diff --git a/.gitignore b/.gitignore
index 9841e0daea..8195f14f24 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,7 @@ Tools/NuGet/
 *.ini
 _themes*/
 common/
+.vscode/
 .openpublishing.build.mdproj
 .openpublishing.buildcore.ps1
 packages.config
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 1fc2ec8e56..1965f039f3 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,5 +1,160 @@
 {
 "redirections": [
+ {
+ "source_path": "windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-phone-8-1-end-of-support-faq-7f1ef0aa-0aaf-0747-3724-5c44456778a3",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mdm/deviceinstanceservice-csp.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mdm/cm-proxyentries-csp.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mdm/bootstrap-csp.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-textinput.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-shell.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-rcspresence.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-otherassets.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-nfc.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-multivariant.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-modemconfigurations.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-messaging.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-internetexplorer.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-initialsetup.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-deviceinfo.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-calling.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-callandmessagingenhancement.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-automatictime.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-theme.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/wcd/wcd-embeddedlockdownprofiles.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/mobile-devices/configure-mobile.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/mobile-devices/lockdown-xml.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/mobile-devices/mobile-lockdown-designer.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/mobile-devices/provisioning-configure-mobile.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/mobile-devices/provisioning-nfc.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/mobile-devices/provisioning-package-splitter.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/mobile-devices/settings-that-can-be-locked-down.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/mobile-devices/start-layout-xml-mobile.md",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/whats-new/windows-11.md",
+ "redirect_url": "/windows/whats-new/windows-11-whats-new",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/configuration/use-json-customize-start-menu-windows.md",
 "redirect_url": "/windows/configuration/customize-start-menu-layout-windows-11",
@@ -6632,22 +6787,22 @@
 },
 {
 "source_path": "windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md",
- "redirect_url": "/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/manage/lockdown-xml.md",
- "redirect_url": "/windows/configuration/mobile-devices/lockdown-xml",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/manage/settings-that-can-be-locked-down.md",
- "redirect_url": "/windows/configuration/mobile-devices/settings-that-can-be-locked-down",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/manage/product-ids-in-windows-10-mobile.md",
- "redirect_url": "/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
 "redirect_document_id": false
 },
 {
@@ -6677,7 +6832,7 @@
 },
 {
 "source_path": "windows/manage/start-layout-xml-mobile.md",
- "redirect_url": "/windows/configuration/mobile-devices/start-layout-xml-mobile",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
 "redirect_document_id": false
 },
 {
@@ -6842,7 +6997,7 @@
 },
 {
 "source_path": "windows/deploy/provisioning-nfc.md",
- "redirect_url": "/windows/configuration/provisioning-packages/provisioning-nfc",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
 "redirect_document_id": false
 },
 {
@@ -7597,7 +7752,7 @@
 },
 {
 "source_path": "windows/configure/configure-mobile.md",
- "redirect_url": "/windows/configuration/mobile-devices/configure-mobile",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
 "redirect_document_id": false
 },
 {
@@ -7762,7 +7917,7 @@
 },
 {
 "source_path": "windows/configure/lockdown-xml.md",
- "redirect_url": "/windows/configuration/mobile-devices/lockdown-xml",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
 "redirect_document_id": false
 },
 {
@@ -7782,12 +7937,12 @@
 },
 {
 "source_path": "windows/configure/mobile-lockdown-designer.md",
- "redirect_url": "/windows/configuration/mobile-devices/mobile-lockdown-designer",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/configure/product-ids-in-windows-10-mobile.md",
- "redirect_url": "/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
 "redirect_document_id": false
 },
 {
@@ -7817,7 +7972,7 @@
 },
 {
 "source_path": "windows/configure/provisioning-configure-mobile.md",
- "redirect_url": "/windows/configuration/mobile-devices/provisioning-configure-mobile",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
 "redirect_document_id": false
 },
 {
@@ -7842,12 +7997,12 @@
 },
 {
 "source_path": "windows/configure/provisioning-nfc.md",
- "redirect_url": "/windows/configuration/mobile-devices/provisioning-nfc",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/configure/provisioning-package-splitter.md",
- "redirect_url": "/windows/configuration/mobile-devices/provisioning-package-splitter",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
 "redirect_document_id": false
 },
 {
@@ -7887,7 +8042,7 @@
 },
 {
 "source_path": "windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md",
- "redirect_url": "/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
 "redirect_document_id": false
 },
 {
@@ -7897,7 +8052,7 @@
 },
 {
 "source_path": "windows/configure/settings-that-can-be-locked-down.md",
- "redirect_url": "/windows/configuration/mobile-devices/settings-that-can-be-locked-down",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
 "redirect_document_id": false
 },
 {
@@ -7907,7 +8062,7 @@
 },
 {
 "source_path": "windows/configure/start-layout-xml-mobile.md",
- "redirect_url": "/windows/configuration/mobile-devices/start-layout-xml-mobile",
+ "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
 "redirect_document_id": false
 },
 {
@@ -18956,11 +19111,97 @@ "redirect_document_id": false }, { - "source_path": "windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md", - "redirect_url": "/windows/privacy/windows-10-and-privacy-compliance", + "source_path": "windows/security/identity-protection/change-history-for-access-protection.md", + "redirect_url": "/windows/security/", "redirect_document_id": false }, - + { + "source_path": "windows/deploy-windows-cm/upgrade-to-windows-with-configuraton-manager.md", + "redirect_url": "/windows/deploy-windows-cm/upgrade-to-windows-with-configuration-manager", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/waas-deployment-rings-windows-10-updates.md", + "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/waas-servicing-differences.md", + "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/wufb-autoupdate.md", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/wufb-basics.md", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/wufb-managedrivers.md", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/wufb-manageupdate.md", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/wwufb-onboard.md", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", + "redirect_document_id": false + }, + { + "source_path": 
"windows/deployment/update/feature-update-conclusion.md", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/waas-wufb-intune.md", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/feature-update-maintenance-window.md", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/feature-update-mission-critical.md", + "redirect_url": "/windows/deployment/waas-manage-updates-wufb", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/windows-security-baselines.md", + "redirect_url": "/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/change-history-for-update-windows-10.md", + "redirect_url": "/windows/deployment/deploy-whats-new", + "redirect_document_id": true + }, + { + "source_path": "windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md", + "redirect_url": "/windows/client-management/mdm/policy-csp-admx-wordwheel", + "redirect_document_id": true + + }, + { + "source_path": "windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md", + "redirect_url": "/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings", + "redirect_document_id": true + + }, + { + "source_path": "windows/client-management/mdm/policy-csp-admx-skydrive.md", + "redirect_url": "/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools", + "redirect_document_id": true + } - ] + ] } diff --git a/.vscode/settings.json b/.vscode/settings.json deleted file mode 100644 index f66a07d2e4..0000000000 --- a/.vscode/settings.json +++ /dev/null 
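Review bot: The redirect added for `windows/deployment/update/feature-update-mission-critical.md` points to `/windows/deployment/waas-manage-updates-wufb`, while the neighbouring entries added in this hunk all use `/windows/deployment/update/waas-manage-updates-wufb`; the missing `update/` segment looks accidental and would probably leave the retired page redirecting to a path that does not exist, so the line should read `"redirect_url": "/windows/deployment/update/waas-manage-updates-wufb",`. The `source_path` `windows/deployment/update/wwufb-onboard.md` also looks like a typo for `wufb-onboard.md`; if the removed file had the single-`w` name, this entry never matches and that URL is left without a redirect. The same hunk replaces the entry for `windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md` instead of adding alongside it, so it is worth confirming that path is still redirected elsewhere in the file, since a privacy-terms link that silently stops resolving is easy to miss.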
@@ -1,5 +0,0 @@ -{ - "cSpell.words": [ - "emie" - ] -} \ No newline at end of file diff --git a/browsers/edge/group-policies/index.yml b/browsers/edge/group-policies/index.yml index a1604c10e5..0b2aef014b 100644 --- a/browsers/edge/group-policies/index.yml +++ b/browsers/edge/group-policies/index.yml @@ -6,7 +6,7 @@ summary: Microsoft Edge Legacy works with Group Policy and Microsoft Intune to h metadata: title: Microsoft Edge Legacy # Required; page title displayed in search results. Include the brand. < 60 chars. description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # Required; article description that is displayed in search results. < 160 chars. - keywords: Microsoft Edge Legacy, Windows 10, Windows 10 Mobile + keywords: Microsoft Edge Legacy, Windows 10 ms.localizationpriority: medium ms.prod: edge author: shortpatti diff --git a/browsers/edge/microsoft-edge-faq.yml b/browsers/edge/microsoft-edge-faq.yml index 126a8572e8..96038bd4ce 100644 --- a/browsers/edge/microsoft-edge-faq.yml +++ b/browsers/edge/microsoft-edge-faq.yml @@ -15,7 +15,7 @@ metadata: title: Frequently Asked Questions (FAQ) for IT Pros summary: | - Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile + Applies to: Microsoft Edge on Windows 10 > [!NOTE] > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). 
@@ -40,7 +40,7 @@ sections: - question: How do I customize Microsoft Edge and related settings for my organization? answer: | - You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](./group-policies/index.yml) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals. + You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](./group-policies/index.yml) for a list of policies currently available for Microsoft Edge and configuration information. The preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals. - question: Is Adobe Flash supported in Microsoft Edge? answer: | diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md index d4f9600d8b..10d59733dd 100644 --- a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md +++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md @@ -201,68 +201,32 @@ You can use Group Policy to finish setting up Enterprise Site Discovery. If you You can use both the WMI and XML settings individually or together: **To turn off Enterprise Site Discovery** - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputBlank
+ +|Setting name |Option | +|---------|---------| +|Turn on Site Discovery WMI output | Off | +|Turn on Site Discovery XML output | Blank | **Turn on WMI recording only** - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputBlank
+ +|Setting name |Option | +|---------|---------| +|Turn on Site Discovery WMI output | On | +|Turn on Site Discovery XML output | Blank | **To turn on XML recording only** - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputXML file path
+ +|Setting name |Option | +|---------|---------| +|Turn on Site Discovery WMI output | Off | +|Turn on Site Discovery XML output | XML file path | **To turn on both WMI and XML recording** - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputXML file path
+ +|Setting name |Option | +|---------|---------| +|Turn on Site Discovery WMI output | On | +|Turn on Site Discovery XML output | XML file path | ## Use Configuration Manager to collect your data After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options: diff --git a/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md b/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md index 634fd7cd91..d04fbf79b9 100644 --- a/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md +++ b/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md @@ -60,132 +60,21 @@ Make sure that you don't specify a protocol when adding your URLs. Using a URL l ### Schema elements This table includes the elements used by the Enterprise Mode schema. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ElementDescriptionSupported browser
<rules>Root node for the schema. -

Example -

-<rules version="205">
-  <emie>
-    <domain>contoso.com</domain>
-  </emie>
-</rules>
Internet Explorer 11 and Microsoft Edge
<emie>The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied. -

Example -

-<rules version="205">
-  <emie>
-    <domain>contoso.com</domain>
-  </emie>
-</rules>
--or- -

For IPv6 ranges:

<rules version="205">
-  <emie>
-    <domain>[10.122.34.99]:8080</domain>
-  </emie>
-  </rules>
--or- -

For IPv4 ranges:

<rules version="205">
-  <emie>
-    <domain>10.122.34.99:8080</domain>
-  </emie>
-  </rules>
Internet Explorer 11 and Microsoft Edge
<docMode>The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the <docMode> section that uses the same value as a <domain> element in the <emie> section, the <emie> element is applied. -

Example -

-<rules version="205">
-  <docMode>
-    <domain docMode="7">contoso.com</domain>
-  </docMode>
-</rules>
Internet Explorer 11
<domain>A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element. -

Example -

-<emie>
-  <domain>contoso.com:8080</domain>
-</emie>
Internet Explorer 11 and Microsoft Edge
<path>A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section. -

Example -

-<emie>
-  <domain exclude="false">fabrikam.com
-    <path exclude="true">/products</path>
-  </domain>
-</emie>

-Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does.

Internet Explorer 11 and Microsoft Edge
+|Element |Description |Supported browser | +|---------|---------|---------| +|<rules> | Root node for the schema.
**Example**
<rules version="205"> 
<emie>
<domain>contoso.com</domain>
</emie>
</rules> |Internet Explorer 11 and Microsoft Edge | +|<emie> |The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.
**Example**
<rules version="205"> 
<emie>
<domain>contoso.com</domain>
</emie>
</rules>

**or**
For IPv6 ranges:


<rules version="205">
<emie>
<domain>[10.122.34.99]:8080</domain>
</emie>
</rules>


**or**
For IPv4 ranges:

<rules version="205"> 
<emie>
<domain>[10.122.34.99]:8080</domain>
</emie>
</rules> | Internet Explorer 11 and Microsoft Edge | +|<docMode> |The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the docMode section that uses the same value as a <domain> element in the emie section, the emie element is applied.
**Example**
 
<rules version="205">
<docmode>
<domain docMode="7">contoso.com</domain>
</docmode>
</rules> |Internet Explorer 11 | +|<domain> |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element.
**Example**
 
<emie>
<domain>contoso.com:8080</domain>
</emie> |Internet Explorer 11 and Microsoft Edge | +|<path> |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
**Example**
 
<emie>
<domain exclude="false">fabrikam.com
<path exclude="true">/products</path>
</domain>
</emie>


Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does. |Internet Explorer 11 and Microsoft Edge | ### Schema attributes This table includes the attributes used by the Enterprise Mode schema. - - - - - - - - - - - - - - - - - - - - - - - - - -
AttributeDescriptionSupported browser
<version>Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.Internet Explorer 11 and Microsoft Edge
<exclude>Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the <domain> and <path> elements. -

Example -

-<emie>
-  <domain exclude="false">fabrikam.com
-    <path exclude="true">/products</path>
-  </domain>
-</emie>

-Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does.

Internet Explorer 11 and Microsoft Edge
<docMode>Specifies the document mode to apply. This attribute is only supported on <domain> or <path> elements in the <docMode> section. -

Example -

-<docMode>
-  <domain exclude="false">fabrikam.com
-    <path docMode="7">/products</path>
-  </domain>
-</docMode>
Internet Explorer 11
+|Attribute|Description|Supported browser| +|--- |--- |--- | +|<version>|Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.|Internet Explorer 11 and Microsoft Edge| +|<exclude>|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the and elements.
**Example**

<emie>
<domain exclude="false">fabrikam.com
<path exclude="true">/products</path>
</domain>
</emie>

Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge| +|<docMode>|Specifies the document mode to apply. This attribute is only supported on <domain> or <path>elements in the <docMode> section.
**Example**

<docMode> 
<domain exclude="false">fabrikam.com
<path docMode="7">/products</path>
</domain>
</docMode>|Internet Explorer 11| ### Using Enterprise Mode and document mode together If you want to use both Enterprise Mode and document mode together, you need to be aware that <emie> entries override <docMode> entries for the same domain. diff --git a/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md index 70694a3df2..fcdaa18eee 100644 --- a/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md @@ -92,194 +92,32 @@ Make sure that you don't specify a protocol when adding your URLs. Using a URL l ### Updated schema elements This table includes the elements used by the v.2 version of the Enterprise Mode schema. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ElementDescriptionSupported browser
<site-list>A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>. -

Example -

-<site-list version="205">
-  <site url="contoso.com">
-    <compat-mode>IE8Enterprise</compat-mode>
-    <open-in>IE11</open-in>
-  </site>
-</site-list>
Internet Explorer 11 and Microsoft Edge
<site>A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element. -

Example -

-<site url="contoso.com">
-  <compat-mode>default</compat-mode>
-  <open-in>none</open-in>
-</site>
--or- -

For IPv4 ranges:

<site url="10.122.34.99:8080">
-  <compat-mode>IE8Enterprise</compat-mode>
-<site>

--or- -

For IPv6 ranges:

<site url="[10.122.34.99]:8080">
-  <compat-mode>IE8Enterprise</compat-mode>
-<site>

-You can also use the self-closing version, <url="contoso.com" />, which also sets: -

    -
  • <compat-mode>default</compat-mode>
  • -
  • <open-in>none</open-in>
  • -
Internet Explorer 11 and Microsoft Edge
<compat-mode>A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11. -

Example -

-<site url="contoso.com">
-  <compat-mode>IE8Enterprise</compat-mode>
-</site>
--or- -

For IPv4 ranges:

<site url="10.122.34.99:8080">
-  <compat-mode>IE8Enterprise</compat-mode>
-<site>

--or- -

For IPv6 ranges:

<site url="[10.122.34.99]:8080">
-  <compat-mode>IE8Enterprise</compat-mode>
-<site>

-Where: -

    -
  • IE8Enterprise. Loads the site in IE8 Enterprise Mode.
    This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
  • -

  • IE7Enterprise. Loads the site in IE7 Enterprise Mode.
    This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE7 Enterprise Mode.

    Important
    This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.

  • -

  • IE[x]. Where [x] is the document mode number into which the site loads.
  • -

  • Default or not specified. Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.
  • -
Internet Explorer 11
<open-in>A child element that controls what browser is used for sites. This element supports the Open in IE11 or Open in Microsoft Edge experiences, for devices running Windows 10. -

Example -

-<site url="contoso.com">
-  <open-in>none</open-in>
-</site>

-Where: -

    -
  • IE11. Opens the site in IE11, regardless of which browser is opened by the employee.
  • -

  • MSEdge. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
  • -

  • None or not specified. Opens in whatever browser the employee chooses.
  • -
Internet Explorer 11 and Microsoft Edge
+ +|Element |Description |Supported browser | +|---------|---------|---------| +|<site-list> |A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>.
**Example**
<site-list version="205">
<site url="contoso.com">
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
</site-list>
| Internet Explorer 11 and Microsoft Edge | +|<site> |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
**Example**
<site url="contoso.com">
<compat-mode>default</compat-mode>
<open-in>none</open-in>
</site>

**or** For IPv4 ranges:
<site url="10.122.34.99:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>


**or** For IPv6 ranges:

<site url="[10.122.34.99]:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>


You can also use the self-closing version, <url="contoso.com" />, which also sets:

  • <compat-mode>default</compat-mode>
  • <open-in>none</open-in>
  • | Internet Explorer 11 and Microsoft Edge | +|<compat-mode> |A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
    **Example**

    <site url="contoso.com">
    <compat-mode>IE8Enterprise</compat-mode>
    </site>
    **or**
    For IPv4 ranges:
    <site url="10.122.34.99:8080">
    <compat-mode>IE8Enterprise</compat-mode>
    <site>

    **or** For IPv6 ranges:

    <site url="[10.122.34.99]:8080">
    <compat-mode>IE8Enterprise</compat-mode>
    <site>

    Where

    • **IE8Enterprise.** Loads the site in IE8 Enterprise Mode.
      This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
    • **IE7Enterprise.** Loads the site in IE7 Enterprise Mode.
      This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE7 Enterprise Mode

      **Important**
      This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.

    • **IE[x]**. Where [x] is the document mode number into which the site loads.
    • **Default or not specified.** Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.
    • |Internet Explorer 11 | +|<open-in> |A child element that controls what browser is used for sites. This element supports the **Open in IE11** or **Open in Microsoft Edge** experiences, for devices running Windows 10.
      **Examples**
      <site url="contoso.com">
      <open-in>none</open-in>
      </site>


      Where

      • IE11. Opens the site in IE11, regardless of which browser is opened by the employee.
      • MSEdge. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
      • None or not specified. Opens in whatever browser the employee chooses.
      • | Internet Explorer 11 and Microsoft Edge | ### Updated schema attributes The <url> attribute, as part of the <site> element in the v.2 version of the schema, replaces the <domain> element from the v.1 version of the schema. - - - - - - - - - - - - - - - - - - - - - - - - -
        AttributeDescriptionSupported browser
        allow-redirectA boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser). -

        Example -

        -<site url="contoso.com/travel">
        -  <open-in allow-redirect="true">IE11</open-in>
        -</site>
        -In this example, if https://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.
        Internet Explorer 11 and Microsoft Edge
        versionSpecifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element.Internet Explorer 11 and Microsoft Edge
        urlSpecifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL. -
        Note
        -Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both https://contoso.com and https://contoso.com. -

        Example -

        -<site url="contoso.com:8080">
        -  <compat-mode>IE8Enterprise</compat-mode>
        -  <open-in>IE11</open-in>
        -</site>
        -In this example, going to https://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode.
        Internet Explorer 11 and Microsoft Edge
        +|Attribute|Description|Supported browser| +|---------|---------|---------| +|allow-redirect|A boolean attribute of the element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
        **Example**
        <site url="contoso.com/travel">
        <open-in allow-redirect="true">IE11 </open-in>
        </site>
        In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.| Internet Explorer 11 and Microsoft Edge| +|version |Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element. | Internet Explorer 11 and Microsoft Edge| +|url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
        **Note**
        Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both [https://contoso.com](https://contoso.com) and [https://contoso.com](https://contoso.com).
        **Example**
        <site url="contoso.com:8080">
        <compat-mode>IE8Enterprise</compat-mode>
        <open-in>IE11</open-in>
        </site>
        In this example, going to [https://contoso.com:8080](https://contoso.com:8080) using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge| ### Deprecated attributes These v.1 version schema attributes have been deprecated in the v.2 version of the schema: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Deprecated attributeNew attributeReplacement example
        <forceCompatView><compat-mode>Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode>
        <docMode><compat-mode>Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode>
        <doNotTransition><open-in>Replace <doNotTransition="true"> with <open-in>none</open-in>
        <domain> and <path><site>Replace: -
        -<emie>
        -  <domain exclude="false">contoso.com</domain>
        -</emie>
        -With: -
        -<site url="contoso.com"/>
        -  <compat-mode>IE8Enterprise</compat-mode>
        -</site>
        --AND-

        -Replace: -

        -<emie>
        -  <domain exclude="true">contoso.com
        -     <path exclude="false" forceCompatView="true">/about</path>
        -  </domain>
        -</emie>
        -With: -
        -<site url="contoso.com/about">
        -  <compat-mode>IE7Enterprise</compat-mode>
        -</site>
        +|Deprecated attribute|New attribute|Replacement example| +|--- |--- |--- | +|<forceCompatView>|<compat-mode>|Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode>| +|<docMode>|<compat-mode>|Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode>| +|<doNotTransition>|<open-in>|Replace:
        <doNotTransition="true"> with <open-in>none</open-in>| +|<domain> and <path>|<site>|Replace:
        <emie>
        <domain exclude="false">contoso.com</domain>
        </emie>
        With:
        <site url="contoso.com"/> 
        <compat-mode>IE8Enterprise</compat-mode>
        </site>
        **-AND-**
        Replace:
        <emie> 
        <domain exclude="true">contoso.com
        <path exclude="false" forceCompatView="true">/about</path>
        </domain>
        </emie>

        With:
        <site url="contoso.com/about">
        <compat-mode>IE7Enterprise</compat-mode>
        </site>| While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features. diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md index f358312bbc..be03e1819a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md @@ -1,7 +1,7 @@ --- ms.localizationpriority: medium title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros) -description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile. +description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10. ms.mktglfcycl: deploy ms.prod: ie11 ms.sitesec: library @@ -18,7 +18,7 @@ ms.author: dansimp [!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] -This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile. +This topic lists new and updated topics in the Internet Explorer 11 documentation for Windows 10. ## April 2017 |New or changed topic | Description | 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index 65fbb8eaaf..8cef068687 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -63,17 +63,17 @@ Data is collected on the configuration characteristics of IE and the sites it br
 |Data point |IE11 |IE10 |IE9 |IE8 |Description |
 |------------------------|-----|-----|-----|-----|------------------------------------------------------------------------|
-|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. |
-|Domain | X | X | X | X |Top-level domain of the browsed site. |
-|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. |
-|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. |
-|Document mode reason | X | X | | |The reason why a document mode was set by IE. |
-|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. |
-|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. |
-|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. |
-|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. |
-|Number of visits | X | X | X | X |Number of times a site has been visited. |
-|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. |
+|URL | ✔️ | ✔️ | ✔️ | ✔️ |URL of the browsed site, including any parameters included in the URL. |
+|Domain | ✔️ | ✔️ | ✔️ | ✔️ |Top-level domain of the browsed site. |
+|ActiveX GUID | ✔️ | ✔️ | ✔️ | ✔️ |GUID of the ActiveX controls loaded by the site. |
+|Document mode | ✔️ | ✔️ | ✔️ | ✔️ |Document mode used by IE for a site, based on page characteristics. |
+|Document mode reason | ✔️ | ✔️ | | |The reason why a document mode was set by IE. |
+|Browser state reason | ✔️ | ✔️ | | |Additional information about why the browser is in its current state. Also called, browser mode. 
|
+|Hang count | ✔️ | ✔️ | ✔️ | ✔️ |Number of visits to the URL when the browser hung. |
+|Crash count | ✔️ | ✔️ | ✔️ | ✔️ |Number of visits to the URL when the browser crashed. |
+|Most recent navigation failure (and count) | ✔️ | ✔️ | ✔️ | ✔️ |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. |
+|Number of visits | ✔️ | ✔️ | ✔️ | ✔️ |Number of times a site has been visited. |
+|Zone | ✔️ | ✔️ | ✔️ | ✔️ |Zone used by IE to browse sites, based on browser settings. |
 >**Important**
        By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. @@ -205,68 +205,32 @@ You can use Group Policy to finish setting up Enterprise Site Discovery. If you You can use both the WMI and XML settings individually or together: **To turn off Enterprise Site Discovery** - - - - - - - - - - - - - -
        Setting nameOption
        Turn on Site Discovery WMI outputOff
        Turn on Site Discovery XML outputBlank
        + +|Setting name|Option| +|--- |--- | +|Turn on Site Discovery WMI output|Off| +|Turn on Site Discovery XML output|Blank| **Turn on WMI recording only** - - - - - - - - - - - - - -
        Setting nameOption
        Turn on Site Discovery WMI outputOn
        Turn on Site Discovery XML outputBlank
        + +|Setting name|Option| +|--- |--- | +|Turn on Site Discovery WMI output|On| +|Turn on Site Discovery XML output|Blank| **To turn on XML recording only** - - - - - - - - - - - - - -
        Setting nameOption
        Turn on Site Discovery WMI outputOff
        Turn on Site Discovery XML outputXML file path
        + +|Setting name|Option| +|--- |--- | +|Turn on Site Discovery WMI output|Off| +|Turn on Site Discovery XML output|XML file path| -To turn on both WMI and XML recording - - - - - - - - - - - - - -
        Setting nameOption
        Turn on Site Discovery WMI outputOn
        Turn on Site Discovery XML outputXML file path
        +**To turn on both WMI and XML recording** + +|Setting name|Option| +|--- |--- | +|Turn on Site Discovery WMI output|On| +|Turn on Site Discovery XML output|XML file path| ## Use Configuration Manager to collect your data After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options: diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md index 6832c2797b..8ee8fbf055 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md @@ -65,162 +65,24 @@ The following is an example of the Enterprise Mode schema v.1. This schema can r ### Schema elements This table includes the elements used by the Enterprise Mode schema. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        ElementDescriptionSupported browser
        <rules>Root node for the schema. -

        Example -

        -<rules version="205">
        -  <emie>
        -    <domain>contoso.com</domain>
        -  </emie>
        -</rules>
        Internet Explorer 11 and Microsoft Edge
        <emie>The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied. -

        Example -

        -<rules version="205">
        -  <emie>
        -    <domain>contoso.com</domain>
        -  </emie>
        -</rules>
        --or- -

        For IPv6 ranges:

        <rules version="205">
        -  <emie>
        -    <domain>[10.122.34.99]:8080</domain>
        -  </emie>
        -  </rules>
        --or- -

        For IPv4 ranges:

        <rules version="205">
        -  <emie>
        -    <domain>10.122.34.99:8080</domain>
        -  </emie>
        -  </rules>
        Internet Explorer 11 and Microsoft Edge
        <docMode>The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the <docMode> section that uses the same value as a <domain> element in the <emie> section, the <emie> element is applied. -

        Example -

        -<rules version="205">
        -  <docMode>
        -    <domain docMode="7">contoso.com</domain>
        -  </docMode>
        -</rules>
        Internet Explorer 11
        <domain>A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element. -

        Example -

        -<emie>
        -  <domain>contoso.com:8080</domain>
        -</emie>
        Internet Explorer 11 and Microsoft Edge
        <path>A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section. -

        Example -

        -<emie>
        -  <domain exclude="true">fabrikam.com
        -    <path exclude="false">/products</path>
        -  </domain>
        -</emie>

        -Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does.

        Internet Explorer 11 and Microsoft Edge
        +|Element |Description |Supported browser | +|---------|---------|---------| +|<rules> | Root node for the schema.
        **Example**
        <rules version="205"> 
        <emie>
        <domain>contoso.com</domain>
        </emie>
        </rules> |Internet Explorer 11 and Microsoft Edge | +|<emie> |The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.
        **Example**
        <rules version="205"> 
        <emie>
        <domain>contoso.com</domain>
        </emie>
        </rules>

        **or**
        For IPv6 ranges:


        <rules version="205">
        <emie>
        <domain>[10.122.34.99]:8080</domain>
        </emie>
        </rules>


        **or**
        For IPv4 ranges:

        <rules version="205"> 
        <emie>
        <domain>[10.122.34.99]:8080</domain>
        </emie>
        </rules> | Internet Explorer 11 and Microsoft Edge | +|<docMode> |The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the docMode section that uses the same value as a <domain> element in the emie section, the emie element is applied.
        **Example**
         
        <rules version="205">
        <docmode>
        <domain docMode="7">contoso.com</domain>
        </docmode>
        </rules> |Internet Explorer 11 | +|<domain> |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element.
        **Example**
         
        <emie>
        <domain>contoso.com:8080</domain>
        </emie> |Internet Explorer 11 and Microsoft Edge | +|<path> |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
        **Example**
         
        <emie>
        <domain exclude="true">fabrikam.com
        <path exclude="false">/products</path>
        </domain>
        </emie>


        Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does. |Internet Explorer 11 and Microsoft Edge | ### Schema attributes This table includes the attributes used by the Enterprise Mode schema. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        AttributeDescriptionSupported browser
        versionSpecifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.Internet Explorer 11 and Microsoft Edge
        excludeSpecifies the domain or path excluded from applying Enterprise Mode. This attribute is only supported on the <domain> and <path> elements in the <emie> section. If this attribute is absent, it defaults to false. -
        -

        Example:

        -
        -<emie>
        -  <domain exclude="false">fabrikam.com
        -    <path exclude="true">/products</path>
        -  </domain>
        -</emie>

        -Where https://fabrikam.com uses IE8 Enterprise Mode, but https://fabrikam.com/products does not.

        Internet Explorer 11
        docModeSpecifies the document mode to apply. This attribute is only supported on <domain> or <path> elements in the <docMode> section. -
        -

        Example:

        -
        -<docMode>
        -  <domain>fabrikam.com
        -    <path docMode="9">/products</path>
        -  </domain>
        -</docMode>

        -Where https://fabrikam.com loads in IE11 document mode, but https://fabrikam.com/products uses IE9 document mode.

        Internet Explorer 11
        doNotTransitionSpecifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all <domain> or <path> elements. If this attribute is absent, it defaults to false. -
        -

        Example:

        -
        -<emie>
        -  <domain doNotTransition="false">fabrikam.com
        -    <path doNotTransition="true">/products</path>
        -  </domain>
        -</emie>

        -Where https://fabrikam.com opens in the IE11 browser, but https://fabrikam.com/products loads in the current browser (eg. Microsoft Edge).

        Internet Explorer 11 and Microsoft Edge
        forceCompatViewSpecifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on <domain> or <path> elements in the <emie> section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude="true"), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false. -
        -

        Example:

        -
        -<emie>
        -  <domain exclude="true">fabrikam.com
        -    <path forceCompatView="true">/products</path>
        -  </domain>
        -</emie>

        -Where https://fabrikam.com does not use Enterprise Mode, but https://fabrikam.com/products uses IE7 Enterprise Mode.

        Internet Explorer 11
        +|Attribute|Description|Supported browser| +|--- |--- |--- | +|version|Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.|Internet Explorer 11 and Microsoft Edge| +|exclude|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the <domain> and <path> elements.
        **Example**

        <emie>
        <domain exclude="false">fabrikam.com
        <path exclude="true">/products</path>
        </domain>
        </emie>

        Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge| +|docMode|Specifies the document mode to apply. This attribute is only supported on <domain> or <path>elements in the <docMode> section.
        **Example**

        <docMode> 
        <domain exclude="false">fabrikam.com
        <path docMode="9">/products</path>
        </domain>
        </docMode>|Internet Explorer 11| +|doNotTransition| Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all <domain> or <path> elements. If this attribute is absent, it defaults to false.
        **Example**
        <emie>
        <domain doNotTransition="false">fabrikam.com
        <path doNotTransition="true">/products</path>
        </domain>
        </emie>

        Where [https://fabrikam.com](https://fabrikam.com) opens in the IE11 browser, but [https://fabrikam.com/products](https://fabrikam.com/products) loads in the current browser (eg. Microsoft Edge)|Internet Explorer 11 and Microsoft Edge| +|forceCompatView|Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on <domain> or <path> elements in the <emie> section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude="true"), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false.
        **Example**

        <emie>
        <domain exclude="true">fabrikam.com
        <path forcecompatview="true">/products</path>
        </domain>
        </emie>

        Where [https://fabrikam.com](https://fabrikam.com) does not use Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) uses IE7 Enterprise Mode.|Internet Explorer 11| ### Using Enterprise Mode and document mode together If you want to use both Enterprise Mode and document mode together, you need to be aware that <emie> entries override <docMode> entries for the same domain. diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md index 299c6c093f..825646b237 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md @@ -97,197 +97,31 @@ The following is an example of the v.2 version of the Enterprise Mode schema. ### Updated schema elements This table includes the elements used by the v.2 version of the Enterprise Mode schema. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        ElementDescriptionSupported browser
        <site-list>A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>. -

        Example -

        -<site-list version="205">
        -  <site url="contoso.com">
        -    <compat-mode>IE8Enterprise</compat-mode>
        -    <open-in>IE11</open-in>
        -  </site>
        -</site-list>
        Internet Explorer 11 and Microsoft Edge
        <site>A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element. -

        Example -

        -<site url="contoso.com">
        -  <compat-mode>default</compat-mode>
        -  <open-in>none</open-in>
        -</site>
        --or- -

        For IPv4 ranges:

        <site url="10.122.34.99:8080">
        -  <compat-mode>IE8Enterprise</compat-mode>
        -<site>

        --or- -

        For IPv6 ranges:

        <site url="[10.122.34.99]:8080">
        -  <compat-mode>IE8Enterprise</compat-mode>
        -<site>

        -You can also use the self-closing version, <url="contoso.com" />, which also sets: -

          -
        • <compat-mode>default</compat-mode>
        • -
        • <open-in>none</open-in>
        • -
        Internet Explorer 11 and Microsoft Edge
        <compat-mode>A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11. -

        Example -

        -<site url="contoso.com">
        -  <compat-mode>IE8Enterprise</compat-mode>
        -</site>
        --or- -

        For IPv4 ranges:

        <site url="10.122.34.99:8080">
        -  <compat-mode>IE8Enterprise</compat-mode>
        -<site>

        --or- -

        For IPv6 ranges:

        <site url="[10.122.34.99]:8080">
        -  <compat-mode>IE8Enterprise</compat-mode>
        -<site>

        -Where: -

          -
        • IE8Enterprise. Loads the site in IE8 Enterprise Mode.
          This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
        • -

        • IE7Enterprise. Loads the site in IE7 Enterprise Mode.
          This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE7 Enterprise Mode.

          Important
          This tag replaces the combination of the "forceCompatView"="true" attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.

        • -

        • IE[x]. Where [x] is the document mode number into which the site loads.
        • -

        • Default or not specified. Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.
        • -
        Internet Explorer 11
        <open-in>A child element that controls what browser is used for sites. This element supports the Open in IE11 or Open in Microsoft Edge experiences, for devices running Windows 10. -

        Example -

        -<site url="contoso.com">
        -  <open-in>none</open-in>
        -</site>

        -Where: -

          -
        • IE11. Opens the site in IE11, regardless of which browser is opened by the employee.
        • -

        • MSEdge. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
        • -

        • None or not specified. Opens in whatever browser the employee chooses.
        • -
        Internet Explorer 11 and Microsoft Edge
        +|Element |Description |Supported browser | +|---------|---------|---------| +|<site-list> |A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>.
        **Example**

        <site-list version="205">
        <site url="contoso.com">
        <compat-mode>IE8Enterprise</compat-mode>
        <open-in>IE11</open-in>
        </site>
        </site-list>
        | Internet Explorer 11 and Microsoft Edge | +|<site> |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
        **Example**
        <site url="contoso.com">
        <compat-mode>default</compat-mode>
        <open-in>none</open-in>
        </site>

        **or** For IPv4 ranges:
        <site url="10.122.34.99:8080">
        <compat-mode>IE8Enterprise</compat-mode>
        <site>


        **or** For IPv6 ranges:

        <site url="[10.122.34.99]:8080">
        <compat-mode>IE8Enterprise</compat-mode>
        <site>


        You can also use the self-closing version, <url="contoso.com" />, which also sets:

        • <compat-mode>default</compat-mode>
        • <open-in>none</open-in>
        • | Internet Explorer 11 and Microsoft Edge | +|<compat-mode> |A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
          **Example**

          <site url="contoso.com">
          <compat-mode>IE8Enterprise</compat-mode>
          </site>
          **or**
          For IPv4 ranges:
          <site url="10.122.34.99:8080">
          <compat-mode>IE8Enterprise</compat-mode>
          <site>

          **or** For IPv6 ranges:

          <site url="[10.122.34.99]:8080">
          <compat-mode>IE8Enterprise</compat-mode>
          <site>

          Where

          • **IE8Enterprise.** Loads the site in IE8 Enterprise Mode.
            This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
          • **IE7Enterprise.** Loads the site in IE7 Enterprise Mode.
            This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE7 Enterprise Mode

            **Important**
            This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.

          • **IE[x]**. Where [x] is the document mode number into which the site loads.
          • **Default or not specified.** Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.
          • |Internet Explorer 11 | +|<open-in> |A child element that controls what browser is used for sites. This element supports the **Open in IE11** or **Open in Microsoft Edge** experiences, for devices running Windows 10.
            **Examples**
            <site url="contoso.com">
            <open-in>none</open-in>
            </site>


            Where

            • IE11. Opens the site in IE11, regardless of which browser is opened by the employee.
            • MSEdge. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
            • None or not specified. Opens in whatever browser the employee chooses.
            • | Internet Explorer 11 and Microsoft Edge | ### Updated schema attributes The <url> attribute, as part of the <site> element in the v.2 version of the schema, replaces the <domain> element from the v.1 version of the schema. - - - - - - - - - - - - - - - - - - - - - - - - -
              AttributeDescriptionSupported browser
              allow-redirectA boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser). -

              Example -

              -<site url="contoso.com/travel">
              -  <open-in allow-redirect="true">IE11</open-in>
              -</site>
              -In this example, if https://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.
              Internet Explorer 11 and Microsoft Edge
              versionSpecifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element.Internet Explorer 11 and Microsoft Edge
              urlSpecifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL. -
              Note
              -Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both http://contoso.com and https://contoso.com. -

              Example -

              -<site url="contoso.com:8080">
              -  <compat-mode>IE8Enterprise</compat-mode>
              -  <open-in>IE11</open-in>
              -</site>
              -In this example, going to https://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode.
              Internet Explorer 11 and Microsoft Edge
              +|Attribute|Description|Supported browser| +|---------|---------|---------| +|allow-redirect|A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
              **Example**
              <site url="contoso.com/travel">
              <open-in allow-redirect="true">IE11 </open-in>
              </site>
              In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.
            • | Internet Explorer 11 and Microsoft Edge| +|version |Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element. | Internet Explorer 11 and Microsoft Edge| +|url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
              **Note**
              Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both [https://contoso.com](https://contoso.com) and [https://contoso.com](https://contoso.com).
              **Example**
              <site url="contoso.com:8080">
              <compat-mode>IE8Enterprise</compat-mode>
              <open-in>IE11</open-in>
              </site>
              In this example, going to [https://contoso.com:8080](https://contoso.com:8080) using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge| ### Deprecated attributes These v.1 version schema attributes have been deprecated in the v.2 version of the schema: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
              Deprecated element/attributeNew elementReplacement example
              forceCompatView<compat-mode>Replace forceCompatView="true" with <compat-mode>IE7Enterprise</compat-mode>
              docMode<compat-mode>Replace docMode="IE5" with <compat-mode>IE5</compat-mode>
              doNotTransition<open-in>Replace doNotTransition="true" with <open-in>none</open-in>
              <domain> and <path><site>Replace: -
              -<emie>
              -  <domain>contoso.com</domain>
              -</emie>
              -With: -
              -<site url="contoso.com"/>
              -  <compat-mode>IE8Enterprise</compat-mode>
              -  <open-in>IE11</open-in>
              -</site>
              --AND-

              -Replace: -

              -<emie>
              -  <domain exclude="true" doNotTransition="true">
              -    contoso.com
              -    <path forceCompatView="true">/about</path>
              -  </domain>
              -</emie>
              -With: -
              -<site url="contoso.com/about">
              -  <compat-mode>IE7Enterprise</compat-mode>
              -  <open-in>IE11</open-in>
              -</site>
              +|Deprecated attribute|New attribute|Replacement example| +|--- |--- |--- | +|forceCompatView|<compat-mode>|Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode>| +|docMode|<compat-mode>|Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode>| +|doNotTransition|<open-in>|Replace:
              <doNotTransition="true"> with <open-in>none</open-in>| +|<domain> and <path>|<site>|Replace:
              <emie>
              <domain>contoso.com</domain>
              </emie>
              With:
              <site url="contoso.com"/> 
              <compat-mode>IE8Enterprise</compat-mode>
              <open-in>IE11</open-in>
              </site>
              **-AND-**
              Replace:
              <emie> 
              <domain exclude="true" donotTransition="true">contoso.com
              <path forceCompatView="true">/about</path>
              </domain>
              </emie>

              With:
              <site url="contoso.com/about">
              <compat-mode>IE7Enterprise</compat-mode>
              <open-in>IE11</open-in>
              </site>| While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features. diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md index 561c0f9983..dfb9b8391c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/index.md +++ b/browsers/internet-explorer/ie11-deploy-guide/index.md 
@@ -33,7 +33,7 @@ Because this content isn't intended to be a step-by-step guide, not all of the s
 ## In this guide
 |Topic |Description |
 |------|------------|
-|[Change history for Internet Explorer 11](change-history-for-internet-explorer-11.md) |Lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile. |
+|[Change history for Internet Explorer 11](change-history-for-internet-explorer-11.md) |Lists new and updated topics in the Internet Explorer 11 documentation for Windows 10. |
 |[System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md) |IE11 is available for a number of systems and languages. This topic provides info about the minimum system requirements and language support. |
 |[List of updated features and tools - Internet Explorer 11 (IE11)](updated-features-and-tools-with-ie11.md) |IE11 includes several new features and tools. This topic includes high-level info about the each of them. |
 |[Install and Deploy Internet Explorer 11 (IE11)](install-and-deploy-ie11.md) |Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. You can also find more info about your virtualization options for legacy apps. |
@@ -42,7 +42,7 @@ Because this content isn't intended to be a step-by-step guide, not all of the s
 |[Group Policy and Internet Explorer 11 (IE11)](group-policy-and-ie11.md) |Use the topics in this section to learn about Group Policy and how to use it to manage IE. |
 |[Manage Internet Explorer 11](manage-ie11-overview.md) |Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for IE. |
 |[Troubleshoot Internet Explorer 11 (IE11)](troubleshoot-ie11.md) |Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with IE. |
-|[Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) |ActiveX controls are small apps that let websites provide content, like videos, games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released. It’s very important that you keep your ActiveX controls up-to-date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, IE includes a new security feature, called out-of-date ActiveX control blocking. |
+|[Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) |ActiveX controls are small apps that let websites provide content, like videos, games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released. 
It’s important that you keep your ActiveX controls up-to-date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, IE includes a new security feature, called out-of-date ActiveX control blocking. | |[Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md) |Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices. Starting with Windows 10, we’re deprecating document modes.

              This means that while IE11 will continue to support document modes, Microsoft Edge won’t. And because of that, it also means that if you want to use Microsoft Edge, you’re going to have to update your legacy webpages and apps to support modern features, browsers, and devices.

              Note
              For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see [A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent](https://go.microsoft.com/fwlink/p/?LinkId=615953). | |[What is the Internet Explorer 11 Blocker Toolkit?](what-is-the-internet-explorer-11-blocker-toolkit.md) |The IE11 Blocker Toolkit lets you turn off the automatic delivery of IE11 through the Automatic Updates feature of Windows Update. | |[Missing Internet Explorer Maintenance (IEM) settings for Internet Explorer 11](missing-internet-explorer-maintenance-settings-for-ie11.md) |The Internet Explorer Maintenance (IEM) settings have been deprecated in favor of Group Policy preferences, Administrative Templates (.admx), and the Internet Explorer Administration Kit 11 (IEAK 11).

              Because of this change, your IEM-configured settings will no longer work on computers running Internet Explorer 10 or newer. To fix this, you need to update the affected settings using Group Policy preferences, Administrative Templates (.admx), or the IEAK 11.

              Because Group Policy Preferences and IEAK 11 run using asynchronous processes, you should choose to use only one of the tools within each group of settings. For example, using only IEAK 11 in the Security settings or Group Policy Preferences within the Internet Zone settings. Also, it's important to remember that policy is enforced and can't be changed by the user, while preferences are configured, but can be changed by the user. | diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md index 5ea3970866..bebac3ffe6 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md @@ -39,7 +39,7 @@ Using Enterprise Mode means that you can continue to use Microsoft Edge as your > [!TIP] > If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly. -For Windows 10 and Windows 10 Mobile, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. +For Windows 10, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. ## What is Enterprise Mode? 
@@ -68,12 +68,12 @@ Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microso [!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] XML file -The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11. +The Enterprise Mode Site List is an XML document that specifies a list of sites, their compatibility mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In IE11, the webpage can also be launched in a specific compatibility mode, so it always renders correctly. Your employees can easily view this site list by typing `about:compat` in either Microsoft Edge or IE11. Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge. ### Site list xml file -This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). 
The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location. +This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compatibility mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location. ```xml @@ -123,7 +123,7 @@ You can build and manage your Enterprise Mode Site List is by using any generic ### Enterprise Mode Site List Manager This tool helps you create error-free XML documents with simple n+1 versioning and URL verification. We recommend using this tool if your site list is relatively small. For more info about this tool, see the Use the [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics. -There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10: +There are two versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10: - [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema. 
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index 1f83558533..227cfc8a46 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md @@ -2,8 +2,23 @@ -## Week of April 26, 2021 +## Week of November 15, 2021 | Published On |Topic title | Change | |------|------------|--------| +| 11/16/2021 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified | +| 11/16/2021 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | +| 11/18/2021 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | +| 11/18/2021 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified | +| 11/18/2021 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified | + + +## Week of October 25, 2021 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 10/28/2021 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | +| 10/28/2021 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified | +| 10/28/2021 | [Windows 10 for Education (Windows 10)](/education/windows/index) | modified | diff --git a/education/itadmins.yml b/education/itadmins.yml index 849c8bb478..2847e59b71 100644 --- a/education/itadmins.yml +++ b/education/itadmins.yml 
@@ -79,7 +79,7 @@ productDirectory: - url: https://techcommunity.microsoft.com/t5/Azure-Information-Protection/Azure-Information-Protection-Deployment-Acceleration-Guide/ba-p/334423 text: Azure information protection deployment acceleration guide - url: /cloud-app-security/getting-started-with-cloud-app-security - text: Microsoft Cloud app security + text: Microsoft Defender for Cloud Apps - url: /microsoft-365/compliance/create-test-tune-dlp-policy text: Office 365 data loss prevention - url: /microsoft-365/compliance/ @@ -117,4 +117,4 @@ productDirectory: - url: https://support.office.com/en-us/education text: Education help center - url: https://support.office.com/en-us/article/teacher-training-packs-7a9ee74a-8fe5-43d3-bc23-a55185896921 - text: Teacher training packs \ No newline at end of file + text: Teacher training packs diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 2fb2324ddc..66569c4674 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -126,96 +126,23 @@ Table 2 lists the settings in the Device Management node in the Google Admin Con Table 2. Settings in the Device Management node in the Google Admin Console - ---- - - - - - - - - - - - - - - - - - - - - -
              SectionSettings
              Network

              These settings configure the network connections for Chromebook devices and include the following settings categories:

              -
                -
              • Wi-Fi. Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.

              • -
              • Ethernet. Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.

              • -
              • VPN. Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.

              • -
              • Certificates. Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.

              • -
              Mobile

              These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:

              -
                -
              • Device management settings. Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.

              • -
              • Device activation. Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.

              • -
              • Managed devices. Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.

              • -
              • Set Up Apple Push Certificate. Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.

              • -
              • Set Up Android for Work. Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider.

              • -
              Chrome management

              These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:

              -
                -
              • User settings. Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.

              • -
              • Public session settings. Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.

              • -
              • Device settings. Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.

              • -
              • Devices. Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices.

              • -
              • App Management. Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices.

              • -
              - - +|Section |Settings | +|---------|---------| +|Network |

              These settings configure the network connections for Chromebook devices and include the following settings categories:

              • **Wi-Fi.** Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.

              • **Ethernet.** Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.

              • **VPN.** Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.

              • **Certificates.** Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.

                | +|Mobile |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
                • **Device management settings.** Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.
                • **Device activation.** Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.
                • **Managed devices.** Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.
                • **Set Up Apple Push Certificate.** Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.
                • **Set Up Android for Work.** Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider. | +|Chrome management |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
                  • **User settings.** Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
                  • **Public session settings.** Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.
                  • **Device settings.** Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
                  • **Devices.** Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices
                  • **App Management.** Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices. | Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. Table 3. Settings in the Security node in the Google Admin Console - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    SectionSettings

                    Basic settings

                    These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.

                    -

                    Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.

                    Password monitoring

                    This section is used to monitor the strength of user passwords. You don’t need to migrate any settings in this section.

                    API reference

                    This section is used to enable access to various Google Apps Administrative APIs. You don’t need to migrate any settings in this section.

                    Set up single sign-on (SSO)

                    This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.

                    Advanced settings

                    This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.

                    - - +|Section|Settings| +|--- |--- | +|Basic settings|These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.
                    Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.| +|Password monitoring|This section is used to monitor the strength of user passwords. You don’t need to migrate any settings in this section.| +|API reference|This section is used to enable access to various Google Apps Administrative APIs. You don’t need to migrate any settings in this section.| +|Set up single sign-on (SSO)|This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.| +|Advanced settings|This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.| **Identify locally-configured settings to migrate** @@ -428,62 +355,14 @@ Table 5 is a decision matrix that helps you decide if you can use only on-premis Table 5. Select on-premises AD DS, Azure AD, or hybrid - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    If you plan to...On-premises AD DSAzure ADHybrid
                    Use Office 365XX
                    Use Intune for managementXX
                    Use Microsoft Endpoint Manager for managementXX
                    Use Group Policy for managementXX
                    Have devices that are domain-joinedXX
                    Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joinedXX
                    - - +|If you plan to...|On-premises AD DS|Azure AD|Hybrid| +|--- |--- |--- |--- | +|Use Office 365||✔️|✔️| +|Use Intune for management||✔️|✔️| +|Use Microsoft Endpoint Manager for management|✔️||✔️| +|Use Group Policy for management|✔️||✔️| +|Have devices that are domain-joined|✔️||✔️| +|Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joined||✔️|✔️| ### @@ -497,113 +376,17 @@ Table 6 is a decision matrix that lists the device, user, and app management pro Table 6. Device, user, and app management products and technologies - --------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Desired featureWindows provisioning packagesGroup PolicyConfiguration ManagerIntuneMDTWindows Software Update Services
                    Deploy operating system imagesXXX
                    Deploy apps during operating system deploymentXXX
                    Deploy apps after operating system deploymentXXX
                    Deploy software updates during operating system deploymentXX
                    Deploy software updates after operating system deploymentXXXXX
                    Support devices that are domain-joinedXXXXX
                    Support devices that are not domain-joinedXXX
                    Use on-premises resourcesXXXX
                    Use cloud-based servicesX
                    - - +|Desired feature|Windows provisioning packages|Group Policy|Configuration Manager|Intune|MDT|Windows Software Update Services| +|--- |--- |--- |--- |--- |--- |--- | +|Deploy operating system images|✔️||✔️||✔️|| +|Deploy apps during operating system deployment|✔️||✔️||✔️|| +|Deploy apps after operating system deployment|✔️|✔️|✔️|||| +|Deploy software updates during operating system deployment|||✔️||✔️|| +|Deploy software updates after operating system deployment|✔️|✔️|✔️|✔️||✔️| +|Support devices that are domain-joined|✔️|✔️|✔️|✔️|✔️|| +|Support devices that are not domain-joined|✔️|||✔️|✔️|| +|Use on-premises resources|✔️|✔️|✔️||✔️|| +|Use cloud-based services||||✔️||| You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. @@ -665,35 +448,10 @@ It is important that you perform any network infrastructure remediation first be Table 7. Network infrastructure products and technologies and deployment resources - ---- - - - - - - - - - - - - - - - - -
                    Product or technologyResources
                    DHCP
                    DNS
                    - +|Product or technology|Resources| +|--- |--- | +|DHCP|
                  • [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))
                  • [DHCP Deployment Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd283051(v=ws.10))| +|DNS|
                  • [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))
                  • [Deploying Domain Name System (DNS)](/previous-versions/windows/it-pro/windows-server-2003/cc780661(v=ws.10))| If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section. @@ -707,37 +465,10 @@ In the [Plan for Active Directory services](#plan-adservices) section, you deter Table 8. AD DS, Azure AD and deployment resources - ---- - - - - - - - - - - - - - - - - -
                    Product or technologyResources
                    AD DS
                    Azure AD
                    - - +|Product or technology|Resources| +|--- |--- | +|AD DS|
                  • [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))
                  • [Active Directory Domain Services Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831484(v=ws.11))| +|Azure AD|
                  • [Azure Active Directory documentation](/azure/active-directory/)
                  • [Manage and support Azure Active Directory Premium](https://go.microsoft.com/fwlink/p/?LinkId=690259)
                  • [Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100)| If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps. @@ -750,59 +481,13 @@ Table 9 lists the Microsoft management systems and the deployment resources for Table 9. Management systems and deployment resources - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Management systemResources
                    Windows provisioning packages
                    Group Policy
                    Configuration Manager
                    Intune
                    MDT
                    - - +|Management system|Resources| +|--- |--- | +|Windows provisioning packages|
                  • [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
                  • [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
                  • [Step-By-Step: Building Windows 10 Provisioning Packages](/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages)| +|Group Policy|
                  • [Core Network Companion Guide: Group Policy Deployment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11))
                  • [Deploying Group Policy](/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10))"| +|Configuration Manager|
                  • [Site Administration for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg681983(v=technet.10))
                  • [Deploying Clients for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699391(v=technet.10))| +|Intune|
                  • [Set up and manage devices with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=690262)
                  • [Smoother Management Of Office 365 Deployments with Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=690263)
                  • [System Center 2012 R2 Configuration Manager &amp; Windows Intune](/learn/?l=fCzIjVKy_6404984382)| +|MDT|
                  • [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=690324)
                  • [Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)| If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. @@ -815,44 +500,11 @@ In this step, you need to configure your management system to deploy the apps to Table 10. Management systems and app deployment resources - ---- - - - - - - - - - - - - - - - - - - - - -
                    Management systemResources
                    Group Policy
                    Configuration Manager
                    Intune
                    - - +|Management system|Resources| +|--- |--- | +|Group Policy|
                  • [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10))
                  • [Group Policy Software Deployment Background](/previous-versions/windows/it-pro/windows-server-2003/cc739305(v=ws.10))
                  • [Assigning and Publishing Software](/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10))| +|Configuration Manager|
                  • [How to Deploy Applications in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682082(v=technet.10))
                  • [Application Management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699373(v=technet.10))| +|Intune|
                  • [Deploy apps to mobile devices in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733913)
                  • [Manage apps with Microsoft Intune](/mem/intune/)| If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 9dcdd7ca81..2c43aa28c6 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md 
@@ -20,11 +20,11 @@ manager: dansimp - Windows 10 -This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment as well as the automated tools and built-in features of the operating system. +This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment and the automated tools and built-in features of the operating system. ## Prepare for district deployment -Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. Just as with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. 
Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district. +Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. As with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district. > [!NOTE] > This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/cloud-platform/mobile-device-management). @@ -83,7 +83,7 @@ This district configuration has the following characteristics: * If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity). -* Use [Intune](/intune/), [Mobile Device Management for Office 365](https://support.office.com/en-us/article/Set-up-Mobile-Device-Management-MDM-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy in AD DS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)) to manage devices. +* Use [Intune](/intune/), [Mobile Device Management for Office 365](/microsoft-365/admin/basic-mobility-security/set-up), or [Group Policy in AD DS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)) to manage devices. * Each device supports a one-student-per-device or multiple-students-per-device scenario. 
@@ -126,9 +126,9 @@ Office 365 Education allows: * Students and faculty to use Yammer to collaborate through private social networking. -* Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices). +* Students and faculty to access classroom resources from anywhere on any device (including iOS and Android devices). -For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://products.office.com/en-us/academic). +For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://www.microsoft.com/microsoft-365/academic/compare-office-365-education-plans). ### How to configure a district @@ -225,80 +225,10 @@ Use the cloud-centric scenario and on-premises and cloud scenario as a guide for To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution. - ---- - - - - - - - - - - - - - - - - - - -
                    MethodDescription
                    MDT

                    MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.

                    -Select this method when you:

                    -
                      -
                    • Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.)
                    • -
                    • Don’t have an existing AD DS infrastructure.
                    • -
                    • Need to manage devices regardless of where they are (on or off premises).
                    • -
                    - -

                    The advantages of this method are that:

                    -
                      -
                    • You can deploy Windows 10 operating systems.
                    • -
                    • You can manage device drivers during initial deployment.
                    • -
                    • You can deploy Windows desktop apps (during initial deployment)
                    • -
                    • It doesn’t require an AD DS infrastructure.
                    • -
                    • It doesn’t have additional infrastructure requirements.
                    • -
                    • MDT doesn’t incur additional cost: it’s a free tool.
                    • -
                    • You can deploy Windows 10 operating systems to institution-owned and personal devices.
                    • -
                    - -

                    The disadvantages of this method are that it:

                    - -
                      -
                    • Can’t manage applications throughout entire application life cycle (by itself).
                    • -
                    • Can’t manage software updates for Windows 10 and apps (by itself).
                    • -
                    • Doesn’t provide antivirus and malware protection (by itself).
                    • -
                    • Has limited scaling to large numbers of users and devices.
                    • -
                    - -
                    Microsoft Endpoint Configuration Manager

                    Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle. You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.

                    -Select this method when you:

                    -
                      -
                    • Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).
                    • -
                    • Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure).
                    • -
                    • Typically deploy Windows 10 to on-premises devices.
                    • -
                    - -

                    The advantages of this method are that:

                    -
                      -
                    • You can deploy Windows 10 operating systems.
                    • -
                    • You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.
                    • -
                    • You can manage software updates for Windows 10 and apps.
                    • -
                    • You can manage antivirus and malware protection.
                    • -
                    • It scales to large number of users and devices.
                    • -
                    -

                    The disadvantages of this method are that it:

                    -
                      -
                    • Carries an additional cost for Microsoft Endpoint Manager server licenses (if the institution does not have Configuration Manager already).
                    • -
                    • Can deploy Windows 10 only to domain-joined (institution-owned devices).
                    • -
                    • Requires an AD DS infrastructure (if the institution does not have AD DS already).
                    • -
                    -
                    +|Method|Description| +|--- |--- | +|MDT|MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.
                    Select this method when you:
                  • Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.)
                  • Don’t have an existing AD DS infrastructure.
                  • Need to manage devices regardless of where they are (on or off premises).
                    The advantages of this method are that:
                  • You can deploy Windows 10 operating systems
                  • You can manage device drivers during initial deployment.
                  • You can deploy Windows desktop apps (during initial deployment)
                  • It doesn’t require an AD DS infrastructure.
                  • It doesn’t have additional infrastructure requirements.
                  • MDT doesn’t incur additional cost: it’s a free tool.
                  • You can deploy Windows 10 operating systems to institution-owned and personal devices.
                    The disadvantages of this method are that it:
                  • Can’t manage applications throughout entire application life cycle (by itself).
                  • Can’t manage software updates for Windows 10 and apps (by itself).
                  • Doesn’t provide antivirus and malware protection (by itself).
                  • Has limited scaling to large numbers of users and devices.| +|Microsoft Endpoint Configuration Manager|
                  • Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle
                  • You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
                    Select this method when you:
                  • Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).
                  • Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure).
                  • Typically deploy Windows 10 to on-premises devices.
                    The advantages of this method are that:
                  • You can deploy Windows 10 operating systems.
                  • You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.
                  • You can manage software updates for Windows 10 and apps.
                  • You can manage antivirus and malware protection.
                  • It scales to large number of users and devices.
                    The disadvantages of this method are that it:
                  • Carries an additional cost for Microsoft Endpoint Manager server licenses (if the institution does not have Configuration Manager already).
                  • Can deploy Windows 10 only to domain-joined (institution-owned devices).
                  • Requires an AD DS infrastructure (if the institution does not have AD DS already).| *Table 2. Deployment methods* @@ -317,81 +247,10 @@ If you have only one device to configure, manually configuring that one device i For a district, there are many ways to manage the configuration setting for users and devices. Table 4 lists the methods that this guide describes and recommends. Use this information to determine which combination of configuration setting management methods is right for your institution. - ---- - - - - - - - - - - - - - - - - - - -
                    MethodDescription
                    Group Policy

                    Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows.

                    -Select this method when you:

                    - -
                      -
                    • Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).
                    • -
                    • Want more granular control of device and user settings.
                    • -
                    • Have an existing AD DS infrastructure.
                    • -
                    • Typically manage on-premises devices.
                    • -
                    • Can manage a required setting only by using Group Policy.
                    • -
                    - -

                    The advantages of this method include:

                    -
                      -
                    • No cost beyond the AD DS infrastructure.
                    • -
                    • A larger number of settings (compared to Intune).
                    • -
                    - -

                    The disadvantages of this method are that it:

                    -
                      -
                    • Can only manage domain-joined (institution-owned devices).
                    • -
                    • Requires an AD DS infrastructure (if the institution does not have AD DS already).
                    • -
                    • Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).
                    • -
                    • Has rudimentary app management capabilities.
                    • -
                    • Cannot deploy Windows 10 operating systems.
                    • -
                    -
                    Intune

                    Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.

                    -Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.

                    -Select this method when you:

                    - -
                      -
                    • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
                    • -
                    • Don’t need granular control over device and user settings (compared to Group Policy).
                    • -
                    • Don’t have an existing AD DS infrastructure.
                    • -
                    • Need to manage devices regardless of where they are (on or off premises).
                    • -
                    • Want to provide application management for the entire application life cycle.
                    • -
                    • Can manage a required setting only by using Intune.
                    • -
                    - -

                    The advantages of this method are that:

                    -
                      -
                    • You can manage institution-owned and personal devices.
                    • -
                    • It doesn’t require that devices be domain joined.
                    • -
                    • It doesn’t require any on-premises infrastructure.
                    • -
                    • It can manage devices regardless of their location (on or off premises).
                    • -
                    -

                    The disadvantages of this method are that it:

                    -
                      -
                    • Carries an additional cost for Intune subscription licenses.
                    • -
                    • Doesn’t offer granular control over device and user settings (compared to Group Policy).
                    • -
                    • Cannot deploy Windows 10 operating systems.
                    • -
                    -
                    +|Method|Description| +|--- |--- | +|Group Policy|Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows.
                    Select this method when you
                  • Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).
                  • Want more granular control of device and user settings.
                  • Have an existing AD DS infrastructure.
                  • Typically manage on-premises devices.
                  • Can manage a required setting only by using Group Policy.
                    The advantages of this method include:
                  • No cost beyond the AD DS infrastructure.
                  • A larger number of settings (compared to Intune).
                    The disadvantages of this method are that it:
                  • Can only manage domain-joined (institution-owned devices).
                  • Requires an AD DS infrastructure (if the institution does not have AD DS already).
                  • Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).
                  • Has rudimentary app management capabilities.
                  • Cannot deploy Windows 10 operating systems.| +|Intune|Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
                    Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.
                    Select this method when you:
                  • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
                  • Don’t need granular control over device and user settings (compared to Group Policy).
                  • Don’t have an existing AD DS infrastructure.
                  • Need to manage devices regardless of where they are (on or off premises).
                  • Want to provide application management for the entire application life cycle.
                  • Can manage a required setting only by using Intune.
                    The advantages of this method are that:
                  • You can manage institution-owned and personal devices.
                  • It doesn’t require that devices be domain joined.
                  • It doesn’t require any on-premises infrastructure.
                  • It can manage devices regardless of their location (on or off premises).
                    The disadvantages of this method are that it:
                  • Carries an additional cost for Intune subscription licenses.
                  • Doesn’t offer granular control over device and user settings (compared to Group Policy).
                  • Cannot deploy Windows 10 operating systems.| *Table 4. Configuration setting management methods* @@ -410,114 +269,11 @@ For a district, there are many ways to manage apps and software updates. Table 6 Use the information in Table 6 to determine which combination of app and update management products is right for your district. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
                    SelectionManagement method
                    Microsoft Endpoint Configuration Manager

                    Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.

                    Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications.

                    Select this method when you:

                    -
                      -
                    • Selected Configuration Manager to deploy Windows 10.
                    • -
                    • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
                    • -
                    • Want to manage AD DS domain-joined devices.
                    • -
                    • Have an existing AD DS infrastructure.
                    • -
                    • Typically manage on-premises devices.
                    • -
                    • Want to deploy operating systems.
                    • -
                    • Want to provide application management for the entire application life cycle.
                    • -
                    - -

                    The advantages of this method are that:

                    -
                      -
                    • You can deploy Windows 10 operating systems.
                    • -
                    • You can manage applications throughout the entire application life cycle.
                    • -
                    • You can manage software updates for Windows 10 and apps.
                    • -
                    • You can manage antivirus and malware protection.
                    • -
                    • It scales to large numbers of users and devices.
                    • -
                    -

                    The disadvantages of this method are that it:

                    -
                      -
                    • Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
                    • -
                    • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
                    • -
                    • Can only manage domain-joined (institution-owned devices).
                    • -
                    • Requires an AD DS infrastructure (if the institution does not have AD DS already).
                    • -
                    • Typically manages on-premises devices (unless devices through VPN or DirectAccess).
                    • -
                    -
                    Intune

                    Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.

                    -Select this method when you:

                    -
                      -
                    • Selected MDT only to deploy Windows 10.
                    • -
                    • Want to manage institution-owned and personal devices that are not domain joined.
                    • -
                    • Want to manage Azure AD domain-joined devices.
                    • -
                    • Need to manage devices regardless of where they are (on or off premises).
                    • -
                    • Want to provide application management for the entire application life cycle.
                    • -
                    -

                    The advantages of this method are that:

                    -
                      -
                    • You can manage institution-owned and personal devices.
                    • -
                    • It doesn’t require that devices be domain joined.
                    • -
                    • It doesn’t require on-premises infrastructure.
                    • -
                    • It can manage devices regardless of their location (on or off premises).
                    • -
                    • You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).
                    • -
                    -

                    The disadvantages of this method are that it:

                    -
                      -
                    • Carries an additional cost for Intune subscription licenses.
                    • -
                    • Cannot deploy Windows 10 operating systems.
                    • -
                    -
                    Microsoft Endpoint Manager and Intune (hybrid)

                    Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.

                    -Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.

                    -Select this method when you:

                    -
                      -
                    • Selected Microsoft Endpoint Manager to deploy Windows 10.
                    • -
                    • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
                    • -
                    • Want to manage domain-joined devices.
                    • -
                    • Want to manage Azure AD domain-joined devices.
                    • -
                    • Have an existing AD DS infrastructure.
                    • -
                    • Want to manage devices regardless of their connectivity.
                    • -
                    • Want to deploy operating systems.
                    • -
                    • Want to provide application management for the entire application life cycle.
                    • -
                    -

                    The advantages of this method are that:

                    -
                      -
                    • You can deploy operating systems.
                    • -
                    • You can manage applications throughout the entire application life cycle.
                    • -
                    • You can scale to large numbers of users and devices.
                    • -
                    • You can support institution-owned and personal devices.
                    • -
                    • It doesn’t require that devices be domain joined.
                    • -
                    • It can manage devices regardless of their location (on or off premises).
                    • -
                    -

                    The disadvantages of this method are that it:

                    -
                      -
                    • Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
                    • -
                    • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
                    • -
                    • Carries an additional cost for Intune subscription licenses.
                    • -
                    • Requires an AD DS infrastructure (if the institution does not have AD DS already).
                    • -
                    -
                    +|Selection|Management method| +|--- |--- | +|Microsoft Endpoint Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:
                  • Selected Configuration Manager to deploy Windows 10.
                  • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
                  • Want to manage AD DS domain-joined devices.
                  • Have an existing AD DS infrastructure.
                  • Typically manage on-premises devices.
                  • Want to deploy operating systems.
                  • Want to provide application management for the entire application life cycle.
                    The advantages of this method are that:
                  • You can deploy Windows 10 operating systems.
                  • You can manage applications throughout the entire application life cycle.
                  • You can manage software updates for Windows 10 and apps.
                  • You can manage antivirus and malware protection.
                  • It scales to large numbers of users and devices.
                    The disadvantages of this method are that it:
                  • Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
                  • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
                  • Can only manage domain-joined (institution-owned devices).
                  • Requires an AD DS infrastructure (if the institution does not have AD DS already).
                  • Typically manages on-premises devices (unless devices through VPN or DirectAccess).| +|Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
                    Select this method when you:
                  • Selected MDT only to deploy Windows 10.
                  • Want to manage institution-owned and personal devices that are not domain joined.
                  • Want to manage Azure AD domain-joined devices.
                  • Need to manage devices regardless of where they are (on or off premises).
                  • Want to provide application management for the entire application life cycle.
                    The advantages of this method are that:
                  • You can manage institution-owned and personal devices.
                  • It doesn’t require that devices be domain joined.
                  • It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).
                  • You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).
                    The disadvantages of this method are that it:
                  • Carries an additional cost for Intune subscription licenses.
                  • Cannot deploy Windows 10 operating systems.| +|Microsoft Endpoint Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
                    Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
                    Select this method when you:
                  • Selected Microsoft Endpoint Manager to deploy Windows 10.
                  • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
                  • Want to manage domain-joined devices.
                  • Want to manage Azure AD domain-joined devices.
                  • Have an existing AD DS infrastructure.
                  • Want to manage devices regardless of their connectivity.vWant to deploy operating systems.
                  • Want to provide application management for the entire application life cycle.
                    The advantages of this method are that:
                  • You can deploy operating systems.
                  • You can manage applications throughout the entire application life cycle.
                  • You can scale to large numbers of users and devices.
                  • You can support institution-owned and personal devices.
                  • It doesn’t require that devices be domain joined.
                  • It can manage devices regardless of their location (on or off premises).
                    The disadvantages of this method are that it:
                  • Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
                  • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
                  • Carries an additional cost for Intune subscription licenses.
                  • Requires an AD DS infrastructure (if the institution does not have AD DS already).| *Table 6. App and update management products* 
@@ -683,7 +439,7 @@ Now that you have created your new Office 365 Education subscription, add the do
 To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant.
 > [!NOTE]
-> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up: Technical FAQ](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US&WT.mc_id=eml_CXM__33537_MOD_EDU_Student_Advantage_Rush).
+> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up FAQ](/microsoft-365/education/deploy/office-365-education-self-sign-up).
 Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks:
@@ -695,7 +451,7 @@ You will always want faculty and students to join the Office 365 tenant that you
 > [!NOTE]
 > You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours.
-By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
+By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](/microsoft-365/education/deploy/office-365-education-self-sign-up).
 |Action |Windows PowerShell command|
 |-------|--------------------------|
@@ -714,7 +470,7 @@ To reduce your administrative effort, automatically assign Office 365 Education
 > [!NOTE]
 > By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section.
-Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 11. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
+Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 11. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](/microsoft-365/education/deploy/office-365-education-self-sign-up).
 |Action |Windows PowerShell command|
 |-------|--------------------------|
@@ -887,7 +643,7 @@ Several methods are available to bulk-import user accounts into AD DS domains. T |-------|---------------------------------------------| |Ldifde.exe|This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren't comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816781(v=ws.10)), and [LDIFDE](/previous-versions/orphan-topics/ws.10/cc755456(v=ws.10)).| |VBScript|This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)) and [ADSI Scriptomatic](https://technet.microsoft.com/scriptcenter/dd939958.aspx).| -|Windows PowerShell|This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. 
For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| +|Windows PowerShell|This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Windows PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| *Table 12. AD DS bulk-import account methods* 
@@ -935,7 +691,7 @@ You can use the Microsoft 365 admin center to add individual Office 365 accounts
 The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 9. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts.
-For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365 - Admin help](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US).
+For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Microsoft 365](/microsoft-365/enterprise/add-several-users-at-the-same-time).
 > [!NOTE]
 > If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process.
@@ -949,7 +705,7 @@ Assign SharePoint Online resource permissions to Office 365 security groups, not
 > [!NOTE]
 > If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
-For information about creating security groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US).
+For information about creating security groups, see [Create an Office 365 Group in the admin center](/microsoft-365/admin/create-groups/create-groups).
 You can add and remove users from security groups at any time.
@@ -966,7 +722,7 @@ You can create email distribution groups based on job role (such as teacher, adm
 > Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until the creation process ends before you can perform the following steps.
-For information about creating email distribution groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US).
+For information about creating email distribution groups, see [Create a Microsoft 365 group in the admin center](/microsoft-365/admin/create-groups/create-groups).
 #### Summary
@@ -1083,63 +839,11 @@ This guide discusses thick image deployment. For information about thin image de ### Select a method to initiate deployment The LTI deployment process is highly automated: it requires minimal information to deploy or upgrade Windows 10. The ZTI deployment process is fully automated, but you must manually initiate it. To do so, use the method listed in Table 15 that best meets the needs of your institution. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    MethodDescription and reason to select this method
                    Windows Deployment Services

                    This method:

                    -
                      -
                    • Uses diskless booting to initiate LTI and ZTI deployments.
                    • -
                    • Works only with devices that support PXE boot.
                    • -
                    • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
                    • -
                    • Deploys images more slowly than when you use local media.
                    • -
                    • Requires that you deploy a Windows Deployment Services server.
                    • -
                    -
                    Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server. -
                    Bootable media

                    This method:

                    -
                      -
                    • Initiates LTI or ZTI deployment by booting from local media, including from USB drives, DVD, or CD.
                    • -
                    • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
                    • -
                    • Deploys images more slowly than when using local media.
                    • -
                    • Requires no additional infrastructure.
                    • -
                    -
                    Select this method when you want to deploy Windows over the network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media. -
                    Deployment media

                    This method:

                    -
                      -
                    • Initiates LTI or ZTI deployment by booting from a local USB hard disk.
                    • -
                    • Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
                    • -
                    • Deploys images more quickly than network-based methods do.
                    • -
                    • Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).
                    • -
                    -
                    Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share or distribution point content, you must regenerate the deployment media and update the USB hard disk. -
                    +|Method|Description and reason to select this method| +|--- |--- | +|Windows Deployment Services|This method:
                  • Uses diskless booting to initiate LTI and ZTI deployments.
                  • Works only with devices that support PXE boot.
                  • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
                  • Deploys images more slowly than when you use local media.
                  • Requires that you deploy a Windows Deployment Services server.

                    Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server.| +|Bootable media|This method:
                  • Initiates LTI or ZTI deployment by booting from local media, including from USB drives, DVD, or CD.
                  • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
                  • Deploys images more slowly than when using local media.
                  • Requires no additional infrastructure.

                    Select this method when you want to deploy Windows over the network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media.| +|Deployment media|This method:
                  • Initiates LTI or ZTI deployment by booting from a local USB hard disk.
                  • Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
                  • Deploys images more quickly than network-based methods do.
                  • Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).

                    Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share or distribution point content, you must regenerate the deployment media and update the USB hard disk. *Table 15. Methods to initiate LTI and ZTI deployments* @@ -1154,91 +858,14 @@ Before you can deploy Windows 10 and your apps to devices, you need to prepare y The first step in preparing for Windows 10 deployment is to configure—that is, *populate*—the MDT deployment share. Table 16 lists the MDT deployment share configuration tasks that you must perform. Perform the tasks in the order represented in Table 16. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    TaskDescription
                    1. Import operating systemsImport the operating systems that you selected in the Select the operating systems section into the deployment share. For more information about how to import operating systems, see Import an Operating System into the Deployment Workbench.
                    2. Import device driversDevice drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.

                    -Import device drivers for each device in your institution. For more information about how to import device drivers, see Import Device Drivers into the Deployment Workbench. -
                    3. Create MDT applications for Microsoft Store appsCreate an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the Add-AppxPackage Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.

                    -

                    Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files by performing one of the following tasks:

                    -
                      -
                    • For offline-licensed apps, download the .appx files from the Microsoft Store for Business.
                    • -
                    • For apps that are not offline licensed, obtain the .appx files from the app software vendor directly.
                    • -
                    -
                    If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.

                    -If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune and Deploy and manage apps by using Microsoft Endpoint Configuration Manager sections. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.

                    -In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:

                    - - -
                    4. Create MDT applications for Windows desktop appsYou need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

                    -To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool.

                    -If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps. -

                    -Note  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune section. - -For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt). - -
                    5. Create task sequences

                    You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:

                    -
                      -
                    • Deploy 64-bit Windows 10 Education to devices.
                    • -
                    • Deploy 32-bit Windows 10 Education to devices.
                    • -
                    • Upgrade existing devices to 64-bit Windows 10 Education.
                    • -
                    • Upgrade existing devices to 32-bit Windows 10 Education.
                    • -
                    -
                    Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see Create a New Task Sequence in the Deployment Workbench. - -
                    6. Update the deployment shareUpdating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.

                    -For more information about how to update a deployment share, see Update a Deployment Share in the Deployment Workbench. - -
                    +|Task|Description| +|--- |--- | +|1. Import operating systems|Import the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| +|2. Import device drivers|Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.
                    Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| +|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.
                    Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files by performing one of the following tasks:
                  • For offline-licensed apps, download the .appx files from the Microsoft Store for Business.
                  • For apps that are not offline licensed, obtain the .appx files from the app software vendor directly.

                    If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
                    If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
                    In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:
                  • Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).
                  • Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).| +|4. Create MDT applications for Windows desktop apps|You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.
                    To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in[Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source).
                    If you have Intune, you can [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune), as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps.
                    This is the preferred method for deploying and managing Windows desktop apps.
                    **Note:**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
                    For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).| +|5. Create task sequences|You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:
                  • Deploy 64-bit Windows 10 Education to devices.
                  • Deploy 32-bit Windows 10 Education to devices.
                  • Upgrade existing devices to 64-bit Windows 10 Education.
                  • Upgrade existing devices to 32-bit Windows 10 Education.

                    Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).| +|6. Update the deployment share|Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.
                    For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).| *Table 16. Tasks to configure the MDT deployment share*
@@ -1276,7 +903,7 @@ Deploying a new Configuration Manager infrastructure is beyond the scope of this
 Create a Configuration Manager application for each Windows desktop or Microsoft Store app that you want to deploy after you apply the reference image to a device. For more information, see [Deploy and manage applications with Configuration Manager](/mem/configmgr/apps/deploy-use/deploy-applications).
-### Configure Window Deployment Services for MDT
+### Configure Windows Deployment Services for MDT
 You can use Windows Deployment Services in conjunction with MDT to automatically initiate boot images on target devices. These boot images can be Windows PE images (which you generated in step 6 in Table 16) or custom images that can deploy operating systems directly to the target devices.
@@ -1298,7 +925,7 @@ You can use Windows Deployment Services in conjunction with MDT to automatically
 For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices).
-### Configure Window Deployment Services for Microsoft Endpoint Configuration Manager
+### Configure Windows Deployment Services for Microsoft Endpoint Configuration Manager
 > [!NOTE]
 > If you have already configured your Microsoft Endpoint Manager infrastructure to support PXE boot or selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next.
@@ -1430,116 +1057,20 @@ Microsoft has several recommended settings for educational institutions. Table 1 Use the information in Table 17 to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +|Recommendation|Description| +|--- |--- | +|Use of Microsoft accounts|You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.
                    **Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.
                    **Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.
                    ****Intune**.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.| +|Restrict the local administrator accounts on the devices|Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
                    **Group Policy**. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.
                    **Intune**. Not available.| +|Manage the built-in administrator account created during device deployment|When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it.
                    **Group Policy**. To rename the built-in Administrator account, use the Accounts: Rename administrator account Group policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You specify the new name for the Administrator account. To disable the built-in Administrator account, use the Accounts: Administrator account status Group policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).
                    **Intune**. Not available.| +|Control Microsoft Store access|You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.
                    **Group policy**. To disable the Microsoft Store app, use the Turn off the Store Application group policy setting. To prevent Microsoft Store apps from receiving updates, use the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?
                    **Intune**. To enable or disable Microsoft Store access, use the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy.| +|Use of Remote Desktop connections to devices|Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.
                    **Group policy**. To enable or disable Remote Desktop connections to devices, use the Allow Users to connect remotely using Remote Desktop setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.
                    **Intune**. Not available.| +|Use of camera|A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.
                    **Group policy**. Not available.
                    **Intune**. To enable or disable the camera, use the Allow camera policy setting in the Hardware section of a Windows 10 General Configuration policy.| +|Use of audio recording|Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.
                    **Group policy**. To disable the Sound Recorder app, use the Do not allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)) and [Create Your AppLocker Policies](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791899(v=ws.11)).
                    **Intune**. To enable or disable audio recording, use the Allow voice recording policy setting in the Features section of a Windows 10 General Configuration policy.| +|Use of screen capture|Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.
                    **Group policy**. Not available.
                    **Intune**. To enable or disable screen capture, use the Allow screen capture policy setting in the System section of a Windows 10 General Configuration policy.| +|Use of location services|Providing a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.
                    **Group policy**. To enable or disable location services, use the Turn off location group policy setting in User Configuration\Windows Components\Location and Sensors.
                    **Intune**. To enable or disable location services, use the Allow geolocation policy setting in the Hardware section of a Windows 10 General Configuration policy.| +|Changing wallpaper|Custom wallpapers can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on institution-owned devices.
                    **Group policy**. To configure the wallpaper, use the Desktop WallPaper setting in User Configuration\Administrative Templates\Desktop\Desktop.
                    **Intune**. Not available.| - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    RecommendationDescription
                    Use of Microsoft accountsYou want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

                    - -**Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

                    -**Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.

                    -**Intune.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. - -
                    Restrict the local administrator accounts on the devicesEnsure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

                    -Group Policy. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.

                    -Intune. Not available. - -
                    Manage the built-in administrator account created during device deploymentWhen you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it.

                    -Group Policy. To rename the built-in Administrator account, use the Accounts: Rename administrator account Group Policy setting. For more information about how to rename the built-in Administrator account, see To rename the Administrator account using the Group Policy Management Console. You specify the new name for the Administrator account. To disable the built-in Administrator account, use the Accounts: Administrator account status Group Policy setting. For more information about how to disable the built-in Administrator account, see Accounts: Administrator account status.

                    -Intune. Not available. - -
                    Control Microsoft Store accessYou can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.

                    -Group Policy. To disable the Microsoft Store app, use the Turn off the Store Application group policy setting. To prevent Microsoft Store apps from receiving updates, use the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?.

                    -Intune. To enable or disable Microsoft Store access, use the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy. - -
                    Use of Remote Desktop connections to devicesRemote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.

                    -Group Policy. To enable or disable Remote Desktop connections to devices, use the Allow Users to connect remotely using Remote Desktop setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.

                    -Intune. Not available. - -
                    Use of cameraA device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.

                    -Group Policy. Not available.

                    -Intune. To enable or disable the camera, use the Allow camera policy setting in the Hardware section of a Windows 10 General Configuration policy. - -
                    Use of audio recordingAudio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.

                    -Group Policy. To disable the Sound Recorder app, use the Do not allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in Editing an AppLocker Policy and Create Your AppLocker Policies.

                    -Intune. To enable or disable audio recording, use the Allow voice recording policy setting in the Features section of a Windows 10 General Configuration policy. - -
                    Use of screen captureScreen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.

                    -Group Policy. Not available.

                    -Intune. To enable or disable screen capture, use the Allow screen capture policy setting in the System section of a Windows 10 General Configuration policy. - -
                    Use of location servicesProviding a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.

                    -Group Policy. To enable or disable location services, use the Turn off location group policy setting in User Configuration\Windows Components\Location and Sensors.

                    -Intune. To enable or disable location services, use the Allow geolocation policy setting in the Hardware section of a Windows 10 General Configuration policy. - -
                    Changing wallpaperCustom wallpapers can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on institution-owned devices.

                    -Group Policy. To configure the wallpaper, use the Desktop WallPaper setting in User Configuration\Administrative Templates\Desktop\Desktop.

                    -Intune. Not available. - -

                    Table 17. Recommended settings for educational institutions
@@ -1577,7 +1108,7 @@ For more information about Intune, see [Microsoft Intune Documentation](/intune/
 If you selected to deploy and manage apps by using Microsoft Endpoint Manager and Intune in a hybrid configuration, then skip this section and continue to the [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager) section.
-You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or that another solution manages.
+You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as iOS or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or that another solution manages.
 For more information about how to configure Intune to manage your apps, see the following resources:
@@ -1589,9 +1120,9 @@ For more information about how to configure Intune to manage your apps, see the
 ### Deploy and manage apps by using Microsoft Endpoint Configuration Manager
-You can use Microsoft Endpoint Manager to deploy Microsoft Store and Windows desktop apps. Configuration Manager allows you to create a Configuration Manager application that you can use to deploy apps to different devices (such as Windows 10 desktop, Windows 10 Mobile, iOS, or Android devices) by using *deployment types*. You can think of a Configuration Manager application as a box. You can think of deployment types as one or more sets of installation files and installation instructions within that box.
+You can use Microsoft Endpoint Manager to deploy Microsoft Store and Windows desktop apps. Configuration Manager allows you to create a Configuration Manager application that you can use to deploy apps to different devices (such as Windows 10 desktop, iOS, or Android devices) by using *deployment types*. You can think of a Configuration Manager application as a box. You can think of deployment types as one or more sets of installation files and installation instructions within that box.
-For example, you could create a Skype application that contains a deployment type for Windows 10 desktop, Windows 10 Mobile, iOS, and Android. You can deploy the one application to multiple device types.
+For example, you could create a Skype application that contains a deployment type for Windows 10 desktop, iOS, and Android. You can deploy the one application to multiple device types.
 > [!NOTE]
 > When you configure Configuration Manager and Intune in a hybrid model, you deploy apps by using Configuration Manager as described in this section.
@@ -1607,7 +1138,7 @@ If you selected to manage updates by using Configuration Manager and Intune in a
 To help ensure that your users have the most current features and security protection, keep Windows 10 and your apps current with updates. To configure Windows 10 and app updates, use the **Updates** workspace in Intune.
 > [!NOTE]
-> You can only manage updates (including antivirus and antimalware updates) for Windows 10 desktop operating systems (not Windows 10 Mobile, iOS, or Android).
+> You can only manage updates (including antivirus and antimalware updates) for Windows 10 desktop operating systems (not iOS or Android).
 For more information about how to configure Intune to manage updates and malware protection, see the following resources:
@@ -1631,7 +1162,7 @@ In this section, you prepared your institution for device management. You identi
 ## Deploy Windows 10 to devices
-You’re ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms as well as for any new student devices you add in the future. You can also perform these actions for any device that’s eligible for a Windows 10 upgrade. This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows 7 to Windows 10.
+You’re ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms and for any new student devices you add in the future. You can also perform these actions for any device that’s eligible for a Windows 10 upgrade. This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows 7 to Windows 10.
 ### Prepare for deployment
@@ -1719,205 +1250,23 @@ After the initial deployment, you need to perform certain tasks to maintain the Table 19 lists the school and individual classroom maintenance tasks, the resources for performing the tasks, and the schedule (or frequency) on which you should perform the tasks. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Task and resourcesMonthlyNew semester or academic yearAs required
                    Verify that Windows Update is active and current with operating system and software updates.

                    -For more information about completing this task when you have: - -
                    xxx
                    Verify that Windows Defender is active and current with malware Security intelligence.

                    -For more information about completing this task, see Turn Windows Defender on or off and Updating Windows Defender. -
                    xxx
                    Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.

                    -For more information about completing this task, see the “How do I find and remove a virus?” topic in Protect my PC from viruses. -
                    xxx
                    Download and approve updates for Windows 10, apps, device driver, and other software.

                    -For more information, see: - -
                    xxx
                    Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

                    -For more information about Windows 10 servicing options for updates and upgrades, see Windows 10 servicing options. -
                    xx
                    Refresh the operating system and apps on devices.

                    -For more information about completing this task, see the following resources: - -
                    xx
                    Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.

                    -For more information, see: - -
                    xx
                    Install new or update existing Microsoft Store apps used in the curriculum.

                    -Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.

                    -You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration. For more information, see: - -
                    xx
                    Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).

                    -For more information about how to: - -
                    xx
                    Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).

                    -For more information about how to: - -
                    xx
                    Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).

                    -For more information about how to: - -
                    xx
                    Add new accounts (and corresponding licenses) to Office 365 (if you don’t have an on-premises AD DS infrastructure).

                    -For more information about how to: - -
                    xx
                    Create or modify security groups, and manage group membership in Office 365.

                    -For more information about how to: - -
                    xx
                    Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.

                    -For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see Create and manage distribution groups and Create, edit, or delete a security group. -
                    xx
                    Install new student devices.

                    -Follow the same steps you followed in the Deploy Windows 10 to devices section. -
                    x
                    -
                    +|Task and resources|Monthly|New semester or academic year|As required| +|--- |--- |--- |--- | +|Verify that Windows Update is active and current with operating system and software updates.
                    For more information about completing this task when you have:
                  • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)
                  • Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
                  • WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).
                    Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help.|✔️|✔️|✔️| +|Verify that Windows Defender is active and current with malware Security intelligence.
                    For more information about completing this task, see [Turn Windows Defender on or off](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02)and [Updating Windows Defender](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03).|✔️|✔️|✔️| +|Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.
                    For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses).|✔️|✔️|✔️| +|Download and approve updates for Windows 10, apps, device driver, and other software.
                    For more information, see:
                  • [Manage updates by using Intune](#manage-updates-by-using-intune)
                  • [Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager)|✔️|✔️|✔️| +|Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).
                    For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](/windows/deployment/update/).||✔️|✔️| +|Refresh the operating system and apps on devices.
                    For more information about completing this task, see the following resources:
                  • [Prepare for deployment](#prepare-for-deployment)
                  • [Capture the reference image](#capture-the-reference-image)
                  • [Deploy Windows 10 to devices](#deploy-windows-10-to-devices)||✔️|✔️| +|Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.
                    For more information, see:
                  • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
                  • [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️| +|Install new or update existing Microsoft Store apps used in the curriculum.
                    Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
                    You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration.
                    For more information, see:
                  • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
                  • [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️| +|Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).
                    For more information about how to:
                  • Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center)
                  • Remove licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️| +|Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).
                    For more information about how to:
                  • Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)
                  • Assign licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️| +|Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).
                    For more information about how to:
                  • Remove unnecessary user accounts, see [Delete or restore users](/microsoft-365/admin/add-users/delete-a-user)
                  • Remove licenses, [Assign or remove licenses for Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️| +|Add new accounts (and corresponding licenses) to Office 365 (if you don’t have an on-premises AD DS infrastructure).
                    For more information about how to:
                  • Add user accounts, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
                  • Assign licenses, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️| +|Create or modify security groups, and manage group membership in Office 365.
                    For more information about how to:
                  • Create or modify security groups, see [Create a Microsoft 365 group](/microsoft-365/admin/create-groups/create-groups)
                  • Manage group membership, see [Manage Group membership](/microsoft-365/admin/create-groups/add-or-remove-members-from-groups).||✔️|✔️| +|Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.
                    For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Create and manage distribution groups](/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups) and [Create, edit, or delete a security group](/microsoft-365/admin/email/create-edit-or-delete-a-security-group).||✔️|✔️| +|Install new student devices.
                    Follow the same steps you followed in the[Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section.|||✔️| *Table 19. School and individual classroom maintenance tasks, with resources and the schedule for performing them* @@ -1936,4 +1285,4 @@ You have now identified the tasks you need to perform monthly, at the end of an * [Manage Windows 10 updates and upgrades in a school environment (video)](./index.md) * [Reprovision devices at the end of the school year (video)](./index.md) * [Use MDT to deploy Windows 10 in a school (video)](./index.md) -* [Use Microsoft Store for Business in a school environment (video)](./index.md) \ No newline at end of file +* [Use Microsoft Store for Business in a school environment (video)](./index.md) diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index 318b892188..c0e52a36d6 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md 
@@ -20,23 +20,23 @@ manager: dansimp - Windows 10 -This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment as well as the automated tools and built-in features of the operating system. +This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment and the automated tools and built-in features of the operating system. ## Prepare for school deployment -Proper preparation is essential for a successful school deployment. To avoid common mistakes, your first step is to plan a typical school configuration. Just as with building a house, you need a blueprint for what your school should look like when it’s finished. The second step in preparation is to learn how you will configure your school. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your school. +Proper preparation is essential for a successful school deployment. 
To avoid common mistakes, your first step is to plan a typical school configuration. As with building a house, you need a blueprint for what your school should look like when it’s finished. The second step in preparation is to learn how you will configure your school. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your school. ### Plan a typical school configuration As part of preparing for your school deployment, you need to plan your configuration—the focus of this guide. Figure 1 illustrates a typical finished school configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. -![fig 1.](images/deploy-win-10-school-figure1.png) +:::image type="content" source="images/deploy-win-10-school-figure1.png" alt-text="A finished school configuration for a Windows client deployment."::: *Figure 1. Typical school configuration for this guide* Figure 2 shows the classroom configuration this guide uses. -![fig 2.](images/deploy-win-10-school-figure2.png) +:::image type="content" source="images/deploy-win-10-school-figure2.png" alt-text="See the classroom configuration used in this Windows client deployment guide."::: *Figure 2. Typical classroom configuration in a school* @@ -54,13 +54,15 @@ This school configuration has the following characteristics: - You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device. - You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device. - **Note**  In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. + > [!NOTE] + > In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. + - The devices use Azure AD in Office 365 Education for identity management. -- If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity).
                  • -- Use [Intune](/mem/intune/), [compliance settings in Office 365](https://support.office.com/en-us/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)?f=255&MSPPError=-2147217396) in AD DS to manage devices. +- If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity). +- Use [Intune](/mem/intune/), [Set up Basic Mobility and Security](/microsoft-365/admin/basic-mobility-security/set-up), or Group Policy in AD DS to manage devices. - Each device supports a one-student-per-device or multiple-students-per-device scenario. - The devices can be a mixture of different make, model, and processor architecture (32 bit or 64 bit) or be identical. -- To initiate Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment Boot (PXE Boot). +- To start a Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment Boot (PXE Boot). - The devices can be a mixture of different Windows 10 editions, such as Windows 10 Home, Windows 10 Pro, and Windows 10 Education. Office 365 Education allows: 
@@ -78,9 +80,9 @@ Office 365 Education allows: - Teachers to provide collaboration in the classroom through Microsoft SharePoint Online team sites. - Students and faculty to use Office 365 Video to manage videos. - Students and faculty to use Yammer to collaborate through private social networking. -- Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices). +- Students and faculty to access classroom resources from anywhere on any device (including iOS and Android devices). -For more information about Office 365 Education features and a FAQ, go to [Office 365 Education](https://products.office.com/en-us/academic). +For more information about Office 365 Education features and a FAQ, go to [Office 365 Education](https://www.microsoft.com/microsoft-365/academic/compare-office-365-education-plans). ## How to configure a school 
@@ -90,11 +92,11 @@ The primary tool you will use to deploy Windows 10 in your school is MDT, which You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments. -MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps and migration of user settings on existing devices. +MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices. LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section. -The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. +The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. 
You can manage Windows 10 devices and apps with [Microsoft Endpoint Manager](/mem/), the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. The configuration process requires the following devices: @@ -112,7 +114,7 @@ The high-level process for deploying and configuring devices within individual c 6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10. 7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Azure AD integration. -![fig 3.](images/deploy-win-10-school-figure3.png) +:::image type="content" source="images/deploy-win-10-school-figure3.png" alt-text="See the high level process of configuring Windows client devices in a classroom and the school"::: *Figure 3. How school configuration works* @@ -136,7 +138,7 @@ When you install the Windows ADK on the admin device, select the following featu - Windows Preinstallation Environment (Windows PE) - User State Migration Tool (USMT) -For more information about installing the Windows ADK, see [Step 2-2: Install the Windows ADK](/mem/configmgr/mdt/lite-touch-installation-guide?f=255&MSPPError=-2147217396#InstallWindowsADK). +For more information about installing the Windows ADK, see [Step 2-2: Install the Windows ADK](/mem/configmgr/mdt/lite-touch-installation-guide#InstallWindowsADK). ### Install MDT 
@@ -144,7 +146,8 @@ Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windo You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 64-bit version of MDT to support deployment of 32-bit and 64-bit operating systems. -**Note**  If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32 bit versions of the operating system. +> [!NOTE] +> If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32-bit versions of the operating system. For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](/mem/configmgr/mdt/use-the-mdt#InstallingaNewInstanceofMDT). @@ -154,7 +157,7 @@ Now, you’re ready to create the MDT deployment share and populate it with the MDT includes the Deployment Workbench, a graphical user interface that you can use to manage MDT deployment shares. A deployment share is a shared folder that contains all the MDT deployment content. The LTI Deployment Wizard accesses the deployment content over the network or from a local copy of the deployment share (known as MDT deployment media). -For more information about how to create a deployment share, see [Step 3-1: Create an MDT Deployment Share](/mem/configmgr/mdt/lite-touch-installation-guide?f=255&MSPPError=-2147217396#CreateMDTDeployShare). +For more information about how to create a deployment share, see [Step 3-1: Create an MDT Deployment Share](/mem/configmgr/mdt/lite-touch-installation-guide#step-3-configure-mdt-to-create-the-reference-computer). ### Summary 
@@ -164,80 +167,63 @@ In this section, you installed the Windows ADK and MDT on the admin device. You Office 365 is one of the core components of your classroom environment. You create and manage student identities in Office 365, and students and teachers use the suite as their email, contacts, and calendar system. Teachers and students use Office 365 collaboration features such as SharePoint, OneNote, and OneDrive for Business. -As a first step in deploying your classroom, create an Office 365 Education subscription, and then configure Office 365 for the classroom. For more information about Office 365 Education deployment, see [School deployment of Office 365 Education](https://www.microsoft.com/education/products/office-365-deployment-resources/default.aspx). +As a first step in deploying your classroom, create an Office 365 Education subscription, and then configure Office 365 for the classroom. For more information about Office 365 Education deployment, see [School deployment of Office 365 Education](https://www.microsoft.com/education/products/office). ### Select the appropriate Office 365 Education license plan Complete the following steps to select the appropriate Office 365 Education license plan for your school: -
                      -
                    1. Determine the number of faculty members and students who will use the classroom.
                      Office 365 Education licensing plans are available specifically for faculty and students. You must assign faculty and students the correct licensing plan. -
                    2. -
                    3. Determine the faculty members and students who need to install Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Microsoft 365 Apps for enterprise plans). Table 1 lists the advantages and disadvantages of standard and Microsoft 365 Apps for enterprise plans.
                    4. -
                      -Table 1. Comparison of standard and Microsoft Microsoft 365 Apps for enterprise plans -
                      - ----- - - - - - - - - - - +- Determine the number of faculty members and students who will use the classroom. Office 365 Education licensing plans are available specifically for faculty and students. You must assign faculty and students the correct licensing plan. + +- Determine the faculty members and students who need to install Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Microsoft 365 Apps for enterprise plans). Table 1 lists the advantages and disadvantages of standard and Microsoft 365 Apps for enterprise plans. + +*Table 1. Comparison of standard and Microsoft 365 Apps for enterprise plans* + +--- +| Plan | Advantages | Disadvantages | +| --- | --- | --- | +| Standard | - Less expensive than Microsoft 365 Apps for enterprise
                      - Can be run from any device
                      - No installation necessary | - Must have an Internet connection to use it
                      - Does not support all the features found in Microsoft 365 Apps for enterprise | +| Office ProPlus | - Only requires an Internet connection every 30 days (for activation)
                      - Supports full set of Office features | - Requires installation
                      - Can be installed on only five devices per user (there is no limit to the number of devices on which you can run Office apps online) | + +--- - -
                      PlanAdvantagesDisadvantages
                      Standard
                      • Less expensive than Microsoft 365 Apps for enterprise
                      • Can be run from any device
                      • No installation necessary
                      • Must have an Internet connection to use it
                      • Does not support all the features found in Microsoft 365 Apps for enterprise
                      Office ProPlus
                      • Only requires an Internet connection every 30 days (for activation)
                      • Supports full set of Office features
                      • Requires installation
                      • Can be installed on only five devices per user (there is no limit to the number of devices on which you can run Office apps online)
                      -
                      The best user experience is to run Microsoft 365 Apps for enterprise or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device. -
                      -
                    5. Determine whether students or faculty need Azure Rights Management.
                      You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see Azure Rights Management.
                    6. -
                    7. Record the Office 365 Education license plans needed for the classroom in Table 2.

                      + +- Determine whether students or faculty need Azure Rights Management. + + You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see [Azure Rights Management](/information-protection/). + +- Record the Office 365 Education license plans needed for the classroom in Table 2. *Table 2. Office 365 Education license plans needed for the classroom* -
                      - ---- - - - - - - - - - - - - -
                      QuantityPlan
                      Office 365 Education for students
                      Office 365 Education for faculty
                      Azure Rights Management for students
                      Azure Rights Management for faculty
                      -
                      -You will use the Office 365 Education license plan information you record in Table 2 in the Create user accounts in Office 365 section of this guide.
                    + +--- +| Quantity | Plan | +| --- | --- | +| | Office 365 Education for students | +| | Office 365 Education for faculty | +| | Azure Rights Management for students | +| | Azure Rights Management for faculty | + +--- + +You will use the Office 365 Education license plan information you record in Table 2 in the [Create user accounts in Office 365](#create-user-accounts-in-office-365) section of this guide. ### Create a new Office 365 Education subscription To create a new Office 365 Education subscription for use in the classroom, use your educational institution’s email account. There are no costs to you or to students for signing up for Office 365 Education subscriptions. -**Note**  If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Add domains and subdomains](#add-domains-and-subdomains). +> [!NOTE] +> If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Add domains and subdomains](#add-domains-and-subdomains). #### To create a new Office 365 subscription 1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar. - **Note**  If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window in one of the following: - - Microsoft Edge by opening the Microsoft Edge app, either pressing Ctrl+Shift+P or clicking or tapping **More actions**, and then clicking or tapping **New InPrivate window**. - - Internet Explorer 11 by opening Internet Explorer 11, either pressing Ctrl+Shift+P or clicking or tapping **Settings**, clicking or tapping **Safety**, and then clicking or tapping **InPrivate Browsing**. 
+ If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window. Your options:
+
+ - In Microsoft Edge, select Ctrl+Shift+N. Or, select **More actions** > **New InPrivate window**.
+ - In Internet Explorer, select Ctrl+Shift+P. Or, select **Settings** > **Safety** > **InPrivate Browsing**.
 2. On the **Get started** page, type your school email address in the **Enter your school email address** box, and then click **Sign up**. You will receive an email in your school email account.
 3. Click the hyperlink in the email in your school email account.
@@ -245,7 +231,7 @@ To create a new Office 365 Education subscription for use in the classroom, use
 ### Add domains and subdomains
-Now that you have created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has contoso.edu as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains.
+Now that you have created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has `contoso.edu` as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains.
 #### To add additional domains and subdomains
@@ -260,7 +246,8 @@ Now that you have created your new Office 365 Education subscription, add the do
 To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant.
-**Note**  By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries require opt-in steps to add new users to existing Office 365 tenants. Check your country requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled.
+> [!NOTE]
+> By default, automatic tenant join is enabled in Office 365 Education, except for certain areas in Europe, the Middle East, and Africa. These countries require opt-in steps to add new users to existing Office 365 tenants. Check your country requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled.
 Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks:
@@ -269,42 +256,46 @@ Office 365 uses the domain portion of the user’s email address to know which O You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before allowing other faculty and students to join Office 365. -**Note**  You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. +> [!NOTE] +> You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. -All new Office 365 Education subscriptions have automatic tenant join enabled by default, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 3. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). +All new Office 365 Education subscriptions have automatic tenant join enabled by default, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 3. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](/microsoft-365/education/deploy/office-365-education-self-sign-up#how-can-i-prevent-students-from-joining-my-existing-office-365-tenant). *Table 3. 
Windows PowerShell commands to enable or disable Automatic Tenant Join* - +--- | Action | Windows PowerShell command | |---------|-----------------------------------------------------------| | Enable | `Set-MsolCompanySettings -AllowEmailVerifiedUsers $true` | | Disable | `Set-MsolCompanySettings -AllowEmailVerifiedUsers $false` | -

                    -Note  If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant. +--- + +> [!NOTE] +> If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant. ### Disable automatic licensing To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval. -**Note**  By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. +> [!NOTE] +> By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. -Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 4. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). +Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 4. 
For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](/microsoft-365/education/deploy/office-365-education-self-sign-up#how-can-i-prevent-students-from-joining-my-existing-office-365-tenant). *Table 4. Windows PowerShell commands to enable or disable automatic licensing* - +--- | Action | Windows PowerShell command | |---------|-----------------------------------------------------------| | Enable | `Set-MsolCompanySettings -AllowAdHocSubscriptions $true` | | Disable | `Set-MsolCompanySettings -AllowAdHocSubscriptions $false` | -

                    +--- ### Enable Azure AD Premium -When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory. Azure AD is the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD–integrated apps. Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. +When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory. Azure AD is the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD–integrated apps. Azure AD has different editions, which may include Office 365 Education. For more information, see [Introduction to Azure Active Directory Tenants](/microsoft-365/education/deploy/intro-azure-active-directory). Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](/azure/active-directory/fundamentals/active-directory-get-started-premium#step-3-activate-your-azure-active-directory-access). 
@@ -324,10 +315,10 @@ You can assign Azure AD Premium licenses to the users who need these features. F
 You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You will assign Azure AD Premium licenses to users later in the deployment process.
-For more information about:
+For more information, see:
-- Azure AD editions and the features in each, see [Azure Active Directory editions](/azure/active-directory/fundamentals/active-directory-whatis).
-- How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](/previous-versions/azure/azure-services/jj573650(v=azure.100)#create_tenant3).
+- [Azure Active Directory licenses](/azure/active-directory/fundamentals/active-directory-whatis)
+- [Sign up for Azure Active Directory Premium](/azure/active-directory/fundamentals/active-directory-get-started-premium)
 ### Summary
 You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365.
@@ -344,9 +335,10 @@ Now that you have an Office 365 subscription, you need to determine how you will
 In this method, you have an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD.
-**Note**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)?f=255&MSPPError=-2147217396).
+> [!NOTE]
+> Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [LDAP synchronization with Azure Active Directory](/azure/active-directory/fundamentals/sync-ldap).
-![fig 4.](images/deploy-win-10-school-figure4.png)
+:::image type="content" source="images/deploy-win-10-school-figure4.png" alt-text="See the automatic synchronization between Active Directory Directory Services and Azure AD.":::
 *Figure 4. Automatic synchronization between AD DS and Azure AD*
@@ -354,9 +346,9 @@ For more information about how to perform this step, see the [Integrate on-premi
 ### Method 2: Bulk import into Azure AD from a .csv file
-In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies.
+In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a `.csv` file with the student information from your source, and then manually import the information directly into Azure AD. The `.csv` file must be in the format that Office 365 specifies.
-![fig 5.](images/deploy-win-10-school-figure5.png)
+:::image type="content" source="images/deploy-win-10-school-figure5.png" alt-text="Create a csv file with student information, and import the csv file into Azure AD.":::
 *Figure 5. Bulk import into Azure AD from other sources*
@@ -373,7 +365,8 @@ In this section, you selected the method for creating user accounts in your Offi
 You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS.
-**Note**  If your institution does not have an on-premises AD DS domain, you can skip this section.
+> [!NOTE]
+> If your institution does not have an on-premises AD DS domain, you can skip this section.
 ### Select synchronization model
@@ -381,15 +374,15 @@ Before you deploy AD DS and Azure AD synchronization, you need to determine wher
 You can deploy the Azure AD Connect tool by using one of the following methods:
-- **On premises.** As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server.
+- **On premises**: As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server.
- ![fig 6.](images/deploy-win-10-school-figure6.png)
+ :::image type="content" source="images/deploy-win-10-school-figure6.png" alt-text="Azure AD Connect runs on-premises and uses a virtual machine.":::
 *Figure 6. Azure AD Connect on premises*
-- **In Azure**. As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
+- **In Azure**: As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
- ![fig 7.](images/deploy-win-10-school-figure7.png)
+ :::image type="content" source="images/deploy-win-10-school-figure7.png" alt-text="Azure AD Connect runs on a VM in Azure AD, and uses a VPN gateway on-premises.":::
 *Figure 7. Azure AD Connect in Azure*
@@ -401,10 +394,10 @@ In this synchronization model (illustrated in Figure 6), you run Azure AD Connec
 #### To deploy AD DS and Azure AD synchronization
-1. Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect-prerequisites/).
+1. Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](/azure/active-directory/hybrid/how-to-connect-install-prerequisites).
 2. On the VM or physical device that will run Azure AD Connect, sign in with a domain administrator account.
-3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](/azure/active-directory/hybrid/whatis-hybrid-identity#install-azure-ad-connect).
-4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure features](/azure/active-directory/hybrid/whatis-hybrid-identity#configure-sync-features).
+3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](/azure/active-directory/hybrid/how-to-connect-install-select-installation).
+4. Configure Azure AD Connect features based on your institution’s requirements. For more information, see [Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
 Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD.
@@ -414,7 +407,7 @@ Azure AD Connect should start synchronization immediately. Depending on the numb
 #### To verify AD DS and Azure AD synchronization
-1. Open https://portal.office.com in your web browser.
+1. In your web browser, go to [https://portal.office.com](https://portal.office.com).
 2. Using the administrative account that you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section, sign in to Office 365.
 3. In the list view, expand **USERS**, and then click **Active Users**.
 4. In the details pane, view the list of users. The list of users should mirror the users in AD DS.
@@ -434,7 +427,8 @@ In this section, you selected your synchronization model, deployed Azure AD Conn
 You can bulk-import user and group accounts into your on-premises AD DS domain. Bulk-importing accounts helps reduce the time and effort needed to create users compared to creating the accounts manually in the Office 365 Admin portal. First, you select the appropriate method for bulk-importing user accounts into AD DS. Next, you create the .csv file that contains the user accounts. Finally, you use the selected method to import the .csv file into AD DS.
-**Note**  If your institution doesn’t have an on-premises AD DS domain, you can skip this section.
+> [!NOTE]
+> If your institution doesn’t have an on-premises AD DS domain, you can skip this section.
 ### Select the bulk import method
@@ -442,14 +436,14 @@ Several methods are available to bulk-import user accounts into AD DS domains. T *Table 5. AD DS bulk-import account methods* +--- +| Method | Description and reason to select this method | +|---|---| +| **Ldifde.exe** | This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/116.active-directory-step-by-step-guide-bulk-import-and-export.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816781(v=ws.10)), and [LDIFDE](/previous-versions/orphan-topics/ws.10/cc755456(v=ws.10)). | +| **VBScript** | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/116.active-directory-step-by-step-guide-bulk-import-and-export.aspx). | +| **Windows PowerShell** | This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Windows PowerShell scripting. 
For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). | -| Method | Description and reason to select this method | -|--------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Ldifde.exe | This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816781(v=ws.10)), and [LDIFDE](/previous-versions/orphan-topics/ws.10/cc755456(v=ws.10)). 
| -| VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)) and [ADSI Scriptomatic](https://technet.microsoft.com/scriptcenter/dd939958.aspx). | -| Windows PowerShell | This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). | - -

                    +--- ### Create a source file that contains the user and group accounts 
@@ -457,26 +451,27 @@ After you have selected your user and group account bulk import method, you’re *Table 6. Source file format for each bulk import method* +--- +| Method | Source file format | +|---|---| +| **Ldifde.exe** | Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/116.active-directory-step-by-step-guide-bulk-import-and-export.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816781(v=ws.10)), and [LDIFDE](/previous-versions/orphan-topics/ws.10/cc755456(v=ws.10)). | +| **VBScript** | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/116.active-directory-step-by-step-guide-bulk-import-and-export.aspx) | +| **Windows PowerShell** | Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). 
| -| Method | Source file format | -|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Ldifde.exe | Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816781(v=ws.10)), and [LDIFDE](/previous-versions/orphan-topics/ws.10/cc755456(v=ws.10)). | -| VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)). | -| Windows PowerShell | Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. 
For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). | - -

                    +--- ### Import the user accounts into AD DS With the bulk-import source file finished, you’re ready to import the user and group accounts into AD DS. The steps for importing the file are slightly different for each method. -**Note**  Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts. +> [!NOTE] +> Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts. For more information about how to import user accounts into AD DS by using: -- Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816781(v=ws.10)), and [LDIFDE](/previous-versions/orphan-topics/ws.10/cc755456(v=ws.10)). -- VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)). -- Windows PowerShell, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). 
+- Ldifde.exe: See [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/116.active-directory-step-by-step-guide-bulk-import-and-export.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816781(v=ws.10)), and [LDIFDE](/previous-versions/orphan-topics/ws.10/cc755456(v=ws.10)). +- VBScript: See [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/116.active-directory-step-by-step-guide-bulk-import-and-export.aspx). +- Windows PowerShell: See [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). ### Summary 
@@ -494,23 +489,26 @@ You can use the Microsoft 365 admin center to add individual Office 365 accounts
 The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 2. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts.
-For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US).
+For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365](/microsoft-365/enterprise/add-several-users-at-the-same-time).
-**Note**  If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process.
+> [!NOTE]
+> If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process.
-The email accounts are assigned temporary passwords upon creation. You must communicate these temporary passwords to your users before they can sign in to Office 365.
+The email accounts are assigned temporary passwords upon creation. Communicate these temporary passwords to your users before they can sign in to Office 365.
 ### Create Office 365 security groups
 Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources.
-**Note**  If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
+> [!NOTE]
+> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
-For information about creating security groups, see [Create and manage Microsoft 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
+For information about creating security groups, see [Create a group in the Microsoft 365 admin center](/microsoft-365/admin/create-groups/create-groups).
 You can add and remove users from security groups at any time.
-**Note**  Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may need to sign out, and then sign in again for the change to take effect.
+> [!NOTE]
+> Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may need to sign out, and then sign in again for the change to take effect.
 ### Create email distribution groups
@@ -518,9 +516,10 @@ Microsoft Exchange Online uses an email distribution group as a single email rec
 You can create email distribution groups based on job role (such as teachers, administration, or students) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group.
-**Note**  Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps.
+> [!NOTE]
+> Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps.
-For information about how to create security groups, see [Create and manage Microsoft 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
+For information about how to create security groups, see [Create a group in the Microsoft 365 admin center](/microsoft-365/admin/create-groups/create-groups).
 ### Summary
@@ -545,44 +544,48 @@ Microsoft Store for Business allows you to create your own private portal to man - Manage apps, app licenses, and updates. - Distribute apps to your users. -For more information about Microsoft Store for Business, see [Microsoft Store for Business overview](/microsoft-store/microsoft-store-for-business-overview). +For more information, see [Microsoft Store for Business overview](/microsoft-store/microsoft-store-for-business-overview). The following section shows you how to create a Microsoft Store for Business portal and configure it for your school. ### Create and configure your Microsoft Store for Business portal -To create and configure your Microsoft Store for Business portal, simply use the administrative account for your Office 365 subscription to sign in to Microsoft Store for Business. Microsoft Store for Business automatically creates a portal for your institution and uses your account as its administrator. +To create and configure your Microsoft Store for Business portal, use the administrative account for your Office 365 subscription to sign in to Microsoft Store for Business. Microsoft Store for Business automatically creates a portal for your institution and uses your account as its administrator. #### To create and configure a Microsoft Store for Business portal -1. In Microsoft Edge or Internet Explorer, type `https://microsoft.com/business-store` in the address bar. -2. On the **Microsoft Store for Business** page, click **Sign in with an organizational account**.

                    **Note**  If your institution has AD DS, then don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. -3. On the Microsoft Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in. -4. On the **Microsoft Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept** -5. In the **Welcome to the Microsoft Store for Business** dialog box, click **OK**. +1. In Microsoft Edge or Internet Explorer, go to [https://microsoft.com/business-store](https://microsoft.com/business-store). +2. On the **Microsoft Store for Business** page, click **Sign in with an organizational account**. + + If your institution has AD DS, then don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. + +1. On the Microsoft Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in. +2. On the **Microsoft Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept** +3. In the **Welcome to the Microsoft Store for Business** dialog box, click **OK**. 
After you create the Microsoft Store for Business portal, configure it by using the commands in the settings menu listed in Table 7. Depending on your institution, you may (or may not) need to change these settings to further customize your portal. *Table 7. Menu selections to configure Microsoft Store for Business settings* - -| Menu selection | What you can do in this menu | -|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Account information | Displays information about your Microsoft Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Portal. For more information, see [Update Microsoft Store for Business account settings](/microsoft-store/update-microsoft-store-for-business-account-settings). | -| Device Guard signing | Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). | -| LOB publishers | Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](/microsoft-store/working-with-line-of-business-apps). | -| Management tools | Allows you to add tools that you can use to distribute (deploy) apps in your private store. 
For more information, see [Distribute apps with a management tool](/microsoft-store/distribute-apps-with-management-tool). | -| Offline licensing | Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see [Licensing model: online and offline licenses](/microsoft-store/apps-in-microsoft-store-for-business#licensing-model). | +--- +| Menu selection | What you can do in this menu | +|---|---| +| Account information | Displays information about your Microsoft Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure portal. For more information, see [Update Microsoft Store for Business account settings](/microsoft-store/update-microsoft-store-for-business-account-settings).| +| Device Guard signing | Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). | +| LOB publishers | Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](/microsoft-store/working-with-line-of-business-apps). | +| Management tools | Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](/microsoft-store/distribute-apps-with-management-tool). | +| Offline licensing | Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see [Licensing model: online and offline licenses](/microsoft-store/apps-in-microsoft-store-for-business#licensing-model). 
| | Permissions | Allows you to grant other users in your organization the ability to buy, manage, and administer your Microsoft Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Microsoft Store for Business](/microsoft-store/roles-and-permissions-microsoft-store-for-business). | | Private store | Allows you to change the organization name used in your Microsoft Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store). | -

                    +--- ### Find, acquire, and distribute apps in the portal Now that you have created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Microsoft Store for Business. -**Note**  Your educational institution can now use a credit card to pay for apps in Microsoft Store for Business. +> [!NOTE] +> Your educational institution can now use a credit card to pay for apps in Microsoft Store for Business. You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users. @@ -598,7 +601,7 @@ You will use the LTI deployment process in MDT to deploy Windows 10 to devices o ### Select the operating systems -Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. In the case of: +Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. If: - New devices or refreshing existing devices, you will complete replace the existing operating system on a device with Windows 10. - Upgrading existing devices, you will upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. 
@@ -614,13 +617,15 @@ Depending on your school’s requirements, you may need any combination of the f - Deploy new instances of Windows 10 Education so that new devices have a known configuration. - **Windows 10 Pro Education**. Use this operating system to upgrade existing eligible institution-owned devices running Windows 10 Pro Education, version 1903 or later, to Windows 10 Education using [subscription activation](/windows/deployment/windows-10-subscription-activation). -**Note**  Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business. These features are not available in Windows 10 Home. +> [!NOTE] +> Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business. These features are not available in Windows 10 Home. -One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32 bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. +One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32-bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. 
-**Note**  On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. +> [!NOTE] +> On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. -Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture. +Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). You cannot standardize personal devices on a specific operating system version or processor architecture. ### Select an image approach @@ -636,60 +641,14 @@ The MDT deployment process is highly automated, requiring minimal information to *Table 8. Methods to initiate MDT deployment* - ---- - - - - - - - +--- +| Method | Description and reason to select this method | +| --- | --- | +| **Windows Deployment Services** | This method:

                    - Uses diskless booting to initiate MDT deployment
                    - Works only with devices that support PXE boot.
                    - Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
                    -Deploys images more slowly than when using local media.
                    - Requires that you deploy a Windows Deployment Services server.

                    Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server. | +| **Bootable media** | This method:

                    - Initiates MDT deployment by booting from local media, including from USB drives, DVD-ROM, or CD-ROM.
                    - Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
                    - Deploys images more slowly than when using local media.
                    - Requires no additional infrastructure.

                    Select this method when you want to deploy Windows over-the-network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media. | +| **MDT deployment media** | This method:

                    - Initiates MDT deployment by booting from a local USB hard disk.
                    - Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
                    - Deploys images more quickly than network-based methods do.
                    - Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).

                    Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share, you must regenerate the MDT deployment media and update the USB hard disk. | - - - - - - - - - - - - - - - -
                    MethodDescription and reason to select this method
                    Windows Deployment ServicesThis method:

                    -
                      -
                    • Uses diskless booting to initiate MDT deployment.
                    • -
                    • Works only with devices that support PXE boot.
                    • -
                    • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
                    • -
                    • Deploys images more slowly than when using local media.
                    • -
                    • Requires that you deploy a Windows Deployment Services server.
                    • -
                    - -Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server.
                    Bootable mediaThis method:

                    -
                      -
                    • Initiates MDT deployment by booting from local media, including from USB drives, DVD-ROM, or CD-ROM.
                    • -
                    • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
                    • -
                    • Deploys images more slowly than when using local media.
                    • -
                    • Requires no additional infrastructure.
                    • -
                    - -Select this method when you want to deploy Windows over-the-network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media.
                    MDT deployment mediaThis method:

                    -
                      -
                    • Initiates MDT deployment by booting from a local USB hard disk.
                    • -
                    • Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
                    • -
                    • Deploys images more quickly than network-based methods do.
                    • -
                    • Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).
                    • -
                    - -Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share, you must regenerate the MDT deployment media and update the USB hard disk.
                    +--- ### Summary @@ -705,105 +664,35 @@ The first step in preparation for Windows 10 deployment is to configure—that i *Table 9. Tasks to configure the MDT deployment share* - ---- - - - - - - - - - - - +--- +| Task | Description | +| --- | --- | +| **1. Import operating systems** | Import the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportanOperatingSystemintotheDeploymentWorkbench). | +| **2. Import device drives** | Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.

                    Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench). | +| **3. Create MDT applications for Microsoft Store apps** | Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the Add-AppxPackage Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.

                    Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.

                    If you have Intune, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.

                    In addition, you must prepare your environment for sideloading (deploying) Microsoft Store apps. For more information about how to:

                    - Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10).
                    - Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). | +| **4. Create MDT applications for Windows desktop apps** | You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

                    To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source?f=255&MSPPError=-2147217396).

                    If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.

                    You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.

                    For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). | +| **5. Create task sequences.** | You must create a separate task sequence for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:

                    - Deploy Windows 10 Education 64-bit to devices.
                    - Deploy Windows 10 Education 32-bit to devices.
                    - Upgrade existing devices to Windows 10 Education 64-bit.
                    - Upgrade existing devices to Windows 10 Education 32-bit.

                    Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench). | +| **6. Update the deployment share.** | Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.

                    For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).| - - - - - - - - - - - - - - - - - - - - - - - - - -
                    TaskDescription
                    1. Import operating systemsImport the operating systems that you selected in the Select operating systems section into the deployment share. For more information about how to import operating systems, see Import an Operating System into the Deployment Workbench.
                    2. Import device drivesDevice drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.

                    +--- -Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench). +### Configure Windows Deployment Services for MDT -
                    3. Create MDT applications for Microsoft Store appsCreate an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the Add-AppxPackage Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.

                    - -Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.

                    - -If you have Intune, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.

                    - -In addition, you must prepare your environment for sideloading (deploying) Microsoft Store apps. For more information about how to:

                    - - - -
                    4. Create MDT applications for Windows desktop apps -You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

                    - -To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source?f=255&MSPPError=-2147217396).

                    - -If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.

                    - -**Note**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.

                    - -For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). - -
                    5. Create task sequences. -You must create a separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64 bit versions of Windows 10. To do so, you must create task sequences that will: -

                    -
                    • Deploy Windows 10 Education 64-bit to devices.
                    • -
                    • Deploy Windows 10 Education 32-bit to devices.
                    • -
                    • Upgrade existing devices to Windows 10 Education 64-bit.
                    • -
                    • Upgrade existing devices to Windows 10 Education 32-bit.
                    • -
                    - -Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench). - -
                    6. Update the deployment share. -Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64 bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.

                    - -For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).
                    - -### Configure Window Deployment Services for MDT - -You can use Windows Deployment Services in conjunction with MDT to automatically initiate boot images on target computers. These boot images can be Windows PE images (which you generated in Step 6 in Table 9) or custom images that can deploy operating systems directly to the target computers. +You can use Windows Deployment Services with MDT to automatically initiate boot images on target computers. These boot images can be Windows PE images (which you generated in Step 6 in Table 9) or custom images that can deploy operating systems directly to the target computers. #### To configure Windows Deployment Services for MDT -1. Set up and configure Windows Deployment Services.

                    Windows Deployment Services is a server role available in all Windows Server editions. You can enable the Windows Deployment Services server role on a new server or on any server running Windows Server in your institution. For more information about how to perform this step, see the following resources: +1. Set up and configure Windows Deployment Services. - - [Windows Deployment Services overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831764(v=ws.11)) - - The Windows Deployment Services Help file, included in Windows Deployment Services - - [Windows Deployment Services Getting Started Guide for Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj648426(v=ws.11)) + Windows Deployment Services is a server role available in all Windows Server editions. You can enable the Windows Deployment Services server role on a new server or on any server running Windows Server in your institution. For more information about how to perform this step, see the following resources: -2. Add LTI boot images (Windows PE images) to Windows Deployment Services.

                    The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices). + - [Windows Deployment Services overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831764(v=ws.11)) + - The Windows Deployment Services Help file, included in Windows Deployment Services + - [Windows Deployment Services Getting Started Guide for Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj648426(v=ws.11)) + +2. Add LTI boot images (Windows PE images) to Windows Deployment Services. + + The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices). ### Summary 
@@ -815,82 +704,19 @@ Before you deploy Windows 10 in your institution, you must prepare for device ma ### Select the management method -If you have only one device to configure, manually configuring that one device is tedious but possible. When you have multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, manually keeping an identical configuration on each device is virtually impossible as the number of devices in the school increases. +If you have only one device to configure, manually configuring that one device is tedious but possible. When you have multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, manually keeping an identical configuration on each device is difficult as the number of devices in the school increases. For a school, there are many ways to manage devices. Table 10 lists the methods that this guide describes and recommends. Use the information in Table 10 to determine which combination of management methods is right for your institution. *Table 10. School management methods* - ---- - - - - - - - +--- +| Method | Description | +| --- | --- | +| **Group Policy** | Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you:

                    - Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
                    - Want more granular control of device and user settings.
                    - Have an existing AD DS infrastructure.
                    - Typically manage on-premises devices.
                    - Can manage a required setting only by using Group Policy.

                    The advantages of this method include:

                    - No cost beyond the AD DS infrastructure.
                    - A larger number of settings.

                    The disadvantages of this method are:

                    - Can only manage domain-joined (institution-owned devices).
                    - Requires an AD DS infrastructure (if the institution does not have AD DS already).
                    - Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess). | +| **Intune** | Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10 and other operating systems, such as iOS/iPadOS, macOS, and Android. Intune is a subscription-based cloud service that integrates with Microsoft 365 and Azure AD.

                    Select this method when you:

                    - Want to manage institution-owned and personal devices (does not require that the device be domain joined).
                    - Don’t require the level of granular control over device and user settings (compared to Group Policy).
                    - Don’t have an existing AD DS infrastructure.
                    - Need to manage devices regardless of where they are (on or off premises).
                    - Can manage a required setting only by using Intune.

                    The advantages of this method are:

                    - You can manage institution-owned and personal devices.
                    - It doesn’t require that devices be domain joined.
                    - It doesn’t require any on-premises infrastructure.
                    - It can manage devices regardless of their location (on or off premises).

                    The disadvantages of this method are:

                    - Carries an additional cost for subscription.
                    - Doesn’t have a granular level control over device and user settings (compared to Group Policy). | - - - - - - - - - - - -
                    MethodDescription
                    Group Policy -Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you: -
                      -
                    • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
                    • -
                    • Want more granular control of device and user settings.
                    • -
                    • Have an existing AD DS infrastructure.
                    • -
                    • Typically manage on-premises devices.
                    • -
                    • Can manage a required setting only by using Group Policy.
                    • -
                    - -The advantages of this method include: -
                      -
                    • No cost beyond the AD DS infrastructure.
                    • -
                    • A larger number of settings (compared to Intune).
                    • -
                    -The disadvantages of this method are: -
                      -
                    • Can only manage domain-joined (institution-owned devices).
                    • -
                    • Requires an AD DS infrastructure (if the institution does not have AD DS already).
                    • -
                    • Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess).
                    • -
                    -
                    IntuneIntune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD. -Select this method when you: -
                      -
                    • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
                    • -
                    • Don’t require the level of granular control over device and user settings (compared to Group Policy).
                    • -
                    • Don’t have an existing AD DS infrastructure.
                    • -
                    • Need to manage devices regardless of where they are (on or off premises).
                    • -
                    • Can manage a required setting only by using Intune.
                    • -
                    - -The advantages of this method are: -
                      -
                    • You can manage institution-owned and personal devices.
                    • -
                    • It doesn’t require that devices be domain joined.
                    • -
                    • It doesn’t require any on-premises infrastructure.
                    • -
                    • It can manage devices regardless of their location (on or off premises).
                    • - -
                    -The disadvantages of this method are: -
                      -
                    • Carries an additional cost for subscription.
                    • -
                    • Doesn’t have a granular level control over device and user settings (compared to Group Policy).
                    • -
                    - -

                    +--- ### Select Microsoft-recommended settings @@ -898,111 +724,21 @@ Microsoft has several recommended settings for educational institutions. Table 1 *Table 11. Recommended settings for educational institutions* - ---- - - - - - - - +--- +| Recommendation | Description | +| --- | --- | +| **Use of Microsoft accounts** | You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

                    Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

                    **Group Policy**: Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)?amp;MSPPError=-2147217396&f=255) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

                    **Intune**: Enable or disable Microsoft accounts by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. | +| **Restrict local administrator accounts on the devices** | Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

                    **Group Policy**: Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732525(v=ws.11)).

                    **Intune**: Not available | +| **Manage the built-in administrator account created during device deployment** | When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.

                    **Group Policy**: Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).

                    **Intune**: Not available. | +| **Control Microsoft Store access** | You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.

                    **Group Policy**: You can disable the Microsoft Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Microsoft Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Microsoft Store in my enterprise environment?](/previous-versions/windows/it-pro/windows-8.1-and-8/hh832040(v=ws.11)#BKMK_UseGP).

                    **Intune**: You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy. | +| **Use of Remote Desktop connections to devices** | Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.

                    **Group Policy**: You can enable or disable Remote Desktop connections to devices by using the **Allow Users to connect remotely using Remote Desktop setting** in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.

                    **Intune**: Not available. | +| **Use of camera** | A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.

                    **Group Policy**: Not available.

                    **Intune**: You can enable or disable the camera by using the **Allow camera** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. | +| **Use of audio recording** | Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.

                    **Group Policy**: You can disable the Sound Recorder app by using the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)) and [Create Your AppLocker Policies](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791899(v=ws.11))

                    **Intune**: You can enable or disable the camera by using the **Allow voice recording** policy setting in the **Features** section of a **Windows 10 General Configuration** policy. | +| **Use of screen capture** | Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.

                    **Group Policy**: Not available.

                    **Intune**: You can enable or disable the camera by using the **Allow screen capture** policy setting in the **System** section of a **Windows 10 General Configuration** policy. | +| **Use of location services** | Providing a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.

                    **Group Policy**: You can enable or disable location services by using the **Turn off location** Group Policy setting in User Configuration\Windows Components\Location and Sensors.

                    **Intune**: You can enable or disable the camera by using the **Allow geolocation** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. | +| **Changing wallpaper** | Displaying a custom wallpaper can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or the device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on your devices.

                    **Group Policy**: You can configure the wallpaper by using the **Desktop WallPaper** setting in User Configuration\Administrative Templates\Desktop\Desktop.

                    **Intune**: Not available. | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    RecommendationDescription
                    Use of Microsoft accountsYou want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

                    -Note  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

                    -Group Policy. Configure the Accounts: Block Microsoft accounts Group Policy setting to use the Users can’t add Microsoft accounts setting option.

                    -Intune. Enable or disable the camera by using the Allow Microsoft account, Allow adding non-Microsoft accounts manually, and Allow settings synchronization for Microsoft accounts policy settings under the Accounts and Synchronization section of a Windows 10 General Configuration policy. -
                    Restrict local administrator accounts on the devicesEnsure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

                    -Group Policy. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.

                    -Intune. Not available. -
                    Restrict the local administrator accounts on the devicesEnsure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

                    -Group Policy. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.

                    -Intune. Not available. -
                    Manage the built-in administrator account created during device deploymentWhen you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.

                    -Group Policy. Rename the built-in Administrator account by using the Accounts: Rename administrator account Group Policy setting. For more information about how to rename the built-in Administrator account, see To rename the Administrator account using the Group Policy Management Console. You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the Accounts: Administrator account status Group Policy setting. For more information about how to disable the built-in Administrator account, see Accounts: Administrator account status.

                    -Intune. Not available. -
                    Control Microsoft Store accessYou can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.

                    -Group Policy. You can disable the Microsoft Store app by using the Turn off the Store Application Group Policy setting. You can prevent Microsoft Store apps from receiving updates by using the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?.

                    -Intune. You can enable or disable the camera by using the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy. -
                    Use of Remote Desktop connections to devicesRemote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.

                    -Group Policy. You can enable or disable Remote Desktop connections to devices by using the Allow Users to connect remotely using Remote Desktop setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.

                    -Intune. Not available. -
                    Use of cameraA device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.

                    -Group Policy. Not available.

                    -Intune. You can enable or disable the camera by using the Allow camera policy setting in the Hardware section of a Windows 10 General Configuration policy. -
                    Use of audio recordingAudio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.

                    -Group Policy. You can disable the Sound Recorder app by using the Do not allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in Editing an AppLocker Policy and Create Your AppLocker Policies.

                    -Intune. You can enable or disable the camera by using the Allow voice recording policy setting in the Features section of a Windows 10 General Configuration policy. -
                    Use of screen captureScreen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.

                    -Group Policy. Not available.

                    -Intune. You can enable or disable the camera by using the Allow screen capture policy setting in the System section of a Windows 10 General Configuration policy. -
                    Use of location servicesProviding a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.

                    -Group Policy. You can enable or disable location services by using the Turn off location Group Policy setting in User Configuration\Windows Components\Location and Sensors.

                    -Intune. You can enable or disable the camera by using the Allow geolocation policy setting in the Hardware section of a Windows 10 General Configuration policy. -
                    Changing wallpaperDisplaying a custom wallpaper can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or the device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on your devices.

                    -Group Policy. You can configure the wallpaper by using the Desktop WallPaper setting in User Configuration\Administrative Templates\Desktop\Desktop.

                    -Intune. Not available. -

                    +--- ### Configure settings by using Group Policy 
@@ -1018,22 +754,25 @@ For more information about Group Policy, see [Group Policy Planning and Deployme ### Configure settings by using Intune -Now, you’re ready to configure settings by using Intune. The steps in this section assume that you have an Office 365 subscription. You will configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. +Now, you’re ready to configure settings using Intune. The steps in this section assume that you have an Office 365 subscription. You will configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. -For more information about Intune, see [Documentation for Microsoft Intune](/intune/). +For more information about Intune, see [Documentation for Microsoft Intune](/mem/intune/). #### To configure Intune settings -1. Add Intune to your Office 365 subscription by completing the steps in [Get started with a paid subscription to Microsoft Intune](/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune). -2. Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://technet.microsoft.com/library/dn646962.aspx). -3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://technet.microsoft.com/library/dn646984.aspx). -4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://technet.microsoft.com/library/dn646959.aspx). +1. Check your Intune licensing. If you have a Microsoft 365 subscription, you may already have Intune. For more information, see [Microsoft Intune licensing](/mem/intune/fundamentals/licenses). +2. Enroll devices in Microsoft Intune. 
For more information on your enrollment options, see [Intune enrollment methods for Windows devices](/mem/intune/enrollment/windows-enrollment-methods). +3. Configure the [compliance settings](/mem/intune/protect/device-compliance-get-started) and [configuration settings](/mem/intune/configuration/device-profiles) that meet your school system's needs. +4. Use the reporting features in Intune to monitor devices. For more information, see [Intune reports](/mem/intune/fundamentals/reports). ### Deploy apps by using Intune -You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices) Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or are managed by another solution. +You can use Intune to deploy apps to Android, iOS/iPadOS, macOS, and Windows devices. You can manage app security and features on organization-owned devices and personal devices. -For more information about how to configure Intune to manage your apps, see [Deploy and configure apps with Microsoft Intune](/intune/). +For more information about how to configure Intune to manage your apps, see: + +- [What is Microsoft Intune app management?](/mem/intune/apps/app-management) +- [App protection policies overview](/mem/intune/apps/app-protection-policy) ### Summary 
@@ -1041,7 +780,7 @@ In this section, you prepared your institution for device management. You determ ## Deploy Windows 10 to devices -You’re ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms as well as for any new student devices you add in the future. You can also perform these actions for any device that’s eligible for a Windows 10 upgrade. This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows to Windows 10. +You’re ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms and for any new student devices you add in the future. You can also perform these actions for any device that’s eligible for a Windows 10 upgrade. This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows to Windows 10. ### Prepare for deployment @@ -1049,6 +788,7 @@ Prior to deployment of Windows 10, ensure that you complete the tasks listed in *Table 12. Deployment preparation checklist* +--- | Tasks | |-------| | The target devices have sufficient system resources to run Windows 10. | @@ -1056,14 +796,14 @@ Prior to deployment of Windows 10, ensure that you complete the tasks listed in | Create an MDT application for each Microsoft Store and Windows desktop app. | | Notify the students and faculty about the deployment. | - -

                    +--- ### Perform the deployment Use the Deployment Wizard to deploy Windows 10. The LTI deployment process is almost fully automated: You provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated. -**Note**  To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](/mem/configmgr/mdt/samples-guide). +> [!NOTE] +> To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](/mem/configmgr/mdt/samples-guide). In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems. @@ -1076,7 +816,8 @@ In most instances, deployments occur without incident. Only in rare occasions do After you have deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to the [Verify deployment](#verify-deployment) section. -**Note**  If you’re performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to the [Verify deployment](#verify-deployment) section. +> [!NOTE] +> If you’re performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to the [Verify deployment](#verify-deployment) section. #### To set up printers 
@@ -1119,167 +860,30 @@ Table 13 lists the school and individual classroom maintenance tasks, the resour *Table 13. School and individual classroom maintenance tasks, with resources and the schedule for performing them* - ------ - - - - - - - - - +--- +| Task and resources | Monthly | New semester or academic year | As required | +| --- | --- | --- | --- | +| Verify that Windows Update is active and current with operating system and software updates.

                    For more information about completing this task, see:

                    - Intune: See [Keep Windows PCs up to date with software updates in Microsoft Intune](https://www.microsoft.com/en-us/insidetrack/keeping-windows-10-devices-up-to-date-with-microsoft-intune-and-windows-update-for-business)
                    - Group Policy: See [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb)
                    - Windows Server Update Services (WSUS): See [Deploy Windows Server Update Services](/windows-server/administration/windows-server-update-services/deploy/deploy-windows-server-update-services)
                    - Neither Intune, Group Policy, or WSUS: See [Update Windows](https://support.microsoft.com/windows/update-windows-3c5ae7fc-9fb6-9af1-1984-b5e0412c556a). | ✔️ | ✔️ | ✔️ | +| Verify that Windows Defender is active and current with malware Security intelligence.

                    For more information, see [Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](/mem/intune/protect/advanced-threat-protection) and [Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus)). | ✔️ | ✔️ | ✔️ | +| Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.

                    For more information about completing this task, see [Protect my PC from viruses](https://support.microsoft.com/windows/protect-my-pc-from-viruses-b2025ed1-02d5-1e87-ba5f-71999008e026). | ✔️ | ✔️ | ✔️ | +| Verify that you are using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

                    For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/). | | ✔️ | ✔️ | +| Refresh the operating system and apps on devices.

                    For more information about completing this task, see the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. | | ✔️ | ✔️ | +| Install any new Windows desktop apps or update any Windows desktop apps that are used in the curriculum.

                    For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. | | ✔️ | ✔️ | +| Install new or update existing Microsoft Store apps that are used in the curriculum.

                    Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.

                    You can also deploy Microsoft Store apps directly to devices by using Intune. For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. | | ✔️ | ✔️ | +| Remove unnecessary user accounts (and corresponding licenses) from Office 365.

                    For more information, see:

                    - Remove unnecessary user accounts, see [Delete a user from your organization](/microsoft-365/admin/add-users/delete-a-user).
                    - Unassign licenses, see [Add users and assign licenses at the same time](/microsoft-365/admin/add-users/add-users). | | ✔️ | ✔️ | +| Add new accounts (and corresponding licenses) to Office 365.

                    For more information, see [Add users and assign licenses at the same time](/microsoft-365/admin/add-users/add-users) and [Assign licenses to users](/microsoft-365/admin/manage/assign-licenses-to-users). | | ✔️ | ✔️ | +| Create or modify security groups and manage group membership in Office 365.

                    For more information, see:

                    - [Create a group in the Microsoft 365 admin center](/microsoft-365/admin/create-groups/create-groups)
                    - [Add or remove members from Microsoft 365 groups using the admin center](/microsoft-365/admin/create-groups/add-or-remove-members-from-groups) | | ✔️ | ✔️ | +| Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.

                    For more information, see [Create and manage distribution list groups in Exchange Online](/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups) and [Create, edit, or delete a security group in the Microsoft 365 admin center](/microsoft-365/admin/email/create-edit-or-delete-a-security-group) | | ✔️ | ✔️ | +| Install new student devices

                    Follow the same steps in the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. | | | ✔️ | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Task and resourcesMonthlyNew semester or academic yearAs required
                    Verify that Windows Update is active and current with operating system and software updates.

                    -For more information about completing this task when you have: - -
                    XXX
                    Verify that Windows Defender is active and current with malware Security intelligence.

                    -For more information about completing this task, see Turn Windows Defender on or off and Updating Windows Defender.
                    XXX
                    Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.

                    -For more information about completing this task, see How do I find and remove a virus? -
                    XXX
                    Verify that you are using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

                    -For more information about Windows 10 servicing options for updates and upgrades, see Windows 10 servicing options for updates and upgrades.
                    XX
                    Refresh the operating system and apps on devices.

                    -For more information about completing this task, see the Deploy Windows 10 to devices section. - -
                    XX
                    Install any new Windows desktop apps or update any Windows desktop apps that are used in the curriculum.

                    -For more information, see the Deploy apps by using Intune section. - -
                    XX
                    Install new or update existing Microsoft Store apps that are used in the curriculum.

                    -Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.

                    -You can also deploy Microsoft Store apps directly to devices by using Intune. For more information, see the Deploy apps by using Intune section. - -
                    XX
                    Remove unnecessary user accounts (and corresponding licenses) from Office 365.

                    -For more information about how to: - - -
                    XX
                    Add new accounts (and corresponding licenses) to Office 365.

                    -For more information about how to: - -
                    XX
                    Create or modify security groups and manage group membership in Office 365.

                    -For more information about how to: - - -
                    XX
                    Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.

                    -For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see Manage Distribution Groups and Groups in Exchange Online and SharePoint Online. - -
                    XX
                    Install new student devices

                    -Follow the same steps described in the Deploy Windows 10 to devices section. - -
                    X
                    -

                    +--- ### Summary -Now, you have identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By performing these maintenance tasks you help ensure that your school stays secure and is configured as you specified. +Now, you have identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By running these maintenance tasks, you help ensure that your school stays secure and is configured as you specified. ## Related resources -

                    \ No newline at end of file + +- [Try it out: Windows 10 deployment (for educational institutions)](../index.yml) +- [Try it out: Windows 10 in the classroom](../index.yml) +- [Chromebook migration guide](/education/windows/chromebook-migration-guide) diff --git a/education/windows/index.md b/education/windows/index.md index cf961bfe83..9db6cd7672 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -18,29 +18,63 @@ ms.date: 10/13/2017 ## ![Learn more about Windows.](images/education.png) Learn -

                    Windows 10 editions for education customers
                    Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.

                    -

                    Compare each Windows edition
                    Find out more about the features and functionality we support in each edition of Windows.

                    -

                    Get Windows 10 Education or Windows 10 Pro Education
                    When you've made your decision, find out how to buy Windows for your school.

                    +**[Windows 10 editions for education customers](windows-editions-for-education-customers.md)** + +Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments. + +**[Compare each Windows edition](https://www.microsoft.com/WindowsForBusiness/Compare)** + +Find out more about the features and functionality we support in each edition of Windows. + +**[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)** + +When you've made your decision, find out how to buy Windows for your school. ## ![Plan for Windows 10 in your school.](images/clipboard.png) Plan -

                    Windows 10 configuration recommendations for education customers
                    Provides guidance on ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.

                    -

                    Deployment recommendations for school IT administrators
                    Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.

                    -Get Minecraft Education Edition
                    Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.

                    -

                    Take tests in Windows 10
                    Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.

                    -

                    Chromebook migration guide
                    Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.

                    +**[Windows 10 configuration recommendations for education customers](configure-windows-for-education.md)** + +Provides guidance on ways to customize the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, so that Windows is ready for your school. + +**[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)** + +Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft. + +**[Get Minecraft Education Edition](get-minecraft-for-education.md)** + +Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution. + +**[Take tests in Windows 10](take-tests-in-windows-10.md)** + +Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up. + +**[Chromebook migration guide](chromebook-migration-guide.md)** + +Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment. ## ![Deploy Windows 10 for Education.](images/PCicon.png) Deploy -

                    Set up Windows devices for education
                    Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.

                    -

                    Deploy Windows 10 in a school
                    Get step-by-step guidance to help you deploy Windows 10 in a school environment.

                    -

                    Deploy Windows 10 in a school district
                    Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.

                    -

                    Test Windows 10 S on existing Windows 10 education devices
                    Test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us.

                    +**[Set up Windows devices for education](set-up-windows-10.md)** + +Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs. + +**[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)** + +Get step-by-step guidance to help you deploy Windows 10 in a school environment. + +**[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)** + +Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district. + +**[Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md)** + +Test Windows 10 S on various Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us. ## ![Switch to Windows 10 for Education.](images/windows.png) Switch -

                    Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S
                    If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.

                    +**[Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)** +If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education. ## Windows 8.1 @@ -54,9 +88,11 @@ Follow these links to find step-by-step guidance on how to deploy Windows 8.1 in

                    Microsoft Store apps
                    Explore Microsoft Store app deployment strategies and considerations for educational institutions running Windows 8.1.

                    Windows To Go
                    Learn about the benefits, limitations, and processes involved in deploying Windows To Go.

                    -## Related topics +## Related articles + - [Microsoft Education documentation and resources](/education) -- [Windows 10 and Windows 10 Mobile](/windows/windows-10/) +- [Windows for business](https://www.microsoft.com/windows/business) +- [Microsoft 365 for business](https://www.microsoft.com/microsoft-365/business) | Component | What it does | Where to find it | |------------|--|------| -| App-V server components | App-V offers five server components that work together to allow you to host and publish virtual applications, generate usage reports, and manage your App-V environment. For more details, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).

                    If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. | The App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package that can be downloaded from the following locations:

                    If you have a Microsoft Developer Network (MSDN) subscription, use the [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215) to download the MDOP ISO package.

                    If you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home), download it from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx).

                    See [Deploying the App-V Server](appv-deploying-the-appv-server.md) for more information about installing and using the server components.| -| App-V client and App-V Remote Desktop Services (RDS) client | The App-V client is the component that runs virtualized applications on user devices, allowing users to interact with icons and file names to start virtualized applications. | The App-V client is automatically installed with Windows 10, version 1607.

                    To learn how to enable the client, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). | -| App-V sequencer | Use the App-V sequencer to convert Win32 applications into virtual packages for deployment to user devices. Devices must run the App-V client to allow users to interact with virtual applications. | Installed with the [Windows Assessment and Deployment kit (ADK) for Windows 10, version 1607](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). | +| App-V server components | App-V offers five server components that work together to allow you to host and publish virtual applications, generate usage reports, and manage your App-V environment. For more details, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).

                    If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. | The App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package that can be downloaded from the following locations:

                    If you have a Microsoft Developer Network (MSDN) subscription, use the [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215) to download the MDOP ISO package.

                    If you're using [Windows client for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home), download it from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx).

                    See [Deploying the App-V Server](appv-deploying-the-appv-server.md) for more information about installing and using the server components.| +| App-V client and App-V Remote Desktop Services (RDS) client | The App-V client is the component that runs virtualized applications on user devices, allowing users to interact with icons and file names to start virtualized applications. | Starting with Windows 10 version 1607, the App-V client is automatically installed.

                    To learn how to enable the client, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). | +| App-V sequencer | Use the App-V sequencer to convert Win32 applications into virtual packages for deployment to user devices. Devices must run the App-V client to allow users to interact with virtual applications. | Installed with the [Windows Assessment and Deployment kit (ADK) for Windows client](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). | For more information about these components, see [High Level Architecture for App-V](appv-high-level-architecture.md). diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md index 7c11b77a24..62ec6658b4 100644 --- a/windows/application-management/app-v/appv-high-level-architecture.md +++ b/windows/application-management/app-v/appv-high-level-architecture.md @@ -1,5 +1,5 @@ --- -title: High-level architecture for App-V (Windows 10) +title: High-level architecture for App-V (Windows 10/11) description: Use the information in this article to simplify your Microsoft Application Virtualization (App-V) deployment. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # High-level architecture for App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following information to simplify your Microsoft Application Virtualization (App-V) deployment. diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md index b0daa8e5c6..446fb2362d 100644 
--- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
+++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
@@ -1,5 +1,5 @@
 ---
-title: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell (Windows 10)
+title: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell (Windows 10/11)
 description: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell
 author: greg-lindsay
 ms.pagetype: mdop, appcompat, virtualization
diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
index b48c88fe55..2f8a941579 100644
--- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
+++ b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
@@ -1,5 +1,5 @@
 ---
-title: How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services (Windows 10)
+title: How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services (Windows 10/11)
 description: How to install the Management and Reporting Databases on separate computers from the Management and Reporting Services.
 author: greg-lindsay
 ms.pagetype: mdop, appcompat, virtualization
diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
index 9a7bb5df47..c7c54d8a32 100644
--- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
+++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
@@ -1,5 +1,5 @@
 ---
-title: How to install the Management Server on a Standalone Computer and Connect it to the Database (Windows 10)
+title: How to install the Management Server on a Standalone Computer and Connect it to the Database (Windows 10/11)
 description: How to install the Management Server on a Standalone Computer and Connect it to the Database
 author: greg-lindsay
 ms.pagetype: mdop, appcompat, virtualization
diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
index 3ac42e959a..261eb206aa 100644
--- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
+++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
@@ -1,5 +1,5 @@
 ---
-title: Install the Publishing Server on a Remote Computer (Windows 10)
+title: Install the Publishing Server on a Remote Computer (Windows 10/11)
 description: Use the procedures in this article to install the Microsoft Application Virtualization (App-V) publishing server on a separate computer.
 author: greg-lindsay
 ms.pagetype: mdop, appcompat, virtualization
diff --git a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
index 41fb1e6ffa..f2848972d7 100644
--- a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
+++ b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
@@ -1,5 +1,5 @@
 ---
-title: How to install the Reporting Server on a standalone computer and connect it to the database (Windows 10)
+title: How to install the Reporting Server on a standalone computer and connect it to the database (Windows 10/11)
 description: How to install the App-V Reporting Server on a Standalone Computer and Connect it to the Database
 author: greg-lindsay
 ms.pagetype: mdop, appcompat, virtualization
diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md
index 9bde5d0531..410d7b4f25 100644
--- a/windows/application-management/app-v/appv-install-the-sequencer.md
+++ b/windows/application-management/app-v/appv-install-the-sequencer.md
@@ -1,5 +1,5 @@
 ---
-title: Install the App-V Sequencer (Windows 10)
+title: Install the App-V Sequencer (Windows 10/11)
 description: Learn how to install the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices.
 author: greg-lindsay
 ms.pagetype: mdop, appcompat, virtualization
@@ -14,11 +14,11 @@ ms.topic: article
 ---
 # Install the App-V Sequencer
->Applies to: Windows 10, version 1607
+[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
 Use the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices. Those devices must be running the App-V client to allow users to interact with virtual applications.
-The App-V Sequencer is included in the Windows 10 Assessment and Deployment Kit (Windows ADK).
+The App-V Sequencer is included in the Windows client Assessment and Deployment Kit (Windows ADK).
 >[!NOTE]
 >The computer that will run the sequencer must not have the App-V client enabled. As a best practice, choose a computer with the same hardware and software configurations as the computers that will run the virtual applications. The sequencing process is resource-intensive, so make sure the computer that will run the Sequencer has plenty of memory, a fast processor, and a fast hard drive.
diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
index 3f38081e58..081235fe4b 100644
--- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
+++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
@@ -1,5 +1,5 @@
 ---
-title: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help (Windows 10)
+title: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help (Windows 10/11)
 description: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help
 author: greg-lindsay
 ms.pagetype: mdop, appcompat, virtualization
@@ -14,7 +14,7 @@ ms.topic: article
 ---
 # How to load the Windows PowerShell cmdlets for App-V and get cmdlet help
->Applies to: Windows 10, version 1607
+[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
 ## Requirements for using Windows PowerShell cmdlets
@@ -82,7 +82,7 @@ Starting in App-V 5.0 SP3, cmdlet help is available in two formats:
 |App-V Sequencer|**Update-Help -Module AppvSequencer**|
 |App-V Client|**Update-Help -Module AppvClient**|
-* Online in the [Microsoft Desktop Optimization Pack](/powershell/mdop/get-started?view=win-mdop2-ps).
+* Online in the [Microsoft Desktop Optimization Pack](/powershell/mdop/get-started).
 ## Displaying the help for a Windows PowerShell cmdlet
diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md
index 6375ae29ad..b67604f857 100644
--- a/windows/application-management/app-v/appv-maintaining-appv.md
+++ b/windows/application-management/app-v/appv-maintaining-appv.md
@@ -1,6 +1,6 @@
 ---
-title: Maintaining App-V (Windows 10)
-description: After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure.
+title: Maintaining App-V (Windows 10/11)
+description: After you have deployed App-V for Windows 10/11, you can use the following information to maintain the App-V infrastructure.
 author: greg-lindsay
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
@@ -14,9 +14,9 @@ ms.topic: article
 ---
 # Maintaining App-V
->Applies to: Windows 10, version 1607
+[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure.
+After you have deployed App-V for Windows client, you can use the following information to maintain the App-V infrastructure.
 ## Moving the App-V server
diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
index 278b757481..102c1d61e6 100644
--- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
@@ -1,5 +1,5 @@
 ---
-title: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell (Windows 10)
+title: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell (Windows 10/11)
 description: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell.
 author: greg-lindsay
 ms.pagetype: mdop, appcompat, virtualization
@@ -14,7 +14,7 @@ ms.topic: article
 ---
 # How to manage App-V packages running on a stand-alone computer by using Windows PowerShell
->Applies to: Windows 10, version 1607
+[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
 The following sections explain how to perform various management tasks on a stand-alone client computer with Windows PowerShell cmdlets.
diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
index 5333448a99..ab5b11444d 100644
--- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
@@ -1,5 +1,5 @@ --- -title: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell (Windows 10) +title: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell (Windows 10/11) description: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] An App-V connection group allows you to run all the virtual applications as a defined set of packages in a single virtual environment. For example, you can virtualize an application and its plug-ins by using separate packages, but run them together in a single connection group. @@ -70,28 +69,10 @@ This topic explains the following procedures: 2. Use the following cmdlets, and add the optional **–UserSID** parameter, where **-UserSID** represents the end user’s security identifier (SID): - - - - - - - - - - - - - - - - - - - - - -
                    CmdletExamples

                    Enable-AppVClientConnectionGroup

                    Enable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345

                    Disable-AppVClientConnectionGroup

                    Disable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345

                    + |Cmdlet|Examples| + |--- |--- | + |Enable-AppVClientConnectionGroup|Enable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345| + |Disable-AppVClientConnectionGroup|Disable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345| ## To allow only administrators to enable connection groups @@ -103,33 +84,9 @@ This topic explains the following procedures: 2. Run the following cmdlet and parameter: - - - - - - - - - - - - - - - - - - - - -
                    CmdletParameter and valuesExample

                    Set-AppvClientConfiguration

                    -RequirePublishAsAdmin

                    -
                      -
                    • 0 - False

                    • -
                    • 1 - True

                    • -

                    Set-AppvClientConfiguration -RequirePublishAsAdmin 1

                    - - + |Cmdlet|Parameter and values|Example| + |--- |--- |--- | + |Set-AppvClientConfiguration|-RequirePublishAsAdmin
                  • 0 - False
                  • 1 - True|Set-AppvClientConfiguration -RequirePublishAsAdmin
                    1|
                    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md index 1a1fed1187..0f8cf76315 100644 --- a/windows/application-management/app-v/appv-managing-connection-groups.md +++ b/windows/application-management/app-v/appv-managing-connection-groups.md @@ -1,5 +1,5 @@ --- -title: Managing Connection Groups (Windows 10) +title: Managing Connection Groups (Windows 10/11) description: Connection groups can allow administrators to manage packages independently and avoid having to add the same application multiple times to a client computer. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # Managing Connection Groups -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Connection groups enable the applications within a package to interact with each other in the virtual environment, while remaining isolated from the rest of the system. By using connection groups, administrators can manage packages independently and can avoid having to add the same application multiple times to a client computer. @@ -25,50 +24,16 @@ In some previous versions of App-V, connection groups were referred to as Dynami **In this section:** - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

                    About the Connection Group Virtual Environment

                    Describes the connection group virtual environment.

                    About the Connection Group File

                    Describes the connection group file.

                    How to Create a Connection Group

                    Explains how to create a new connection group.

                    How to Create a Connection Group with User-Published and Globally Published Packages

                    Explains how to create a new connection group that contains a mix of packages that are published to the user and published globally.

                    How to Delete a Connection Group

                    Explains how to delete a connection group.

                    How to Publish a Connection Group

                    Explains how to publish a connection group.

                    How to Make a Connection Group Ignore the Package Version

                    Explains how to configure a connection group to accept any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create.

                    How to Allow Only Administrators to Enable Connection Groups

                    Explains how to configure the App-V client so that only administrators (not end users) can enable or disable connection groups.

                    - - - - - +|Links|Description| +|--- |--- | +|[About the Connection Group Virtual Environment](appv-connection-group-virtual-environment.md)|Describes the connection group virtual environment.| +|[About the Connection Group File](appv-connection-group-file.md)|Describes the connection group file.| +|[How to Create a Connection Group](appv-create-a-connection-group.md)|Explains how to create a new connection group.| +|[How to Create a Connection Group with User-Published and Globally Published Packages](appv-create-a-connection-group-with-user-published-and-globally-published-packages.md)|Explains how to create a new connection group that contains a mix of packages that are published to the user and published globally.| +|[How to Delete a Connection Group](appv-delete-a-connection-group.md)|Explains how to delete a connection group.| +|[How to Publish a Connection Group](appv-publish-a-connection-group.md)|Explains how to publish a connection group.| +|[How to Make a Connection Group Ignore the Package Version](appv-configure-connection-groups-to-ignore-the-package-version.md)|Explains how to configure a connection group to accept any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create.| +[How to Allow Only Administrators to Enable Connection Groups](appv-allow-administrators-to-enable-connection-groups.md)|Explains how to configure the App-V client so that only administrators (not end users) can enable or disable connection groups.|
                    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md index da8bf8b6cc..7d268f0f29 100644 --- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md +++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md @@ -1,6 +1,6 @@ --- -title: Migrating to App-V from a Previous Version (Windows 10) -description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10 from a previous version. +title: Migrating to App-V from a Previous Version (Windows 10/11) +description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10/11 from a previous version. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -15,10 +15,9 @@ ms.author: greglin # Migrating to App-V from previous versions -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -To migrate from App-V 4.x to App-V for Windows 10, you must upgrade to App-V 5.x first. +To migrate from App-V 4.x to App-V for Windows 10/11, you must upgrade to App-V 5.x first. ## Improvements to the App-V Package Converter @@ -27,35 +26,9 @@ You can now use the package converter to convert App-V 4.6 packages that contain You can also use the `–OSDsToIncludeInPackage` parameter with the `ConvertFrom-AppvLegacyPackage` cmdlet to specify which .osd files’ information is converted and placed within the new package. - ---- - - - - - - - - - - - - -
                    New in App-V for Windows 10Prior to App-V for Windows 10

                    New .xml files are created corresponding to the .osd files associated with a package; these files include the following information:

                    -
                      -
                    • environment variables

                    • -
                    • shortcuts

                    • -
                    • file type associations

                    • -
                    • registry information

                    • -
                    • scripts

                    • -
                    -

                    You can now choose to add information from a subset of the .osd files in the source directory to the package using the -OSDsToIncludeInPackage parameter.

                    Registry information and scripts included in .osd files associated with a package were not included in package converter output.

                    -

                    The package converter would populate the new package with information from all of the .osd files in the source directory.

                    - - +|New in App-V for Windows client|Prior to App-V for Windows 10| +|--- |--- | +|New .xml files are created corresponding to the .osd files associated with a package; these files include the following information:
                  • environment variables
                  • shortcuts
                  • file type associations
                  • registry information
                  • scripts

                    You can now choose to add information from a subset of the .osd files in the source directory to the package using the -OSDsToIncludeInPackage parameter.|Registry information and scripts included in .osd files associated with a package were not included in package converter output.

                    The package converter would populate the new package with information from all of the .osd files in the source directory.| ### Example conversion statement @@ -103,65 +76,10 @@ ConvertFrom-AppvLegacyPackage –SourcePath \\OldPkgStore\ContosoApp\ **In the above example:** - ------ - - - - - - - - - - - - - - - - - - - - - - -
                    These Source directory files……are converted to these Destination directory files……and will contain these itemsDescription
                      -
                    • X.osd

                    • -
                    • Y.osd

                    • -
                    • Z.osd

                    • -
                      -
                    • X_Config.xml

                    • -
                    • Y_Config.xml

                    • -
                    • Z_Config.xml

                    • -
                      -
                    • Environment variables

                    • -
                    • Shortcuts

                    • -
                    • File type associations

                    • -
                    • Registry information

                    • -
                    • Scripts

                    • -

                    Each .osd file is converted to a separate, corresponding .xml file that contains the items listed here in App-V deployment configuration format. These items can then be copied from these .xml files and placed in the deployment configuration or user configuration files as desired.

                    -

                    In this example, there are three .xml files, corresponding with the three .osd files in the source directory. Each .xml file contains the environment variables, shortcuts, file type associations, registry information, and scripts in its corresponding .osd file.

                      -
                    • X.osd

                    • -
                    • Y.osd

                    • -
                      -
                    • ContosoApp.appv

                    • -
                    • ContosoApp_DeploymentConfig.xml

                    • -
                    • ContosoApp_UserConfig.xml

                    • -
                      -
                    • Environment variables

                    • -
                    • Shortcuts

                    • -
                    • File type associations

                    • -

                    The information from the .osd files specified in the -OSDsToIncludeInPackage parameter are converted and placed inside the package. The converter then populates the deployment configuration file and the user configuration file with the contents of the package, just as App-V Sequencer does when sequencing a new package.

                    -

                    In this example, environment variables, shortcuts, and file type associations included in X.osd and Y.osd were converted and placed in the App-V package, and some of this information was also included in the deployment configuration and user configuration files. X.osd and Y.osd were used because they were included as arguments to the -OSDsToIncludeInPackage parameter. No information from Z.osd was included in the package, because it was not included as one of these arguments.

                    - - +|These Source directory files…|…are converted to these Destination directory files…|…and will contain these items|Description| +|--- |--- |--- |--- | +|
                  • X.osd
                  • Y.osd
                  • Z.osd|
                  • X_Config.xml
                  • Y_Config.xml
                  • Z_Config.xml|
                  • Environment variables:
                  • Shortcuts
                  • File type associations
                  • Registry information
                  • Scripts|Each .osd file is converted to a separate, corresponding .xml file that contains the items listed here in App-V deployment configuration format. These items can then be copied from these .xml files and placed in the deployment configuration or user configuration files as desired.
                    In this example, there are three .xml files, corresponding with the three .osd files in the source directory. Each .xml file contains the environment variables, shortcuts, file type associations, registry information, and scripts in its corresponding .osd file.| +|
                  • X.osd
                  • Y.osd|
                  • ContosoApp.appv
                  • ContosoApp_DeploymentConfig.xml
                  • ContosoApp_UserConfig.xml|
                  • Environment variables
                  • Shortcuts
                  • File type associations|The information from the .osd files specified in the -OSDsToIncludeInPackage parameter are converted and placed inside the package. The converter then populates the deployment configuration file and the user configuration file with the contents of the package, just as App-V Sequencer does when sequencing a new package.
                    In this example, environment variables, shortcuts, and file type associations included in X.osd and Y.osd were converted and placed in the App-V package, and some of this information was also included in the deployment configuration and user configuration files. X.osd and Y.osd were used because they were included as arguments to the -OSDsToIncludeInPackage parameter. No information from Z.osd was included in the package, because it was not included as one of these arguments.| ## Converting packages created using a prior version of App-V @@ -176,34 +94,11 @@ After you convert an existing package you should test the package prior to deplo **What to know before you convert existing packages** - ---- - - - - - - - - - - - - - - - - - - - - -
                    IssueWorkaround

                    Virtual packages using DSC are not linked after conversion.

                    Link the packages using connection groups. See Managing Connection Groups.

                    Environment variable conflicts are detected during conversion.

                    Resolve any conflicts in the associated .osd file.

                    Hard-coded paths are detected during conversion.

                    Hard-coded paths are difficult to convert correctly. The package converter will detect and return packages with files that contain hard-coded paths. View the file with the hard-coded path, and determine whether the package requires the file. If so, it is recommended to re-sequence the package.

                    - - +|Issue|Workaround| +|--- |--- | +|Virtual packages using DSC are not linked after conversion.|Link the packages using connection groups. See [Managing Connection Groups](appv-managing-connection-groups.md).| +|Environment variable conflicts are detected during conversion.|Resolve any conflicts in the associated **.osd** file.| +|Hard-coded paths are detected during conversion.|Hard-coded paths are difficult to convert correctly. The package converter will detect and return packages with files that contain hard-coded paths. View the file with the hard-coded path, and determine whether the package requires the file. If so, it is recommended to re-sequence the package.| When converting a package check for failing files or shortcuts, locate the item in App-V 4.6 package. It could possibly be a hard-coded path. Convert the path. @@ -219,39 +114,12 @@ If a converted package does not open after you convert it, it is also recommende There is no direct method to upgrade to a full App-V infrastructure. Use the information in the following section for information about upgrading the App-V server. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
                    TaskMore Information

                    Review prerequisites.

                    App-V Server prerequisite software.

                    Enable the App-V client.

                    Enable the App-V desktop client.

                    Install App-V Server.

                    How to Deploy the App-V Server.

                    Migrate existing packages.

                    See Converting packages created using a prior version of App-V earlier in this topic.

                    - - - +|Task|More Information| +|--- |--- | +|Review prerequisites.|[App-V Server prerequisite software](appv-prerequisites.md#app-v-server-prerequisite-software)| +|Enable the App-V client.|[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)| +|Install App-V Server.|[How to Deploy the App-V Server](appv-deploy-the-appv-server.md)| +|Migrate existing packages.|See [Converting packages created using a prior version of App-V](#converting-packages-created-using-a-prior-version-of-app-v) earlier in this topic.|
                    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md index 0cc6df1e55..69acd8e60e 100644 --- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md +++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md @@ -1,5 +1,5 @@ --- -title: How to Modify an Existing Virtual Application Package (Windows 10) +title: How to Modify an Existing Virtual Application Package (Windows 10/11) description: Learn how to modify an existing virtual application package and add a new application to an existing virtual application package. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to Modify an Existing Virtual Application Package -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This topic explains how to: diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md index ad99c8c0b2..552c9efd53 100644 --- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md +++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md 
@@ -1,5 +1,5 @@
 ---
-title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10)
+title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10/11)
 description: Learn how to modify the Application Virtualization (App-V) client configuration by using Windows PowerShell.
 author: greg-lindsay
 ms.pagetype: mdop, appcompat, virtualization
@@ -15,8 +15,7 @@ ms.author: greglin
 # How to Modify Client Configuration by Using Windows PowerShell
-**Applies to**
-- Windows 10, version 1607
+[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
 Use the following procedure to configure the App-V client configuration.
diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
index ea80b1f3c8..e3bd963ee4 100644
--- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
+++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
@@ -1,5 +1,5 @@
 ---
-title: How to Move the App-V Server to Another Computer (Windows 10)
+title: How to Move the App-V Server to Another Computer (Windows 10/11)
 description: Learn how to create a new management server console in your environment and learn how to connect it to the App-V database.
 author: greg-lindsay
 ms.pagetype: mdop, appcompat, virtualization
diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md
index 91ddd5b656..08dba24e7a 100644
--- a/windows/application-management/app-v/appv-operations.md
+++ b/windows/application-management/app-v/appv-operations.md
@@ -1,5 +1,5 @@
 ---
-title: Operations for App-V (Windows 10)
+title: Operations for App-V (Windows 10/11)
 description: Learn about the various types of App-V administration and operating tasks that are typically performed by an administrator.
 author: greg-lindsay
 ms.pagetype: mdop, appcompat, virtualization
@@ -14,7 +14,7 @@ ms.topic: article
 ---
 # Operations for App-V
->Applies to: Windows 10, version 1607
+[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
 This section of the Microsoft Application Virtualization (App-V) Administrator’s Guide includes information about the various types of App-V administration and operating tasks that are typically performed by an administrator. This section also includes step-by-step procedures to help you successfully perform those tasks.
diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md
index dba895b3b1..2431493b6c 100644
--- a/windows/application-management/app-v/appv-performance-guidance.md
+++ b/windows/application-management/app-v/appv-performance-guidance.md
@@ -1,5 +1,5 @@
 ---
-title: Performance Guidance for Application Virtualization (Windows 10)
+title: Performance Guidance for Application Virtualization (Windows 10/11)
 description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI.
 author: greg-lindsay
 ms.pagetype: mdop, appcompat, virtualization
@@ -15,11 +15,13 @@ ms.author: greglin
 # Performance Guidance for Application Virtualization
-**Applies to**
-- Windows 7 SP1
-- Windows 10
-- Server 2012 R2
-- Server 2016
+**Applies to**:
+
+- Windows 7 SP1
+- Windows 10
+- Windows 11
+- Server 2012 R2
+- Server 2016
 Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI.
@@ -33,16 +35,16 @@ You should read and understand the following information before reading this doc - [App-V Sequencing Guide](https://www.microsoft.com/download/details.aspx?id=27760) -**Note**   -Some terms used in this document may have different meanings depending on external source and context. For more information about terms used in this document followed by an asterisk * review the [Application Virtualization Performance Guidance Terminology](#bkmk-terms1) section of this document. +> [!Note] +> Some terms used in this document may have different meanings depending on external source and context. For more information about terms used in this document followed by an asterisk `*`, review the [Application Virtualization Performance Guidance Terminology](#bkmk-terms1) section of this document. Finally, this document will provide you with the information to configure the computer running App-V client and the environment for optimal performance. Optimize your virtual application packages for performance using the sequencer, and to understand how to use User Experience Virtualization (UE-V) or other user environment management technologies to provide the optimal user experience with App-V in both Remote Desktop Services (RDS) and non-persistent virtual desktop infrastructure (VDI). -To help determine what information is relevant to your environment you should review each section’s brief overview and applicability checklist. +To help determine what information is relevant to your environment, you should review each section’s brief overview and applicability checklist. ## App-V in stateful\* non-persistent deployments -This section provides information about an approach that helps ensure a user will have access to all virtual applications within seconds after logging in. This is achieved by uniquely addressing the often long-running App-V publishing refresh. 
As you will discover the basis of the approach, the fastest publishing refresh, is one that doesn’t have to actually do anything. A number of conditions must be met and steps followed to provide the optimal user experience. +This section provides information about an approach that helps ensure a user will have access to all virtual applications within seconds after logging in. This is achieved by uniquely addressing the often long-running App-V publishing refresh. As you will discover the basis of the approach, the fastest publishing refresh, is one that doesn’t have to actually do anything. Many conditions must be met and steps followed to provide the optimal user experience. Use the information in the following section for more information: @@ -70,199 +72,97 @@ Use the information in the following section for more information: ### Applicability Checklist -Deployment Environment +|Checklist|Deployment Environment| +|--- |--- | +|![Checklist box](images/checklistbox.gif)|Non-Persistent VDI or RDSH.| +|![Checklist box](images/checklistbox.gif)|User Experience Virtualization (UE-V), other UPM solutions or User Profile Disks (UPD).| - ---- - - - - - - - - - - -
                    Checklist box

                    Non-Persistent VDI or RDSH.

                    Checklist box

                    User Experience Virtualization (UE-V), other UPM solutions or User Profile Disks (UPD).

                    +|Checklist|Expected Configuration| +|--- |--- | +|![Checklist box](images/checklistbox.gif)|User Experience Virtualization (UE-V) with the App-V user state template enabled or User Profile Management (UPM) software. Non-UE-V UPM software must be capable of triggering on Login or Process/Application Start and Logoff.| +|![Checklist box](images/checklistbox.gif)|App-V Shared Content Store (SCS) is configured or can be configured.| - -Expected Configuration - - ---- - - - - - - - - - - -
                    Checklist box

                    User Experience Virtualization (UE-V) with the App-V user state template enabled or User Profile Management (UPM) software. Non-UE-V UPM software must be capable of triggering on Login or Process/Application Start and Logoff.

                    Checklist box

                    App-V Shared Content Store (SCS) is configured or can be configured.

                    - - - -IT Administration - - ---- - - - - - - -
                    Checklist box

                    Admin may need to update the VM base image regularly to ensure optimal performance or Admin may need to manage multiple images for different user groups.

                    - - +|Checklist|IT Administration| +|--- |--- | +|![Checklist box](images/checklistbox.gif)|Admin may need to update the VM base image regularly to ensure optimal performance or Admin may need to manage multiple images for different user groups.| ### Usage Scenarios As you review the two scenarios, keep in mind that these approach the extremes. Based on your usage requirements, you may choose to apply these steps to a subset of users, virtual application packages, or both. - ---- - - - - - - - - - - - - -
                    Optimized for PerformanceOptimized for Storage

                    To provide the most optimal user experience, this approach leverages the capabilities of a UPM solution and requires additional image preparation and can incur some additional image management overhead.

                    -

                    The following describes many performance improvements in stateful non-persistent deployments. For more information, see Sequencing Steps to Optimize Packages for Publishing Performance later in this topic.

                    The general expectations of the previous scenario still apply here. However, keep in mind that VM images are typically stored in very costly arrays; a slight alteration has been made to the approach. Do not pre-configure user-targeted virtual application packages in the base image.

                    -

                    The impact of this alteration is detailed in the User Experience Walk-through section of this document.

                    +- **Performance**: To provide the most optimal user experience, this approach uses the capabilities of a UPM solution and requires extra image preparation and can incur some more image management overhead. - + The following describes many performance improvements in stateful non-persistent deployments. For more information, see [Sequencing Steps to Optimize Packages for Publishing Performance](#sequencing-steps-to-optimize-packages-for-publishing-performance) (in this article). + +- **Storage**: The general expectations of the previous scenario still apply here. However, keep in mind that VM images are typically stored in costly arrays; a slight alteration has been made to the approach. Do not pre-configure user-targeted virtual application packages in the base image. + + The impact of this alteration is detailed in the [User Experience Walk-through](#bkmk-uewt) (in this article). ### Preparing your Environment -The following table displays the required steps to prepare the base image and the UE-V or another UPM solution for the approach. +The following information displays the required steps to prepare the base image and the UE-V or another UPM solution for the approach. -**Prepare the Base Image** +#### Prepare the Base Image - ---- - - - - - - - - - - - - -
                    Optimized for PerformanceOptimized for Storage

                    -
                      -
                    • Enable the App-V client as described in Enable the App-V in-box client.

                    • -
                    • Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.

                    • -
                    • Configure for Shared Content Store (SCS) mode. For more information see Deploying the App-V Sequencer and Configuring the Client.

                    • -
                    • Configure Preserve User Integrations on Login Registry DWORD.

                    • -
                    • Pre-configure all user- and global-targeted packages for example, Add-AppvClientPackage.

                    • -
                    • Pre-configure all user- and global-targeted connection groups for example, Add-AppvClientConnectionGroup.

                    • -
                    • Pre-publish all global-targeted packages.

                      -

                      -

                      Alternatively,

                      -
                        -
                      • Perform a global publishing/refresh.

                      • -
                      • Perform a user publishing/refresh.

                      • -
                      • Un-publish all user-targeted packages.

                      • -
                      • Delete the following user-Virtual File System (VFS) entries.

                      • -
                      -

                      AppData\Local\Microsoft\AppV\Client\VFS

                      -

                      AppData\Roaming\Microsoft\AppV\Client\VFS

                    • -

                    -
                      -
                    • Enable the App-V client as described in Enable the App-V in-box client.

                    • -
                    • Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.

                    • -
                    • Configure for Shared Content Store (SCS) mode. For more information see Deploying the App-V Sequencer and Configuring the Client.

                    • -
                    • Configure Preserve User Integrations on Login Registry DWORD.

                    • -
                    • Pre-configure all global-targeted packages for example, Add-AppvClientPackage.

                    • -
                    • Pre-configure all global-targeted connection groups for example, Add-AppvClientConnectionGroup.

                    • -
                    • Pre-publish all global-targeted packages.

                      -

                    • -
                    +- **Performance**: - + - Enable the App-V client as described in [Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md). + - Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps. + - Configure for Shared Content Store (SCS) mode. For more information, see [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md). + - Configure Preserve User Integrations on Login Registry DWORD. + - Pre-configure all user and global-targeted packages, for example, **Add-AppvClientPackage**. + - Pre-configure all user- and global-targeted connection groups, for example, **Add-AppvClientConnectionGroup**. + - Pre-publish all global-targeted packages. Or: + - Perform a global publishing/refresh. + - Perform a user publishing/refresh. + - Unpublish all user-targeted packages. + - Delete the following user-Virtual File System (VFS) entries: -**Configurations** - For critical App-V Client configurations and for a little more context and how-to, review the following information: + - `AppData\Local\Microsoft\AppV\Client\VFS` + - `AppData\Roaming\Microsoft\AppV\Client\VFS` - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
                    Configuration SettingWhat does this do?How should I use it?

                    Shared Content Store (SCS) Mode

                    -

                    When running the shared content store only publishing data is maintained on hard disk; other virtual application assets are maintained in memory (RAM).

                    -

                    This helps to conserve local storage and minimize disk I/O per second (IOPS).

                    This is recommended when low-latency connections are available between the App-V Client endpoint and the SCS content server, SAN.

                    PreserveUserIntegrationsOnLogin

                    -
                      -
                    • Configure in the Registry under HKEY_LOCAL_MACHINE \ Software \ Microsoft \ AppV \ Client \ Integration.

                    • -
                    • Create the DWORD value PreserveUserIntegrationsOnLogin with a value of 1.

                    • -
                    • Restart the App-V client service or restart the computer running the App-V Client.

                    • -

                    If you have not pre-configured (Add-AppvClientPackage) a specific package and this setting is not configured, the App-V Client will de-integrate* the persisted user integrations, then re-integrate*.

                    -

                    For every package that meets the above conditions, effectively twice the work will be done during publishing/refresh.

                    If you don’t plan to pre-configure every available user package in the base image, use this setting.

                    MaxConcurrentPublishingRefresh

                    -
                      -
                    • Configure in the Registry under HKEY_LOCAL_MACHINE \ Software \ Microsoft \ AppV \ Client \ Publishing.

                    • -
                    • Create the DWORD value MaxConcurrentPublishingrefresh with the desired maximum number of concurrent publishing refreshes.

                    • -
                    • The App-V client service and computer do not need to be restarted.

                    • -

                    This setting determines the number of users that can perform a publishing refresh/sync at the same time. The default setting is no limit.

                    Limiting the number of concurrent publishing refreshes prevents excessive CPU usage that could impact computer performance. This limit is recommended in an RDS environment, where multiple users can log in to the same computer at the same time and perform a publishing refresh sync.

                    -

                    If the concurrent publishing refresh threshold is reached, the time required to publish new applications and make them available to end users after they log in could take an indeterminate amount of time.

                    +- **Storage**: - + - Enable the App-V client as described in [Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md). + - Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps. + - Configure for Shared Content Store (SCS) mode. For more information, see [Deploying the + App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md). + - Configure Preserve User Integrations on Login Registry DWORD. + - Pre-configure all global-targeted packages, for example, **Add-AppvClientPackage**. + - Pre-configure all global-targeted connection groups, for example, **Add-AppvClientConnectionGroup**. + - Pre-publish all global-targeted packages. + +#### Configurations + +For critical App-V Client configurations and for a little more context and how-to, review the following configuration settings: + +- **Shared Content Store (SCS) Mode**: When running the shared content store only publishing data is maintained on hard disk; other virtual application assets are maintained in memory (RAM). This helps to conserve local storage and minimize disk I/O per second (IOPS). + + This setting is recommended when low-latency connections are available between the App-V Client endpoint and the SCS content server, SAN. + + - Configurable in Windows PowerShell: `Set-AppvClientConfiguration -SharedContentStoreMode 1` + - Configurable with Group Policy: See [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md). + +- **PreserveUserIntegrationsOnLogin**: If you have not pre-configured (**Add-AppvClientPackage**) a specific package and this setting is not configured, the App-V Client will de-integrate* the persisted user integrations, then reintegrate*. + + For every package that meets the above conditions, effectively twice the work will be done during publishing/refresh. 
+ + If you don’t plan to pre-configure every available user package in the base image, use this setting. + + - Configure in the Registry under `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Integration`. + - Create the DWORD value **PreserveUserIntegrationsOnLogin** with a value of 1. + - Restart the App-V client service or restart the computer running the App-V Client. + +- **MaxConcurrentPublishingRefresh**: This setting determines the number of users that can perform a publishing refresh/sync at the same time. The default setting is no limit. + + Limiting the number of concurrent publishing refreshes prevents excessive CPU usage that could impact computer performance. This limit is recommended in an RDS environment, where multiple users can log in to the same computer at the same time and perform a publishing refresh sync. + + If the concurrent publishing refresh threshold is reached, the time required to publish new applications and make them available to end users after they log in could take an indeterminate amount of time. + + - Configure in the Registry under `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Publishing`. + - Create the DWORD value **MaxConcurrentPublishingrefresh** with the desired maximum number of concurrent publishing refreshes. + - The App-V client service and computer do not need to be restarted. ### Configure UE-V solution for App-V Approach 
@@ -270,14 +170,14 @@ We recommend using User Experience Virtualization (UE-V) to capture and centrali For more information, see: -- [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows) +- [User Experience Virtualization (UE-V) for Windows client overview](/windows/configuration/ue-v/uev-for-windows) - [Get Started with UE-V](/windows/configuration/ue-v/uev-getting-started) -In essence all that is required is to enable the UE-V service and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](https://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information about UE-V templates, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows). +In essence all that is required is to enable the UE-V service and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](https://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information about UE-V templates, see [User Experience Virtualization (UE-V) for Windows client overview](/windows/configuration/ue-v/uev-for-windows). -**Note**   -Without performing an additional configuration step, User Environment Virtualization (UE-V) will not be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default. +> [!Note] +> Without performing an additional configuration step, User Environment Virtualization (UE-V) will not be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default. 
UE-V will only support removing the .lnk file type from the exclusion list in the RDS and VDI scenarios, where every user’s device will have the same set of applications installed to the same location and every .lnk file is valid for all the users’ devices. For example, UE-V would not currently support the following two scenarios, because the net result will be that the shortcut will be valid on one but not all devices. 
@@ -285,12 +185,10 @@ UE-V will only support removing the .lnk file type from the exclusion list in th - If a user has an application installed on one device but not another with .lnk files enabled. -**Important**   -This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk. +> [!Important] +> This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk. - - -Using the Microsoft Registry Editor (regedit.exe), navigate to **HKEY\_LOCAL\_MACHINE** \\ **Software** \\ **Microsoft** \\ **UEV** \\ **Agent** \\ **Configuration** \\ **ExcludedFileTypes** and remove **.lnk** from the excluded file types. +Using the Microsoft Registry Editor (regedit.exe), navigate to `HKEY\_LOCAL\_MACHINE\Software\Microsoft\UEV\Agent\Configuration\ExcludedFileTypes` and remove `.lnk` from the excluded file types. ## Configure other User Profile Management (UPM) solutions for App-V Approach 
@@ -306,12 +204,11 @@ To enable an optimized login experience, for example the App-V approach for the - Attaching and detaching a user profile disk (UPD) or similar technology that contains the user integrations. - **Note**   - App-V is supported when using UPD only when the entire profile is stored on the user profile disk. - - App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver does not handle UPD selected folders. - - + > [!Note] + > + > App-V is supported when using UPD only when the entire profile is stored on the user profile disk. + > + > App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver does not handle UPD selected folders. - Capturing changes to the locations, which constitute the user integrations, prior to session logoff. @@ -353,84 +250,62 @@ Registry – HKEY\_CURRENT\_USER This following is a step-by-step walk-through of the App-V and UPM operations and the expectations users should expect. - ---- - - - - - - - - - - - - -
                    Optimized for PerformanceOptimized for Storage

                    After implementing this approach in the VDI/RDSH environment, on first login,

                    -
                      -
                    • (Operation) A user-publishing/refresh is initiated. (Expectation) If this is the first time a user has published virtual applications (e.g. non-persistent), this will take the usual duration of a publishing/refresh.

                    • -
                    • (Operation) After the publishing/refresh, the UPM solution captures the user integrations. (Expectation) Depending on how the UPM solution is configured, this may occur as part of the logoff process. This will incur the same/similar overhead as persisting the user state.

                    • -
                    -

                    On subsequent logins:

                    -
                      -
                    • (Operation) UPM solution applies the user integrations to the system prior to publishing/refresh.

                      -

                      (Expectation) There will be shortcuts present on the desktop, or in the start menu, which work immediately. When the publishing/refresh completes (i.e., package entitlements change), some may go away.

                    • -
                    • (Operation) Publishing/refresh will process un-publish and publish operations for changes in user package entitlements. (Expectation) If there are no entitlement changes, publishing1 will complete in seconds. Otherwise, the publishing/refresh will increase relative to the number and complexity* of virtual applications

                    • -
                    • (Operation) UPM solution will capture user integrations again at logoff. (Expectation) Same as previous.

                    • -
                    -

                    ¹ The publishing operation (Publish-AppVClientPackage) adds entries to the user catalog, maps entitlement to the user, identifies the local store, and finishes by completing any integration steps.

                    After implementing this approach in the VDI/RDSH environment, on first login,

                    -
                      -
                    • (Operation) A user-publishing/refresh is initiated. (Expectation)

                      -
                        -
                      • If this is the first time a user has published virtual applications (e.g., non-persistent), this will take the usual duration of a publishing/refresh.

                      • -
                      • First and subsequent logins will be impacted by pre-configuring of packages (add/refresh).

                        -

                      • -
                    • -
                    • (Operation) After the publishing/refresh, the UPM solution captures the user integrations. (Expectation) Depending on how the UPM solution is configured, this may occur as part of the logoff process. This will incur the same/similar overhead as persisting the user state

                    • -
                    -

                    On subsequent logins:

                    -
                      -
                    • (Operation) UPM solution applies the user integrations to the system prior to publishing/refresh.

                    • -
                    • (Operation) Add/refresh must pre-configure all user targeted applications. (Expectation)

                      -
                        -
                      • This may increase the time to application availability significantly (on the order of 10’s of seconds).

                      • -
                      • This will increase the publishing refresh time relative to the number and complexity* of virtual applications.

                        -

                      • -
                    • -
                    • (Operation) Publishing/refresh will process un-publish and publish operations for changes to user package entitlements.

                    • -
                    +- **Performance**: After implementing this approach in the VDI/RDSH environment, on first login, + - (Operation) A user-publishing/refresh is initiated. + (Expectation) If this is the first time a user has published virtual applications (e.g. non-persistent), this will take the usual duration of a publishing/refresh. + +- (Operation) After the publishing/refresh, the UPM solution captures the user integrations. + + (Expectation) Depending on how the UPM solution is configured, this may occur as part of the logoff process. This will incur the same/similar overhead as persisting the user state. + **On subsequent logins**: - ---- - - - - - - - - - - - - -
                    OutcomeOutcome

                    -
                      -
                    • Because the user integrations are entirely preserved, there will be no work for example, integration for the publishing/refresh to complete. All virtual applications will be available within seconds of login.

                    • -
                    • The publishing/refresh will process changes to the users entitled virtual applications which impacts the experience.

                    • -

                    Because the add/refresh must re-configure all the virtual applications to the VM, the publishing refresh time on every login will be extended.

                    + - (Operation) UPM solution applies the user integrations to the system prior to publishing/refresh. + (Expectation) There will be shortcuts present on the desktop, or in the start menu, which work immediately. When the publishing/refresh completes (i.e., package entitlements change), some may go away. + + - (Operation) Publishing/refresh will process un-publish and publish operations for changes in user package entitlements. + (Expectation) If there are no entitlement changes, publishing will complete in seconds. Otherwise, the publishing/refresh will increase relative to the number and complexity of virtual applications + The publishing operation (**Publish-AppVClientPackage**) adds entries to the user catalog, maps entitlement to the user, identifies the local store, and finishes by completing any integration steps. + + - (Operation) UPM solution will capture user integrations again at logoff. + + (Expectation) Same as previous. + + **Outcome**: + + - Because the user integrations are entirely preserved, there will be no work for example, integration for the publishing/refresh to complete. All virtual applications will be available within seconds of login. + - The publishing/refresh will process changes to the users entitled virtual applications which impacts the experience. + +- **Storage**: After implementing this approach in the VDI/RDSH environment, on first login + + - (Operation) A user-publishing/refresh is initiated. + + (Expectation): + + - If this is the first time a user has published virtual applications (e.g., non-persistent), this will take the usual duration of a publishing/refresh. + - First and subsequent logins will be impacted by pre-configuring of packages (add/refresh). + + - (Operation) After the publishing/refresh, the UPM solution captures the user integrations. + + (Expectation) Depending on how the UPM solution is configured, this may occur as part of the logoff process. 
This will incur the same/similar overhead as persisting the user state. + + **On subsequent logins**: + + - (Operation) UPM solution applies the user integrations to the system prior to publishing/refresh. + - (Operation) Add/refresh must pre-configure all user targeted applications. + + - (Expectation): + - This may increase the time to application availability significantly (on the order of 10’s of seconds). + - This will increase the publishing refresh time relative to the number and complexity* of virtual applications. + + - (Operation) Publishing/refresh will process un-publish and publish operations for changes to user package entitlements. + + **Outcome**: Because the add/refresh must re-configure all the virtual applications to the VM, the publishing refresh time on every login will be extended. + ### Impact to Package Life Cycle Upgrading a package is a crucial aspect of the package lifecycle. To help guarantee users have access to the appropriate upgraded (published) or downgraded (un-published) virtual application packages, it is recommended you update the base image to reflect these changes. To understand why review the following section: @@ -487,36 +362,9 @@ Server Performance Tuning Guidelines for Several App-V features facilitate new scenarios or enable new customer deployment scenarios. These following features can impact the performance of the publishing and launch operations. - ------ - - - - - - - - - - - - - - - - -
                    StepConsiderationBenefitsTradeoffs

                    No Feature Block 1 (FB1, also known as Primary FB)

                    No FB1 means the application will launch immediately and stream fault (application requires file, DLL and must pull down over the network) during launch. If there are network limitations, FB1 will:

                    -
                      -
                    • Reduce the number of stream faults and network bandwidth used when you launch an application for the first time.

                    • -
                    • Delay launch until the entire FB1 has been streamed.

                    • -

                    Stream faulting decreases the launch time.

                    Virtual application packages with FB1 configured will need to be re-sequenced.

                    - - +|Step|Consideration|Benefits|Tradeoffs| +|--- |--- |--- |--- | +|No Feature Block 1 (FB1, also known as Primary FB)|No FB1 means the application will launch immediately and stream fault (application requires file, DLL and must pull down over the network) during launch. If there are network limitations, FB1 will:
                  • Reduce the number of stream faults and network bandwidth used when you launch an application for the first time.
                  • Delay launch until the entire FB1 has been streamed.|Stream faulting decreases the launch time.|Virtual application packages with FB1 configured will need to be re-sequenced.| ### Removing FB1 @@ -552,37 +400,13 @@ Removing FB1 does not require the original application installer. After completi "C:\\UpgradedPackages" - **Note**   - This cmdlet requires an executable (.exe) or batch file (.bat). You must provide an empty (does nothing) executable or batch file. + > [!Note] + > This cmdlet requires an executable (.exe) or batch file (.bat). You must provide an empty (does nothing) executable or batch file. - +|Step|Considerations|Benefits|Tradeoffs| +|--- |--- |--- |--- | +|No SXS Install at Publish (Pre-Install SxS assemblies)|Virtual Application packages do not need to be re-sequenced. SxS Assemblies can remain in the virtual application package.|The SxS Assembly dependencies will not install at publishing time.|SxS Assembly dependencies must be pre-installed.| - ------ - - - - - - - - - - - - - - - - -
                    StepConsiderationsBenefitsTradeoffs

                    No SXS Install at Publish (Pre-Install SxS assemblies)

                    Virtual Application packages do not need to be re-sequenced. SxS Assemblies can remain in the virtual application package.

                    The SxS Assembly dependencies will not install at publishing time.

                    SxS Assembly dependencies must be pre-installed.

                    - - ### Creating a new virtual application package on the sequencer @@ -592,33 +416,9 @@ If, during sequencer monitoring, an SxS Assembly (such as a VC++ Runtime) is ins When publishing a virtual application package, the App-V Client will detect if a required SxS dependency is already installed. If the dependency is unavailable on the computer and it is included in the package, a traditional Windows Installer (.**msi**) installation of the SxS assembly will be initiated. As previously documented, simply install the dependency on the computer running the client to ensure that the Windows Installer (.msi) installation will not occur. - ------ - - - - - - - - - - - - - - - - -
                    StepConsiderationsBenefitsTradeoffs

                    Selectively Employ Dynamic Configuration files

                    The App-V client must parse and process these Dynamic Configuration files.

                    -

                    Be conscious of size and complexity (script execution, VREG inclusions/exclusions) of the file.

                    -

                    Numerous virtual application packages may already have User- or computer–specific dynamic configurations files.

                    Publishing times will improve if these files are used selectively or not at all.

                    Virtual application packages would need to be reconfigured individually or via the App-V server management console to remove associated Dynamic Configuration files.

                    - +|Step|Considerations|Benefits|Tradeoffs| +|--- |--- |--- |--- | +|Selectively Employ Dynamic Configuration files|The App-V client must parse and process these Dynamic Configuration files.

                    Be conscious of size and complexity (script execution, VREG inclusions/exclusions) of the file.

                    Numerous virtual application packages may already have User- or computer–specific dynamic configurations files.|Publishing times will improve if these files are used selectively or not at all.|Virtual application packages would need to be reconfigured individually or via the App-V server management console to remove associated Dynamic Configuration files.| ### Disabling a Dynamic Configuration by using Windows PowerShell @@ -637,39 +437,10 @@ For documentation on How to Apply a Dynamic Configuration, see: - [How to Apply the Deployment Configuration File by Using Windows PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md) - ------ - - - - - - - - - - - - - - - - - - - - - - -
                    StepConsiderationsBenefitsTradeoffs

                    Account for Synchronous Script Execution during Package Lifecycle.

                    If script collateral is embedded in the package, Add cmdlets may be significantly slower.

                    -

                    Running of scripts during virtual application launch (StartVirtualEnvironment, StartProcess) and/or Add+Publish will impact the perceived performance during one or more of these lifecycle operations.

                    Use of Asynchronous (Non-Blocking) Scripts will ensure that the lifecycle operations complete efficiently.

                    This step requires working knowledge of all virtual application packages with embedded script collateral, which have associated dynamic configurations files and which reference and run scripts synchronously.

                    Remove Extraneous Virtual Fonts from Package.

                    The majority of applications investigated by the App-V product team contained a small number of fonts, typically fewer than 20.

                    Virtual Fonts impact publishing refresh performance.

                    Desired fonts will need to be enabled/installed natively. For instructions, see Install or uninstall fonts.

                    - - +|Step|Considerations|Benefits|Tradeoffs| +|--- |--- |--- |--- | +|Account for Synchronous Script Execution during Package Lifecycle.|If script collateral is embedded in the package, Add cmdlets may be significantly slower.
                    Running of scripts during virtual application launch (StartVirtualEnvironment, StartProcess) and/or Add+Publish will impact the perceived performance during one or more of these lifecycle operations.|Use of Asynchronous (Non-Blocking) Scripts will ensure that the lifecycle operations complete efficiently.|This step requires working knowledge of all virtual application packages with embedded script collateral, which have associated dynamic configurations files and which reference and run scripts synchronously.| +|Remove Extraneous Virtual Fonts from Package.|The majority of applications investigated by the App-V product team contained a small number of fonts, typically fewer than 20.|Virtual Fonts impact publishing refresh performance.|Desired fonts will need to be enabled/installed natively. For instructions, see Install or uninstall fonts.| ### Determining what virtual fonts exist in the package @@ -679,15 +450,15 @@ For documentation on How to Apply a Dynamic Configuration, see: - Open AppxManifest.xml and locate the following: - ``` + ```xml ``` - **Note**  If there are fonts marked as **DelayLoad**, those will not impact first launch. - + > [!Note] + > If there are fonts marked as **DelayLoad**, those will not impact first launch. ### Excluding virtual fonts from the package @@ -697,7 +468,7 @@ Use the dynamic configuration file that best suits the user scope – deployment Fonts -``` +```xml --> 
@@ -157,9 +147,8 @@ The following example shows the details of an certificate renewal response. ``` > [!Note] -The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time. +> The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time. - ## Configuration service providers supported during MDM enrollment and certificate renewal The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider. diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md index 9a5f7e4425..e016a7676e 100644 --- a/windows/client-management/mdm/change-history-for-mdm-documentation.md +++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md @@ -1075,7 +1075,7 @@ This article lists new and updated articles for the Mobile Device Management (MD
                  • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess

                  Added links to the additional ADMX-backed BitLocker policies.

                  -

                  There were issues reported with the previous release of the following policies. These issues were fixed in Window 10, version 1709:

                  +

                  There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:

                  • Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
                  • Start/HideAppList
                  • diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 44886adee0..c8c467fcc9 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -18,9 +18,35 @@ The CM\_CellularEntries configuration service provider is used to configure the This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application. -The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. +The following shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. -![cm\-cellularentries csp.](images/provisioning-csp-cm-cellularentries.png) +```console +CM_CellularEntries +----entryname +--------AlwaysOn +--------AuthType +--------ConnectionType +--------Desc.langid +--------Enabled +--------IpHeaderCompression +--------Password +--------SwCompression +--------UserName +--------UseRequiresMappingPolicy +--------Version +--------DevSpecificCellular +-----------GPRSInfoAccessPointName +--------Roaming +--------OEMConnectionID +--------ApnId +--------IPType +--------ExemptFromDisablePolicy +--------ExemptFromRoaming +--------TetheringNAI +--------IdleDisconnectTimeout +--------SimIccId +--------PurposeGroups +``` ***entryname***

                    Defines the name of the connection.

                    @@ -44,38 +70,14 @@ The following diagram shows the CM\_CellularEntries configuration service provid **ConnectionType**

                    Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available: -
                    ---- - - - - - - - - - - - - - - - - - - - - - - - - - - -

                    gprs

                    Default. Used for GPRS type connections (GPRS + GSM + EDGE + UMTS + LTE).

                    cdma

                    Used for CDMA type connections (1XRTT + EVDO).

                    lte

                    Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.

                    legacy

                    Used for GPRS + GSM + EDGE + UMTS connections.

                    lte_iwlan

                    Used for GPRS type connections that may be offloaded over WiFi

                    iwlan

                    Used for connections that are implemented over WiFi offload only

                    +|Connection type|Usage| +|--- |--- | +|Gprs|Default. Used for GPRS type connections (GPRS + GSM + EDGE + UMTS + LTE).| +|Cdma|Used for CDMA type connections (1XRTT + EVDO).| +|Lte|Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.| +|Legacy|Used for GPRS + GSM + EDGE + UMTS connections.| +|Lte_iwlan|Used for GPRS type connections that may be offloaded over WiFi| +|Iwlan|Used for connections that are implemented over WiFi offload only| @@ -269,37 +271,14 @@ Configuring a CDMA connection: ## Microsoft Custom Elements - The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning. - ---- - - - - - - - - - - - - - - - - - - - - -
                    ElementAvailable

                    nocharacteristic

                    Yes

                    characteristic-query

                    Yes

                    parm-query

                    Yes

                    +|Element|Available| +|--- |--- | +|Nocharacteristic|Yes| +|Characteristic-query|Yes| +|Parm-query|Yes| - ## Related topics diff --git a/windows/client-management/mdm/cm-proxyentries-csp.md b/windows/client-management/mdm/cm-proxyentries-csp.md deleted file mode 100644 index 5680e25242..0000000000 --- a/windows/client-management/mdm/cm-proxyentries-csp.md +++ /dev/null 
@@ -1,184 +0,0 @@
----
-title: CM\_ProxyEntries CSP
-description: Learn how the CM\_ProxyEntries configuration service provider is used to configure proxy connections on the mobile device.
-ms.assetid: f4c3dc71-c85a-4c68-9ce9-19f408ff7a0a
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: manikadhiman
-ms.date: 06/26/2017
----
-
-# CM\_ProxyEntries CSP
-
-
-The CM\_ProxyEntries configuration service provider is used to configure proxy connections on the mobile device.
-
-> [!NOTE]
-> CM\_ProxyEntries CSP is only supported in Windows 10 Mobile.
-
-> [!IMPORTANT]
-> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
-
-
-
-The following shows the CM\_ProxyEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP) and OMA Device Management(OMA DM). Support for OMA DM was added in Windows 10, version 1607.
-
-```
-./Vendor/MSFT
-CM_ProxyEntries
-----Entry
---------ConnectionName
---------BypassLocal
---------Enable
---------Exception
---------Password
---------Port
---------Server
---------Type
---------Username
-
-
-./Device/Vendor/MSFT
-Root
-
-
-./Vendor/MSFT
-./Device/Vendor/MSFT
-CM_ProxyEntries
-----Entry
---------ConnectionName
---------BypassLocal
---------Enable
---------Exception
---------Password
---------Port
---------Server
---------Type
---------Username
-```
-**entryname**
-Defines the name of the connection proxy.
-
-Each cellular entry can have only one proxy entry. For example, an Internet connection can have no more than one HTTP proxy specified but it might also have a WAP proxy. If two applications need access to the same APN but one application needs a proxy and the other application cannot have a proxy, two entries can be created with different names for the same APN.
-
-**ConnectionName**
-Specifies the name of the connection the proxy is associated with. This is the APN name of a connection configured using the [CM\_CellularEntries configuration service provider](cm-cellularentries-csp.md).
-
-**BypassLocal**
-Specifies if the proxy should be bypassed when local hosts are accessed by the device.
-
-A value of "0" specifies that the proxy bypass for local hosts is disabled. A value of "1" specifies that the proxy bypass for local hosts is enabled.
-
-**Enable**
-Specifies if the proxy is enabled.
-
-A value of "0" specifies that the proxy is disabled. A value of "1" specifies that the proxy is enabled.
-
-**Exception**
-Specifies a list of external hosts which should bypass the proxy when accessed.
-
-The exception list is a semi-colon delimited list of host names. For example, to bypass the proxy when either MSN or Yahoo is accessed, the value for the Exception list would be "www.msn.com;www.yahoo.com".
-
-**Password**
-Specifies the password used to connect to the proxy.
-
-Passwords are only required for WAP and SOCKS proxies and are not used for HTTP proxies. Queries of this parameter return a string composed of asterisks (\*).
-
-When setting the password, passing in the same string causes the new password to be ignored and does not change the existing password.
-
-**Port**
-Specifies the port number of the proxy server.
-
-**Server**
-Specifies the name of the proxy server.
-
-**Type**
-Specifies the type of proxy connection for this entry.
-
-The following list enumerates the values allowed for the Type parameter.
-
-- "0" = Null proxy
-
-- "1" = HTTP proxy
-
-- "2" = WAP proxy
-
-- "4" = SOCKS4 proxy
-
-- "5" = SOCKS5 proxy
-
-The Null proxy can be used to allow Connection Manager to treat one network as a super set of another network by creating a null proxy from one network to the other.
-
-**UserName**
-Specifies the username used to connect to the proxy.
- -## Additional information - - -To delete both a proxy and its associated connection, you must delete the proxy first, and then delete the connection. The following example shows how to delete the proxy and then the connection. - -```xml - - - - - - - - -``` - -## Microsoft Custom Elements - - -The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning. - - ---- - - - - - - - - - - - - - - - - - - - - -
                    ElementAvailable

                    parm-query

                    Yes

                    nocharacteristic

                    Yes

                    characteristic-query

                    Yes

                    -

                    Recursive query: Yes

                    -

                    Top level query: Yes

                    - - - -## Related topics - - -[Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md index 1cac56d2f6..b4008efbaf 100644 --- a/windows/client-management/mdm/cmpolicy-csp.md +++ b/windows/client-management/mdm/cmpolicy-csp.md @@ -29,7 +29,7 @@ Each policy entry identifies one or more applications in combination with a host The following shows the CMPolicy configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management. -``` +```console ./Vendor/MSFT CMPolicy ----PolicyName @@ -42,6 +42,7 @@ CMPolicy ----------------ConnectionID ----------------Type ``` + ***policyName*** Defines the name of the policy. @@ -83,154 +84,44 @@ For `CMST_CONNECTION_NAME`, specify the connection name. For example, if you hav For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. The curly brackets {} around the GUID are required. The following connection types are available: - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Connection typeGUID

                    GSM

                    {A05DC613-E393-40ad-AA89-CCCE04277CD9}

                    CDMA

                    {274AD55A-4A70-4E35-93B3-AE2D2E6727FC}

                    Legacy 3GPP

                    {6DE4C04B-B74E-47FA-99E5-8F2097C06A92}

                    LTE

                    {2378E547-8312-46A5-905E-5C581E92693B}

                    Wi-Fi

                    {8568B401-858E-4B7B-B3DF-0FD4927F131B}

                    Wi-Fi hotspot

                    {072FC7DC-1D93-40D1-9BB0-2114D7D73434}

                    +|Connection type|GUID| +|--- |--- | +|GSM|{A05DC613-E393-40ad-AA89-CCCE04277CD9}| +|CDMA|{274AD55A-4A70-4E35-93B3-AE2D2E6727FC}| +|Legacy 3GPP|{6DE4C04B-B74E-47FA-99E5-8F2097C06A92}| +|LTE|{2378E547-8312-46A5-905E-5C581E92693B}| +|Wi-Fi|{8568B401-858E-4B7B-B3DF-0FD4927F131B}| +|Wi-Fi hotspot|{072FC7DC-1D93-40D1-9BB0-2114D7D73434}| - For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available: - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Network typeGUID

                    GPRS

                    {AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}

                    1XRTT

                    {B1E700AE-A62F-49FF-9BBE-B880C995F27D}

                    EDGE

                    {C347F8EC-7095-423D-B838-7C7A7F38CD03}

                    WCDMA UMTS

                    {A72F04C6-9BE6-4151-B5EF-15A53E12C482}

                    WCDMA FOMA

                    {B8326098-F845-42F3-804E-8CC3FF7B50B4}

                    1XEVDO

                    {DD42DF39-EBDF-407C-8146-1685416401B2}

                    1XEVDV

                    {61BF1BFD-5218-4CD4-949C-241CA3F326F6}

                    HSPA HSDPA

                    {047F7282-BABD-4893-AA77-B8B312657F8C}

                    HSPA HSUPA

                    {1536A1C6-A4AF-423C-8884-6BDDA3656F84}

                    LTE

                    {B41CBF43-6994-46FF-9C2F-D6CA6D45889B}

                    EHRPD

                    {7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}

                    Ethernet 10 Mbps

                    {97D3D1B3-854A-4C32-BD1C-C13069078370}

                    Ethernet 100 Mbps

                    {A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}

                    Ethernet Gbps

                    {556C1E6B-B8D4-448E-836D-9451BA4CCE75}

                    - +|Network type|GUID| +|--- |--- | +|GPRS|{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}| +|1XRTT|{B1E700AE-A62F-49FF-9BBE-B880C995F27D}| +|EDGE|{C347F8EC-7095-423D-B838-7C7A7F38CD03}| +|WCDMA UMTS|{A72F04C6-9BE6-4151-B5EF-15A53E12C482}| +|WCDMA FOMA|{B8326098-F845-42F3-804E-8CC3FF7B50B4}| +|1XEVDO|{DD42DF39-EBDF-407C-8146-1685416401B2}| +|1XEVDV|{61BF1BFD-5218-4CD4-949C-241CA3F326F6}| +|HSPA HSDPA|{047F7282-BABD-4893-AA77-B8B312657F8C}| +|HSPA HSUPA|{1536A1C6-A4AF-423C-8884-6BDDA3656F84}| +|LTE|{B41CBF43-6994-46FF-9C2F-D6CA6D45889B}| +|EHRPD|{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}| +|Ethernet 10 Mbps|{97D3D1B3-854A-4C32-BD1C-C13069078370}| +|Ethernet 100 Mbps|{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}| +|Ethernet Gbps|{556C1E6B-B8D4-448E-836D-9451BA4CCE75}| For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. The curly brackets {} around the GUID are required. The following device types are available: - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
                    Device typeGUID

                    Cellular device

                    {F9A53167-4016-4198-9B41-86D9522DC019}

                    Ethernet

                    {97844272-00C7-4572-B20A-D8D861C095F2}

                    Bluetooth

                    {1D793123-701A-4fd0-B6AE-9C3C57E99C2C}

                    Virtual

                    {EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}

                    +|Device type|GUID| +|--- |--- | +|Cellular device|{F9A53167-4016-4198-9B41-86D9522DC019}| +|Ethernet|{97844272-00C7-4572-B20A-D8D861C095F2}| +|Bluetooth|{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}| +|Virtual|{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}| @@ -479,36 +370,11 @@ Adding a host-based mapping policy: ## Microsoft Custom Elements - ---- - - - - - - - - - - - - - - - - - - - - -
                    ElementAvailable

                    parm-query

                    Yes

                    uncharacteristic

                    Yes

                    characteristic-query

                    Yes

                    -

                    Recursive query: Yes

                    -

                    Top-level query: Yes

                    - - +|Element|Available| +|--- |--- | +|parm-query|Yes| +|uncharacteristic|Yes| +|characteristic-query|Yes

                    Recursive query: Yes

                    Top-level query: Yes| ## Related topics diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index 3a5cc913a6..38f3483fda 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-csp.md +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md @@ -29,7 +29,8 @@ Each policy entry identifies one or more applications in combination with a host **Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN. The following shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management. -``` + +```console ./Vendor/MSFT CMPolicy ----PolicyName @@ -83,156 +84,44 @@ For `CMST_CONNECTION_NAME`, specify the connection name. For example, if you hav For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. The curly brackets {} around the GUID are required. The following connection types are available: - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Connection typeGUID

                    GSM

                    {A05DC613-E393-40ad-AA89-CCCE04277CD9}

                    CDMA

                    {274AD55A-4A70-4E35-93B3-AE2D2E6727FC}

                    Legacy 3GPP

                    {6DE4C04B-B74E-47FA-99E5-8F2097C06A92}

                    LTE

                    {2378E547-8312-46A5-905E-5C581E92693B}

                    Wi-Fi

                    {8568B401-858E-4B7B-B3DF-0FD4927F131B}

                    Wi-Fi hotspot

                    {072FC7DC-1D93-40D1-9BB0-2114D7D73434}

                    +|Connection type|GUID| +|--- |--- | +|GSM|{A05DC613-E393-40ad-AA89-CCCE04277CD9}| +|CDMA|{274AD55A-4A70-4E35-93B3-AE2D2E6727FC}| +|Legacy 3GPP|{6DE4C04B-B74E-47FA-99E5-8F2097C06A92}| +|LTE|{2378E547-8312-46A5-905E-5C581E92693B}| +|Wi-Fi|{8568B401-858E-4B7B-B3DF-0FD4927F131B}| +|Wi-Fi hotspot|{072FC7DC-1D93-40D1-9BB0-2114D7D73434}| For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available: - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Network typeGUID

                    GPRS

                    {AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}

                    1XRTT

                    {B1E700AE-A62F-49FF-9BBE-B880C995F27D}

                    EDGE

                    {C347F8EC-7095-423D-B838-7C7A7F38CD03}

                    WCDMA UMTS

                    {A72F04C6-9BE6-4151-B5EF-15A53E12C482}

                    WCDMA FOMA

                    {B8326098-F845-42F3-804E-8CC3FF7B50B4}

                    1XEVDO

                    {DD42DF39-EBDF-407C-8146-1685416401B2}

                    1XEVDV

                    {61BF1BFD-5218-4CD4-949C-241CA3F326F6}

                    HSPA HSDPA

                    {047F7282-BABD-4893-AA77-B8B312657F8C}

                    HSPA HSUPA

                    {1536A1C6-A4AF-423C-8884-6BDDA3656F84}

                    LTE

                    {B41CBF43-6994-46FF-9C2F-D6CA6D45889B}

                    EHRPD

                    {7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}

                    Ethernet 10Mbps

                    {97D3D1B3-854A-4C32-BD1C-C13069078370}

                    Ethernet 100Mbps

                    {A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}

                    Ethernet Gbps

                    {556C1E6B-B8D4-448E-836D-9451BA4CCE75}

                    - - +|Network type|GUID| +|--- |--- | +|GPRS|{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}| +|1XRTT|{B1E700AE-A62F-49FF-9BBE-B880C995F27D}| +|EDGE|{C347F8EC-7095-423D-B838-7C7A7F38CD03}| +|WCDMA UMTS|{A72F04C6-9BE6-4151-B5EF-15A53E12C482}| +|WCDMA FOMA|{B8326098-F845-42F3-804E-8CC3FF7B50B4}| +|1XEVDO|{DD42DF39-EBDF-407C-8146-1685416401B2}| +|1XEVDV|{61BF1BFD-5218-4CD4-949C-241CA3F326F6}| +|HSPA HSDPA|{047F7282-BABD-4893-AA77-B8B312657F8C}| +|HSPA HSUPA|{1536A1C6-A4AF-423C-8884-6BDDA3656F84}| +|LTE|{B41CBF43-6994-46FF-9C2F-D6CA6D45889B}| +|EHRPD|{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}| +|Ethernet 10Mbps|{97D3D1B3-854A-4C32-BD1C-C13069078370}| +|Ethernet 100Mbps|{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}| +|Ethernet Gbps|{556C1E6B-B8D4-448E-836D-9451BA4CCE75}| For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. The curly brackets {} around the GUID are required. The following device types are available: - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
                    Device typeGUID

                    Cellular device

                    {F9A53167-4016-4198-9B41-86D9522DC019}

                    Ethernet

                    {97844272-00C7-4572-B20A-D8D861C095F2}

                    Bluetooth

                    {1D793123-701A-4fd0-B6AE-9C3C57E99C2C}

                    Virtual

                    {EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}

                    - - +|Device type|GUID| +|--- |--- | +|Cellular device|{F9A53167-4016-4198-9B41-86D9522DC019}| +|Ethernet|{97844272-00C7-4572-B20A-D8D861C095F2}| +|Bluetooth|{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}| +|Virtual|{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}| **Type** Specifies the type of connection being referenced. The following list describes the available connection types: @@ -479,36 +368,11 @@ Adding a host-based mapping policy: ## Microsoft Custom Elements - ---- - - - - - - - - - - - - - - - - - - - - -
                    ElementAvailable

                    parm-query

                    Yes

                    nocharacteristic

                    Yes

                    characteristic-query

                    Yes

                    -

                    Recursive query: Yes

                    -

                    Top level query: Yes

                    - - +|Element|Available| +|--- |--- | +|parm-query|Yes| +|nocharacteristic|Yes| +|characteristic-query|Yes

                    Recursive query: Yes

                    Top level query: Yes| ## Related topics diff --git a/windows/client-management/mdm/config-lock.md b/windows/client-management/mdm/config-lock.md new file mode 100644 index 0000000000..f1bee95c6a --- /dev/null +++ b/windows/client-management/mdm/config-lock.md 
@@ -0,0 +1,133 @@
+---
+title: Secured-Core Configuration Lock
+description: A Secured-Core PC (SCPC) feature that prevents configuration drift from Secured-Core PC features (shown below) caused by unintentional misconfiguration.
+manager: dansimp
+keywords: mdm,management,administrator,config lock
+ms.author: v-lsaldanha
+ms.topic: article
+ms.prod: w11
+ms.technology: windows
+author: lovina-saldanha
+ms.date: 10/07/2021
+---
+
+# Secured-Core PC Configuration Lock
+
+**Applies to**
+
+- Windows 11
+
+In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with Config Lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
+
+Secured-Core Configuration Lock (Config Lock) is a new [Secured-Core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from Secured-Core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a Secured-Core PC remains a Secured-Core PC.
+
+To summarize, Config Lock:
+
+- Enables IT to “lock” Secured-Core PC features when managed through MDM
+- Detects drift remediates within seconds
+- DOES NOT prevent malicious attacks
+
+## Configuration Flow
+
+After a Secured-Core PC reaches the desktop, Config Lock will prevent configuration drift by detecting if the device is a Secured-Core PC or not.
When the device isn't a Secured-Core PC, the lock won't apply. If the device is a Secured-Core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
+
+## System Requirements
+
+Config Lock will be available for all Windows Professional and Enterprise Editions running on [Secured-Core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).
+
+## Enabling Config Lock using Microsoft Intune
+
+Config Lock isn't enabled by default (or turned on by the OS during boot). Rather, an IT Admin must intentionally turn it on.
+
+The steps to turn on Config Lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows:
+
+1. Ensure that the device to turn on Config Lock is enrolled in Microsoft Intune.
+1. From the Microsoft Intune portal main page, select **Devices** > **Configuration Profiles** > **Create a profile**.
+1. Select the following and press **Create**:
+ - **Platform**: Windows 10 and later
+ - **Profile type**: Templates
+ - **Template name**: Custom
+
+ :::image type="content" source="images/configlock-mem-createprofile.png" alt-text="create profile":::
+
+1. Name your profile.
+1. When you reach the Configuration Settings step, select “Add” and add the following information:
+ - **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
+ - **Data type**: Integer
+ - **Value**: 1
+ To turn off Config Lock. Change value to 0.
+
+ :::image type="content" source="images/configlock-mem-editrow.png" alt-text="edit row":::
+
+1. Select the devices to turn on Config Lock. If you're using a test tenant, you can select “+ Add all devices”.
+1. You'll not need to set any applicability rules for test purposes.
+1. Review the Configuration and select “Create” if everything is correct.
+1. After the device syncs with the Microsoft Intune server, you can confirm if the Config Lock was successfully enabled.
+
+ :::image type="content" source="images/configlock-mem-dev.png" alt-text="status":::
+
+ :::image type="content" source="images/configlock-mem-devstatus.png" alt-text="device status":::
+
+## Disabling
+
+Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enabled/disable) SCPC features via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune.
+
+:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="firmware protect":::
+
+## FAQ
+
+**Can an IT admins disable Config Lock ?**
+ Yes. IT admins can use MDM to turn off Config Lock.
+
+### List of locked policies
+
+|**CSPs** |
+|-----|
+|[BitLocker ](bitlocker-csp.md) |
+|[PassportForWork](passportforwork-csp.md) |
+|[WindowsDefenderApplicationGuard](windowsdefenderapplicationguard-csp.md) |
+|[ApplicationControl](applicationcontrol-csp.md)
+
+
+|**MDM policies** |
+|-----|
+|[DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md) |
+|[DataProtection/LegacySelectiveWipeID](policy-csp-dataprotection.md) |
+|[DeviceGuard/ConfigureSystemGuardLaunch](policy-csp-deviceguard.md) |
+|[DeviceGuard/EnableVirtualizationBasedSecurity](policy-csp-deviceguard.md) |
+|[DeviceGuard/LsaCfgFlags](policy-csp-deviceguard.md) |
+|[DeviceGuard/RequirePlatformSecurityFeatures](policy-csp-deviceguard.md) |
+|[DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) |
+|[DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) |
+|[DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) |
+|[DeviceInstallation/PreventDeviceMetadataFromNetwork](policy-csp-deviceinstallation.md) |
+|[DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](policy-csp-deviceinstallation.md) |
+|[DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) |
+|[DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) |
+|[DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) |
+|[DmaGuard/DeviceEnumerationPolicy](policy-csp-dmaguard.md) |
+|[WindowsDefenderSecurityCenter/CompanyName](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableNotifications](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md)|
+|[WindowsDefenderSecurityCenter/DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/Email](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/Phone](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/URL](policy-csp-windowsdefendersecuritycenter.md) |
+|[SmartScreen/EnableAppInstallControl](policy-csp-smartscreen.md)| +|[SmartScreen/EnableSmartScreenInShell](policy-csp-smartscreen.md) | +|[SmartScreen/PreventOverrideForFilesInShell](policy-csp-smartscreen.md) | diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index d4793c91e6..8c85cf952f 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -33,24 +33,10 @@ Additional lists: [AccountManagement CSP](accountmanagement-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|No| @@ -59,24 +45,10 @@ Additional lists: [Accounts CSP](accounts-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck mark4check mark4check mark4check mark4cross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|No| @@ -85,24 +57,10 @@ Additional lists: [ActiveSync CSP](activesync-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -111,24 +69,10 @@ Additional lists: [AllJoynManagement CSP](alljoynmanagement-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|No| @@ -137,24 +81,10 @@ Additional lists: [APPLICATION CSP](application-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -163,24 +93,10 @@ Additional lists: [ApplicationControl CSP](applicationcontrol-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check mark6check mark6check mark6check mark6check mark6check mark6
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -189,24 +105,10 @@ Additional lists: [AppLocker CSP](applocker-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -215,24 +117,10 @@ Additional lists: [AssignedAccess CSP](assignedaccess-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck mark3check markcheck markcheck markcross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|No| @@ -241,24 +129,10 @@ Additional lists: [BOOTSTRAP CSP](bootstrap-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -267,24 +141,10 @@ Additional lists: [BitLocker CSP](bitlocker-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck mark5check mark2check mark2check mark2check mark2
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|Yes| @@ -293,24 +153,10 @@ Additional lists: [BrowserFavorite CSP](browserfavorite-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|No| @@ -319,24 +165,10 @@ Additional lists: [CMPolicy CSP](cmpolicy-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check mark3check mark3check mark3check mark3check mark3check mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -345,25 +177,10 @@ Additional lists: [CMPolicyEnterprise CSP](cmpolicyenterprise-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcheck mark1
                    +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|Yes| @@ -372,24 +189,10 @@ Additional lists: [CM_CellularEntries CSP](cm-cellularentries-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check mark2check mark2check mark2check mark2check mark2check mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -398,24 +201,10 @@ Additional lists: [CM_ProxyEntries CSP](cm-proxyentries-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check mark3check mark3check mark3check mark3check mark3check mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -424,24 +213,10 @@ Additional lists: [CellularSettings CSP](cellularsettings-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check mark2check mark2check mark2check mark2check mark2check mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -450,24 +225,10 @@ Additional lists: [CertificateStore CSP](certificatestore-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -476,24 +237,10 @@ Additional lists: [CleanPC CSP](cleanpc-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcheck mark2check mark2check mark2cross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|Yes|Yes|Yes|No| @@ -502,24 +249,10 @@ Additional lists: [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -528,24 +261,10 @@ Additional lists: [CustomDeviceUI CSP](customdeviceui-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|No| @@ -554,24 +273,10 @@ Additional lists: [DMAcc CSP](dmacc-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -580,24 +285,10 @@ Additional lists: [DMClient CSP](dmclient-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -606,24 +297,10 @@ Additional lists: [Defender CSP](defender-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|No| @@ -632,24 +309,10 @@ Additional lists: [DevDetail CSP](devdetail-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -658,24 +321,10 @@ Additional lists: [DevInfo CSP](devinfo-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -684,24 +333,10 @@ Additional lists: [DeveloperSetup CSP](developersetup-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|No| @@ -710,24 +345,10 @@ Additional lists: [DeviceInstanceService CSP](deviceinstanceservice-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|Yes| @@ -736,24 +357,10 @@ Additional lists: [DeviceLock CSP](devicelock-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|Yes| @@ -762,24 +369,10 @@ Additional lists: [DeviceManageability CSP](devicemanageability-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -788,25 +381,10 @@ Additional lists: [DeviceStatus CSP](devicestatus-csp.md) - - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -815,24 +393,10 @@ Additional lists: [DiagnosticLog CSP](diagnosticlog-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -841,25 +405,10 @@ Additional lists: [DynamicManagement CSP](dynamicmanagement-csp.md) - - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcheck mark2check mark2check mark3
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|Yes|Yes|Yes| @@ -868,24 +417,10 @@ Additional lists: [EMAIL2 CSP](email2-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -894,24 +429,10 @@ Additional lists: [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check mark6check mark6check mark6check mark6check mark6cross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|No| @@ -920,24 +441,10 @@ Additional lists: [EnterpriseAPN CSP](enterpriseapn-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check mark2check mark2check mark2check mark2check mark2check mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -946,24 +453,10 @@ Additional lists: [EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|Yes| @@ -972,24 +465,10 @@ Additional lists: [EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcheck mark2check mark2cross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|Yes|Yes|No| @@ -998,24 +477,10 @@ Additional lists: [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|Yes| @@ -1024,25 +489,10 @@ Additional lists: [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check mark -Only for mobile application management (MAM)check markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes
                    [Only for mobile application management (MAM)](/windows/client-management/mdm/implement-server-side-mobile-application-management#integration-with-windows-information-protection)|Yes|Yes|Yes|Yes|Yes| @@ -1051,24 +501,10 @@ Additional lists: [EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck markcheck markcheck markcheck markcross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|No| @@ -1077,24 +513,10 @@ Additional lists: [EnterpriseExt CSP](enterpriseext-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|Yes| @@ -1103,24 +525,10 @@ Additional lists: [EnterpriseExtFileSystem CSP](enterpriseextfilessystem-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|Yes| @@ -1129,24 +537,10 @@ Additional lists: [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -1155,24 +549,10 @@ Additional lists: [eUICCs CSP](euiccs-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck mark3check mark3check mark3check mark3check mark3
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|Yes| @@ -1181,24 +561,10 @@ Additional lists: [FileSystem CSP](filesystem-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcheck markB
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|Yes| @@ -1207,24 +573,10 @@ Additional lists: [Firewall CSP](firewall-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck mark3check mark3check mark3check mark3cross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|No| @@ -1233,24 +585,10 @@ Additional lists: [HealthAttestation CSP](healthattestation-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -1259,24 +597,10 @@ Additional lists: [HotSpot CSP](hotspot-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|Yes| @@ -1285,26 +609,10 @@ Additional lists: [LanguagePackManagement CSP](language-pack-management-csp.md) - - - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                    check markcheck markcross markcheck markcheck markcross markcross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile|Mobile Enterprise| +|--- |--- |--- |--- |--- |--- |--- | +|Yes|Yes|No|Yes|Yes|No|No| @@ -1312,24 +620,10 @@ Additional lists: [Maps CSP](maps-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|Yes| @@ -1338,24 +632,10 @@ Additional lists: [Messaging CSP](messaging-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcheck mark2
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|Yes| @@ -1364,24 +644,10 @@ Additional lists: [MultiSIM CSP](multisim-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check mark4check mark4check mark4check mark4check mark4check mark4
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -1390,24 +656,10 @@ Additional lists: [NAP CSP](nap-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|Yes| @@ -1416,24 +668,10 @@ Additional lists: [NAPDEF CSP](napdef-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|Yes| @@ -1442,24 +680,10 @@ Additional lists: [NetworkProxy CSP](networkproxy-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck mark2check mark2check mark2check mark2check mark2
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|Yes| @@ -1468,24 +692,10 @@ Additional lists: [NetworkQoSPolicy CSP](networkqospolicy-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -1494,24 +704,10 @@ Additional lists: [NodeCache CSP](nodecache-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -1520,24 +716,10 @@ Additional lists: [Office CSP](office-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck mark2check mark2check mark2check mark2cross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|No| @@ -1546,24 +728,10 @@ Additional lists: [PROXY CSP](proxy-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -1572,24 +740,10 @@ Additional lists: [PXLOGICAL CSP](pxlogical-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|Yes| @@ -1598,24 +752,10 @@ Additional lists: [PassportForWork CSP](passportforwork-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -1624,24 +764,10 @@ Additional lists: [Personalization CSP](personalization-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcheck mark2check mark2cross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|Yes|Yes|No| @@ -1650,24 +776,10 @@ Additional lists: [Policy CSP](policy-configuration-service-provider.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -1676,24 +788,10 @@ Additional lists: [PolicyManager CSP](policymanager-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|Yes| @@ -1702,24 +800,10 @@ Additional lists: [Provisioning CSP](provisioning-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markBcheck markBcheck markBcheck markBcheck markBcheck markB
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -1728,24 +812,10 @@ Additional lists: [Reboot CSP](reboot-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|Yes| @@ -1754,24 +824,10 @@ Additional lists: [Registry CSP](registry-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|Yes| @@ -1780,24 +836,10 @@ Additional lists: [RemoteFind CSP](remotefind-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|Yes| @@ -1806,24 +848,10 @@ Additional lists: [RemoteLock](remotelock-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|Yes| @@ -1832,24 +860,10 @@ Additional lists: [RemoteRing CSP](remotering-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|Yes| @@ -1858,24 +872,10 @@ Additional lists: [RemoteWipe CSP](remotewipe-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -1884,24 +884,10 @@ Additional lists: [Reporting CSP](reporting-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -1910,24 +896,10 @@ Additional lists: [RootCATrustedCertificates CSP](rootcacertificates-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -1936,24 +908,10 @@ Additional lists: [SUPL CSP](supl-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|Yes| @@ -1962,24 +920,10 @@ Additional lists: [SecureAssessment CSP](secureassessment-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck mark1check mark1check mark1check mark1cross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|No| @@ -1988,24 +932,10 @@ Additional lists: [SecurityPolicy CSP](securitypolicy-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -2014,24 +944,10 @@ Additional lists: [SharedPC CSP](sharedpc-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck mark1check mark1check mark1check mark1cross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|No| @@ -2040,24 +956,10 @@ Additional lists: [Storage CSP](storage-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|Yes| @@ -2066,25 +968,10 @@ Additional lists: [SurfaceHub](surfacehub-csp.md) - - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +||||||| @@ -2093,24 +980,10 @@ Additional lists: [TenantLockdown CSP](tenantlockdown-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck mark5check mark5check mark5check mark5cross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|No| @@ -2119,24 +992,10 @@ Additional lists: [TPMPolicy CSP](tpmpolicy-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|Yes| @@ -2145,24 +1004,10 @@ Additional lists: [UEFI CSP](uefi-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck markcheck mark4check mark4check mark4cross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|No| @@ -2171,24 +1016,10 @@ Additional lists: [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcheck markcheck markcheck markcross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|Yes|Yes|Yes|No| @@ -2197,24 +1028,10 @@ Additional lists: [Update CSP](update-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -2223,24 +1040,10 @@ Additional lists: [VPN CSP](vpn-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|Yes| @@ -2249,24 +1052,10 @@ Additional lists: [VPNv2 CSP](vpnv2-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -2275,25 +1064,10 @@ Additional lists: [W4 APPLICATION CSP](w4-application-csp.md) - - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +||||||Yes| @@ -2302,24 +1076,10 @@ Additional lists: [WiFi CSP](wifi-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -2328,24 +1088,10 @@ Additional lists: [Win32AppInventory CSP](win32appinventory-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck mark1check mark1check mark1check mark1cross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|No| @@ -2354,24 +1100,10 @@ Additional lists: [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck mark5check mark5check mark5check mark5cross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|No| @@ -2380,24 +1112,10 @@ Additional lists: [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck mark1check mark1check mark1check mark1cross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|No| @@ -2406,24 +1124,10 @@ Additional lists: [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) - - - - - - - - - - - - - - - - > - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck mark3check mark3check mark3check mark3cross mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|No| @@ -2433,24 +1137,10 @@ Additional lists: [WindowsLicensing CSP](windowslicensing-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check markcheck markcheck markcheck markcheck markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes|Yes| @@ -2459,24 +1149,10 @@ Additional lists: [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcross markcross markcross markcross markcheck mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|No|No|No|No|Yes| @@ -2485,24 +1161,10 @@ Additional lists: [WiredNetwork CSP](wirednetwork-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    cross markcheck mark5check mark5check mark5check mark5check mark5
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +|No|Yes|Yes|Yes|Yes|Yes| @@ -2511,24 +1173,10 @@ Additional lists: [w7 APPLICATION CSP](w7-application-csp.md) - - - - - - - - - - - - - - - - - -
                    HomeProBusinessEnterpriseEducationMobile
                    check mark
                    + +|Home|Pro|Business|Enterprise|Education|Mobile| +|--- |--- |--- |--- |--- |--- | +||||||Yes| 
@@ -2555,41 +1203,41 @@ The following list shows the CSPs supported in HoloLens devices: | Configuration service provider | HoloLens (1st gen) Development Edition | HoloLens (1st gen) Commercial Suite | HoloLens 2 | |------|--------|--------|--------| -| [AccountManagement CSP](accountmanagement-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) -| [Accounts CSP](accounts-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [ApplicationControl CSP](applicationcontrol-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | -| [AppLocker CSP](applocker-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![cross mark](images/crossmark.png) | -| [AssignedAccess CSP](assignedaccess-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | -| [CertificateStore CSP](certificatestore-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png)| ![check mark](images/checkmark.png) | -| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DevDetail CSP](devdetail-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DeveloperSetup CSP](developersetup-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 2 (runtime provisioning via provisioning packages only; no MDM support)| ![check mark](images/checkmark.png) | -| [DeviceManageability CSP](devicemanageability-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | -| [DeviceStatus 
CSP](devicestatus-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DevInfo CSP](devinfo-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DiagnosticLog CSP](diagnosticlog-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DMAcc CSP](dmacc-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DMClient CSP](dmclient-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | -| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [NetworkProxy CSP](networkproxy-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | -| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 8| -| [NodeCache CSP](nodecache-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -[PassportForWork CSP](passportforwork-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [Policy CSP](policy-configuration-service-provider.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [RemoteFind CSP](remotefind-csp.md) | 
![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | -| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | -| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | -| [Update CSP](update-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [VPNv2 CSP](vpnv2-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [WiFi CSP](wifi-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [WindowsLicensing CSP](windowslicensing-csp.md) | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![cross mark](images/crossmark.png) | +| [AccountManagement CSP](accountmanagement-csp.md) | No | Yes | Yes +| [Accounts CSP](accounts-csp.md) | Yes | Yes | Yes | +| [ApplicationControl CSP](applicationcontrol-csp.md) | No | No | Yes | +| [AppLocker CSP](applocker-csp.md) | No | Yes | No | +| [AssignedAccess CSP](assignedaccess-csp.md) | No | Yes | Yes | +| [CertificateStore CSP](certificatestore-csp.md) | Yes | Yes| Yes | +| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | No | Yes | Yes | +| [DevDetail CSP](devdetail-csp.md) | Yes | Yes | Yes | +| [DeveloperSetup CSP](developersetup-csp.md) | No | Yes (runtime provisioning via provisioning packages only; no MDM support)| Yes | +| [DeviceManageability 
CSP](devicemanageability-csp.md) | No | No | Yes | +| [DeviceStatus CSP](devicestatus-csp.md) | No | Yes | Yes | +| [DevInfo CSP](devinfo-csp.md) | Yes | Yes | Yes | +| [DiagnosticLog CSP](diagnosticlog-csp.md) | No | Yes | Yes | +| [DMAcc CSP](dmacc-csp.md) | Yes | Yes | Yes | +| [DMClient CSP](dmclient-csp.md) | Yes | Yes | Yes | +| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | No | No | Yes | +| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | No | Yes | Yes | +| [NetworkProxy CSP](networkproxy-csp.md) | No | No | Yes | +| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) | No | No | Yes | +| [NodeCache CSP](nodecache-csp.md) | Yes | Yes | Yes | +[PassportForWork CSP](passportforwork-csp.md) | No | Yes | Yes | +| [Policy CSP](policy-configuration-service-provider.md) | No | Yes | Yes | +| [RemoteFind CSP](remotefind-csp.md) | No | Yes | Yes | +| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) | No | Yes | Yes | +| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | No | Yes | Yes | +| [TenantLockdown CSP](tenantlockdown-csp.md) | No | No | Yes | +| [Update CSP](update-csp.md) | No | Yes | Yes | +| [VPNv2 CSP](vpnv2-csp.md) | No | Yes | Yes | +| [WiFi CSP](wifi-csp.md) | No | Yes | Yes | +| [WindowsLicensing CSP](windowslicensing-csp.md) | Yes | Yes | No | ## CSPs supported in Microsoft Surface Hub -- [Accounts CSP](accounts-csp.md)9 +- [Accounts CSP](accounts-csp.md) > [!NOTE] > Support in Surface Hub is limited to **Domain\ComputerName**. - [AccountManagement CSP](accountmanagement-csp.md) 
@@ -2605,21 +1253,21 @@ The following list shows the CSPs supported in HoloLens devices:
 - [DMAcc CSP](dmacc-csp.md)
 - [DMClient CSP](dmclient-csp.md)
 - [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
-- [Firewall-CSP](firewall-csp.md)9
+- [Firewall-CSP](firewall-csp.md)
 - [HealthAttestation CSP](healthattestation-csp.md)
 - [NetworkQoSPolicy CSP](networkqospolicy-csp.md)
 - [NodeCache CSP](nodecache-csp.md)
 - [PassportForWork CSP](passportforwork-csp.md)
 - [Policy CSP](policy-configuration-service-provider.md)
 - [Reboot CSP](reboot-csp.md)
-- [RemoteWipe CSP](remotewipe-csp.md)9
+- [RemoteWipe CSP](remotewipe-csp.md)
 - [Reporting CSP](reporting-csp.md)
 - [RootCATrustedCertificates CSP](rootcacertificates-csp.md)
 - [SurfaceHub CSP](surfacehub-csp.md)
 - [UEFI CSP](uefi-csp.md)
-- [Wifi-CSP](wifi-csp.md)9
+- [Wifi-CSP](wifi-csp.md)
 - [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)
-- [Wirednetwork-CSP](wirednetwork-csp.md)9
+- [Wirednetwork-CSP](wirednetwork-csp.md)
 ## CSPs supported in Windows 10 IoT Core
@@ -2640,7 +1288,7 @@ The following list shows the CSPs supported in HoloLens devices:
 - [Policy CSP](policy-configuration-service-provider.md)
 - [Provisioning CSP (Provisioning only)](provisioning-csp.md)
 - [Reboot CSP](reboot-csp.md)
-- [RemoteWipe CSP](remotewipe-csp.md)5
+- [RemoteWipe CSP](remotewipe-csp.md)
 - [RootCATrustedCertificates CSP](rootcacertificates-csp.md)
 - [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
 - [Update CSP](update-csp.md)
@@ -2649,17 +1297,3 @@ The following list shows the CSPs supported in HoloLens devices:


                    - Footnotes: -- A - Only for mobile application management (MAM). -- B - Provisioning only. -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in Windows 10, version 1809. -- 6 - Added in Windows 10, version 1903. -- 7 - Added in Windows 10, version 1909. -- 8 - Added in Windows 10, version 2004. -- 9 - Added in Windows 10 Team 2020 Update -- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) - diff --git a/windows/client-management/mdm/data-structures-windows-store-for-business.md b/windows/client-management/mdm/data-structures-windows-store-for-business.md index b1e8b42c40..b20c4ce200 100644 --- a/windows/client-management/mdm/data-structures-windows-store-for-business.md +++ b/windows/client-management/mdm/data-structures-windows-store-for-business.md @@ -6,7 +6,7 @@ MS-HAID: ms.assetid: ABE44EC8-CBE5-4775-BA8A-4564CB73531B ms.reviewer: manager: dansimp -description: +description: Learn about data structures for Microsoft Store for Business. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -17,7 +17,6 @@ ms.date: 09/18/2017 # Data structures for Microsoft Store for Business - Here's the list of data structures used in the Microsoft Store for Business REST APIs: - [AlternateIdentifier](#alternateidentifier) @@ -54,1067 +53,262 @@ Here's the list of data structures used in the Microsoft Store for Business REST Specifies the properties of the alternate identifier. - ----- - - - - - - - - - - - - - - - - - - - -
                    NameTypeDescription

                    type

                    string

                    LegacyWindowStoreProductId, LegacyWindowsPhoneProductId, RedirectToThresholdProductId

                    value

                    string

                    - - +|Name|Type|Description| +|--- |--- |--- | +|Type|String|LegacyWindowStoreProductId, LegacyWindowsPhoneProductId, RedirectToThresholdProductId| +|Value|String|| ## BulkSeatOperationResultSet - - ---- - - - - - - - - - - - - - - - - -
                    NameType

                    seatDetails

                    collection of SeatDetails

                    failedSeatOperations

                    collection of FailedSeatRequest

                    - - +|Name|Type| +|--- |--- | +|seatDetails|Collection of [SeatDetails](#seatdetails)| +|failedSeatOperations|Collection of [FailedSeatRequest](#failedseatrequest)| ## FailedSeatRequest - - ---- - - - - - - - - - - - - - - - - - - - - -
                    NameType

                    failureReason

                    string

                    productKey

                    ProductKey

                    userName

                    string

                    - - +|Name|Type| +|--- |--- | +|failureReason|String| +|productKey|[ProductKey](#productkey)| +|userName|String| ## FrameworkPackageDetails - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    NameTypeDescription

                    packageId

                    string

                    contentId

                    string

                    Identifies a specific application.

                    location

                    PackageLocation

                    packageFullName

                    string

                    packageIdentityName

                    string

                    architectures

                    collection of ProductArchitectures

                    packageFormat

                    ProductPackageFormat

                    platforms

                    collection of ProductPlatform

                    fileSize

                    integer-64

                    Size of the file.

                    packageRank

                    integer-32

                    Optional

                    - - +|Name|Type|Description| +|--- |--- |--- | +|packageId|String|| +|contentId|String|Identifies a specific application.| +|Location|[PackageLocation](#packagelocation)|| +|packageFullName|String|| +|packageIdentityName|String|| +|Architectures|Collection of [ProductArchitectures](#productarchitectures)|| +|packageFormat|[ProductPackageFormat](#productpackageformat)|| +|Platforms|Collection of [ProductPlatform](#productplatform)|| +|fileSize|integer-64|Size of the file.| +|packageRank|integer-32|Optional| ## InventoryDistributionPolicy - - ---- - - - - - - - - - - - - - - - - -
                    NameDescription

                    open

                    Open distribution policy - licenses/seats can be assigned/consumed without limit

                    restricted

                    Restricted distribution policy - licenses/seats must be assigned/consumed according to the available count

                    - - +|Name|Description| +|--- |--- | +|Open|Open distribution policy - licenses/seats can be assigned/consumed without limit| +|Restricted|Restricted distribution policy - licenses/seats must be assigned/consumed according to the available count| ## InventoryEntryDetails - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    NameTypeDescription

                    productKey

                    ProductKey

                    Identifier used on subsequent requests to get additional content including product descriptions, offline license, and download URLs.

                    seatCapacity

                    integer-64

                    Total number of seats that have been purchased for an application.

                    availableSeats

                    integer-64

                    Number of available seats remaining for an application.

                    lastModified

                    dateTime

                    Specifies the last modified date for an application. Modifications for an application includes updated product details, updates to an application, and updates to the quantity of an application.

                    licenseType

                    LicenseType

                    Indicates whether the set of seats for a given application supports online or offline licensing.

                    distributionPolicy

                    InventoryDistributionPolicy

                    status

                    InventoryStatus

                    - - +|Name|Type|Description| +|--- |--- |--- | +|productKey|[ProductKey](#productkey)|Identifier used on subsequent requests to get more content including product descriptions, offline license, and download URLs.| +|seatCapacity|integer-64|Total number of seats that have been purchased for an application.| +|availableSeats|integer-64|Number of available seats remaining for an application.| +|lastModified|dateTime|Specifies the last modified date for an application. Modifications for an application include updated product details, updates to an application, and updates to the quantity of an application.| +|licenseType|[LicenseType](#licensetype)|Indicates whether the set of seats for a given application supports online or offline licensing.| +|distributionPolicy|[InventoryDistributionPolicy](#inventorydistributionpolicy)|| +|Status|[InventoryStatus](#inventorystatus)|| ## InventoryResultSet - ----- - - - - - - - - - - - - - - - - - - - -
                    NameTypeDescription

                    continuationToken

                    string

                    Only available if there is a next page.

                    inventoryEntries

                    collection of InventoryEntryDetails

                    - +|Name|Type|Description| +|--- |--- |--- | +|continuationToken|String|Only available if there is a next page.| +|inventoryEntries|Collection of [InventoryEntryDetails](#inventoryentrydetails)|| - ## InventoryStatus - - ---- - - - - - - - - - - - - - - - - -
                    NameDescription

                    active

                    Entry is available in the organization’s inventory.

                    removed

                    Entry has been removed from the organization’s inventory.

                    - - +|Name|Description| +|--- |--- | +|Active|Entry is available in the organization’s inventory.| +|Removed|Entry has been removed from the organization’s inventory.| ## LicenseType - - ---- - - - - - - - - - - - - - - - - -
                    NameDescription

                    online

                    Online license application.

                    offline

                    Offline license application.

                    - - +|Name|Description| +|--- |--- | +|Online|Online license application.| +|Offline|Offline license application.| ## LocalizedProductDetail Specifies the properties of the localized product. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    NameTypeDescription

                    language

                    string

                    Language or fallback language if the specified language is not available.

                    displayName

                    string

                    Display name of the application.

                    description

                    string

                    App description provided by developer can be up to 10,000 characters.

                    images

                    collection of ProductImage

                    Artwork and icon associated with the application.

                    publisher

                    PublisherDetails

                    Publisher of the application.

                    - - +|Name|Type|Description| +|--- |--- |--- | +|Language|String|Language or fallback language if the specified language is not available.| +|displayName|String|Display name of the application.| +|Description|String|App description provided by developer can be up to 10,000 characters.| +|Images|Collection of [ProductImage](#productimage)|Artwork and icon associated with the application.| +|Publisher|[PublisherDetails](#publisherdetails)|Publisher of the application.| ## OfflineLicense - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    NameTypeDescription

                    productKey

                    ProductKey

                    Identifies a set of seats associated with an application.

                    licenseBlob

                    string

                    Base-64 encoded offline license that can be installed via a CSP.

                    licenseInstanceId

                    string

                    Version of the license.

                    requestorId

                    string

                    Organization requesting the license.

                    contentId

                    string

                    Identifies the specific license required by an application.

                    - - +|Name|Type|Description| +|--- |--- |--- | +|productKey|[ProductKey](#productkey)|Identifies a set of seats associated with an application.| +|licenseBlob|String|Base-64 encoded offline license that can be installed via a CSP.| +|licenseInstanceId|String|Version of the license.| +|requestorId|String|Organization requesting the license.| +|contentId|String|Identifies the specific license required by an application.| ## PackageContentInfo - ---- - - - - - - - - - - - - - - - - -
                    NameType

                    productPlatforms

                    collection of ProductPlatform

                    packageFormat

                    string

                    - - +|Name|Type| +|--- |--- | +|productPlatforms|Collection of ProductPlatform| +|packageFormat|String| ## PackageLocation - ----- - - - - - - - - - - - - - - -
                    NameTypeDescription

                    url

                    URI

                    CDN location of the packages. URL expiration is based on the estimated time to download the package.

                    +|Name|Type|Description| +|--- |--- |--- | +|Url|URI|CDN location of the packages. URL expiration is based on the estimated time to download the package.| - ## ProductArchitectures - - --- - - - - - - - - - - - - - - - - - - - -
                    Name

                    neutral

                    arm

                    x86

                    x64

                    - - +|Name| +|--- | +|Neutral| +|Arm| +|x86| +|x64| ## ProductDetails +|Name|Type|Description| +|--- |--- |--- | +|productKey|[ProductKey](#productkey)|Identifier used on subsequent requests to get more content including product descriptions, offline license, and download URLs.| +|productType|String|Type of product.| +|supportedLanguages|Collection of string|The set of localized languages for an application.| +|publisherId|String|Publisher identifier.| +|Category|String|Application category.| +|alternateIds|Collection of [AlternateIdentifier](#alternateidentifier)|The identifiers that can be used to instantiate the installation of on online application.| +|packageFamilyName|String|| +|supportedPlatforms|Collection of [ProductPlatform](#productplatform)|| - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    NameTypeDescription

                    productKey

                    ProductKey

                    Identifier used on subsequent requests to get additional content including product descriptions, offline license, and download URLs.

                    productType

                    string

                    Type of product.

                    supportedLanguages

                    collection of string

                    The set of localized languages for an application.

                    publisherId

                    string

                    Publisher identifier.

                    category

                    string

                    Application category.

                    alternateIds

                    collection of AlternateIdentifier

                    The identifiers that can be used to instantiate the installation of on online application.

                    packageFamilyName

                    string

                    supportedPlatforms

                    collection of ProductPlatform

                    - - ## ProductImage - Specifies the properties of the product image. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    NameTypeDescription

                    location

                    URI

                    Location of the download image.

                    purpose

                    string

                    Tag for the purpose of the image, e.g. "screenshot" or "logo".

                    height

                    string

                    Height of the image in pixels.

                    width

                    string

                    Width of the image in pixels.

                    caption

                    string

                    Unlimited length.

                    backgroundColor

                    string

                    Format "#RRGGBB"

                    foregroundColor

                    string

                    Format "#RRGGBB"

                    fileSize

                    integer-64

                    Size of the file.

                    - - +|Name|Type|Description| +|--- |--- |--- | +|Location|URI|Location of the download image.| +|Purpose|String|Tag for the purpose of the image, for example "screenshot" or "logo".| +|Height|String|Height of the image in pixels.| +|Width|String|Width of the image in pixels.| +|Caption|String|Unlimited length.| +|backgroundColor|String|Format "#RRGGBB"| +|foregroundColor|String|Format "#RRGGBB"| +|fileSize|integer-64|Size of the file.| ## ProductKey - Specifies the properties of the product key. - ----- - - - - - - - - - - - - - - - - - - - -
                    NameTypeDescription

                    productId

                    string

                    Product identifier for an application that is used by the Store for Business.

                    skuId

                    string

                    Product identifier that specifies a specific SKU of an application.

                    - - +|Name|Type|Description| +|--- |--- |--- | +|productId|String|Product identifier for an application that is used by the Store for Business.| +|skuId|String|Product identifier that specifies a specific SKU of an application.| ## ProductPackageDetails - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    NameTypeDescription

                    frameworkDependencyPackages

                    collection of FrameworkPackageDetails

                    packageId

                    string

                    contentId

                    string

                    Identifies a specific application.

                    location

                    PackageLocation

                    packageFullName

                    string

                    example, Microsoft.BingTranslator_1.1.10917.2059_x86__8wekyb3d8bbwe

                    packageIdentityName

                    string

                    example, Microsoft.BingTranslator

                    architectures

                    collection of ProductArchitectures

                    Values {x86, x64, arm, neutral}

                    packageFormat

                    ProductPackageFormat

                    Extension of the package file.

                    platforms

                    collection of ProductPlatform

                    fileSize

                    integer-64

                    Size of the file.

                    packageRank

                    integer-32

                    Optional

                    - - +|Name|Type|Description| +|--- |--- |--- | +|frameworkDependencyPackages|Collection of [FrameworkPackageDetails](#frameworkpackagedetails)|| +|packageId|String|| +|contentId|String|Identifies a specific application.| +|Location|[PackageLocation](#packagelocation)|| +|packageFullName|String|Example, Microsoft.BingTranslator_1.1.10917.2059_x86__8wekyb3d8bbwe| +|packageIdentityName|String|Example, Microsoft.BingTranslator| +|Architectures|Collection of [ProductArchitectures](#productarchitectures)|Values {x86, x64, arm, neutral}| +|packageFormat|[ProductPackageFormat](#productpackageformat)|Extension of the package file.| +|Platforms|Collection of [ProductPlatform](#productplatform)|| +|fileSize|integer-64|Size of the file.| +|packageRank|integer-32|Optional| ## ProductPackageFormat - - --- - - - - - - - - - - - - - - - - -
                    Name

                    appx

                    appxBundle

                    xap

                    - - +|Name| +|--- | +|Appx| +|appxBundle| +|Xap| ## ProductPackageSet - - ----- - - - - - - - - - - - - - - - - - - - -
                    NameTypeDescription

                    packageSetId

                    string

                    An identifier for the particular combination of application packages.

                    productPackages

                    collection of ProductPackageDetails

                    A collection of application packages.

                    - - +|Name|Type|Description| +|--- |--- |--- | +|packageSetId|String|An identifier for the particular combination of application packages.| +|productPackages|Collection of [ProductPackageDetails](#productpackagedetails)|A collection of application packages.| ## ProductPlatform - - ---- - - - - - - - - - - - - - - - - - - - - -
                    NameType

                    platformName

                    string

                    minVersion

                    VersionInfo

                    maxTestedVersion

                    VersionInfo

                    - - +|Name|Type| +|--- |--- | +|platformName|String| +|minVersion|[VersionInfo](#versioninfo)| +|maxTestedVersion|[VersionInfo](#versioninfo)| ## PublisherDetails - Specifies the properties of the publisher details. - ----- - - - - - - - - - - - - - - - - - - - -
                    NameTypeDescription

                    publisherName

                    string

                    Name of the publisher.

                    publisherWebsite

                    string

                    Website of the publisher.

                    - - +|Name|Type|Description| +|--- |--- |--- | +|publisherName|String|Name of the publisher.| +|publisherWebsite|String|Website of the publisher.| ## SeatAction - --- - - - - - - - - - - - - - -
                    Name

                    assign

                    reclaim

                    - - +|Name| +|--- | +|Assign| +|Reclaim| ## SeatDetails - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    NameTypeDescription

                    assignedTo

                    string

                    Format = UPN (user@domain)

                    dateAssigned

                    datetime

                    state

                    SeatState

                    productKey

                    ProductKey

                    - - +|Name|Type|Description| +|--- |--- |--- | +|assignedTo|String|Format = UPN (user@domain)| +|dateAssigned|Datetime|| +|State|[SeatState](#seatstate)|| +|productKey|[ProductKey](#productkey)|| ## SeatDetailsResultSet - - ---- - - - - - - - - - - - - - - - - -
                    NameType

                    seats

                    collection of SeatDetails

                    continuationToken

                    string

                    - - +|Name|Type| +|--- |--- | +|Seats|Collection of [SeatDetails](#seatdetails)| +|continuationToken|String| ## SeatState - - --- - - - - - - - - - - - - - -
                    Name

                    active

                    revoked

                    - - +|Name| +|--- | +|Active| +|Revoked| ## SupportedProductPlatform - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
                    NameType

                    platformName

                    string

                    minVersion

                    VersionInfo

                    maxTestedVersion

                    VersionInfo

                    architectures

                    collection of ProductArchitectures

                    - - +|Name|Type| +|--- |--- | +|platformName|String| +|minVersion|[VersionInfo](#versioninfo)| +|maxTestedVersion|[VersionInfo](#versioninfo)| +|Architectures|Collection of [ProductArchitectures](#productarchitectures)| ## VersionInfo - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
                    NameType

                    major

                    integer-32

                    minor

                    integer-32

                    build

                    integer-32

                    revision

                    integer-32

                    +|Name|Type|
+|--- |--- |
+|Major|integer-32|
+|Minor|integer-32|
+|Build|integer-32|
+|Revision|integer-32|
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 73237ce6c0..6f404d4e29 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -10,7 +10,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 08/05/2021 +ms.date: 10/04/2021 --- # Defender CSP
@@ -73,7 +73,7 @@ Defender --------SupportLogLocation (Added in the next major release of Windows 10) --------PlatformUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) --------EngineUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) ---------DefinitionUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) +--------SecurityIntelligenceUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) --------DisableGradualRelease (Added with the 4.18.2106.5 Defender platform release) ----Scan ----UpdateSignature
@@ -124,6 +124,7 @@ Threat category ID. The data type is integer. The following table describes the supported values: +

                    | Value | Description | |-------|-----------------------------|
@@ -399,7 +400,7 @@ Supported product status values: - Service started without any malware protection engine = 1 << 1 - Pending full scan due to threat action = 1 << 2 - Pending reboot due to threat action = 1 << 3 -- ending manual steps due to threat action = 1 << 4 +- ending manual steps due to threat action = 1 << 4 - AV signatures out of date = 1 << 5 - AS signatures out of date = 1 << 6 - No quick scan has happened for a specified period = 1 << 7
@@ -624,7 +625,7 @@ This policy setting controls whether or not exclusions are visible to Local Admi If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security App and via PowerShell. -If you enable this setting, Local Admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell. +If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app or via PowerShell. > [!NOTE] > Applying this setting will not remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**.
@@ -722,6 +723,8 @@ Current Channel (Staged): Devices will be offered updates after the monthly grad Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). +Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only + If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. The data type is integer.
@@ -730,10 +733,12 @@ Supported operations are Add, Delete, Get, Replace. Valid values are: - 0: Not configured (Default) -- 1: Beta Channel - Prerelease -- 2: Current Channel (Preview) -- 3: Current Channel (Staged) -- 4: Current Channel (Broad) +- 2: Beta Channel - Prerelease +- 3: Current Channel (Preview) +- 4: Current Channel (Staged) +- 5: Current Channel (Broad) +- 6: Critical- Time Delay + More details:
@@ -751,6 +756,8 @@ Current Channel (Staged): Devices will be offered updates after the monthly grad Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). +Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only + If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. The data type is integer.
@@ -758,19 +765,22 @@ The data type is integer. Supported operations are Add, Delete, Get, Replace. Valid values are: -- 0 - Not configured (Default) -- 1 - Beta Channel - Prerelease -- 2 - Current Channel (Preview) -- 3 - Current Channel (Staged) -- 4 - Current Channel (Broad) +- 0: Not configured (Default) +- 2: Beta Channel - Prerelease +- 3: Current Channel (Preview) +- 4: Current Channel (Staged) +- 5: Current Channel (Broad) +- 6: Critical- Time Delay More details: - [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) - [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) -**Configuration/DefinitionUpdatesChannel** -Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. +**Configuration/SecurityIntelligenceUpdatesChannel** +Enable this policy to specify when devices receive daily Microsoft Defender security intelligence (definition) updates during the daily gradual rollout. + +Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
@@ -781,8 +791,8 @@ Supported operations are Add, Delete, Get, Replace. Valid Values are: - 0: Not configured (Default) -- 3: Current Channel (Staged) -- 4: Current Channel (Broad) +- 4: Current Channel (Staged) +- 5: Current Channel (Broad) More details:
@@ -830,6 +840,6 @@ Added in Windows 10, version 1803. OfflineScan action starts a Microsoft Defende Supported operations are Get and Execute. -## Related topics +## See also [Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index e5da0cdb7b..0880239fe6 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -15,7 +15,7 @@ ms.date: 07/23/2021 # Defender DDF file -This article shows the OMA DM device description framework (DDF) for the **Defender** configuration service provider. DDF files are used only with OMA DM provisioning XML. +This article shows the OMA DM device description framework (DDF) for the Defender configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@@ -1007,5 +1007,4 @@ The XML below is the current version for this CSP. ## See also - -[Defender configuration service provider](defender-csp.md) \ No newline at end of file +[Defender configuration service provider](defender-csp.md)
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md
index 5337bb0cfd..9466edec32 100644
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -1,6 +1,6 @@ --- title: DevDetail CSP -description: Learn how the DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server. +description: Learn how the DevDetail configuration service provider handles the management object. This CSP provides device-specific parameters to the OMA DM server. ms.assetid: 719bbd2d-508d-439b-b175-0874c7e6c360 ms.reviewer: manager: dansimp
@@ -14,15 +14,16 @@ ms.date: 03/27/2020 # DevDetail CSP -The DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server. These device parameters are not sent from the client to the server automatically, but can be queried by servers using OMA DM commands. +The DevDetail configuration service provider handles the management object that provides device-specific parameters to the OMA DM server. These device parameters can be queried by servers using OMA DM commands. They aren't sent from the client to the server automatically. > [!NOTE] > This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. -For the DevDetail CSP, you cannot use the Replace command unless the node already exists. +For the DevDetail CSP, you can't use the Replace command unless the node already exists. -The following shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol is not supported for this configuration service provider. -``` +The following information shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol isn't supported for this configuration service provider. + +```console . DevDetail ----URI 
@@ -97,24 +98,24 @@ Required. Returns the maximum depth of the management tree that the device suppo Supported operation is Get. -This is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth. +This value is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth. **URI/MaxTotLen** Required. Returns the maximum total length of any URI used to address a node or node property. The default is zero (0). Supported operation is Get. -This is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length. +This value is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length. **URI/MaxSegLen** Required. Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0). Supported operation is Get. -This is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length. +This value is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length. **Ext/Microsoft/MobileID** -Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that do not have a cellular network support. +Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that don't have a cellular network support. Supported operation is Get. 
@@ -131,7 +132,7 @@ Required. Returns the UI screen resolution of the device (example: "480x800 Supported operation is Get. **Ext/Microsoft/CommercializationOperator** -Required. Returns the name of the mobile operator if it exists; otherwise it returns 404.. +Required. Returns the name of the mobile operator if it exists. Otherwise, it returns 404. Supported operation is Get.
@@ -158,7 +159,7 @@ Supported operation is Get. **Ext/Microsoft/DeviceName** Required. Contains the user-specified device name. -Support for Replace operation for Windows 10 Mobile was added in Windows 10, version 1511. Replace operation is not supported in the desktop or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name does not take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs. +Replace operation isn't supported in Windows client or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name doesn't take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs. Value type is string.
@@ -171,23 +172,15 @@ The following are the available naming macros: | Macro | Description | Example | Generated Name | | -------| -------| -------| -------| -| %RAND:<# of digits> | Generates the specified number of random digits. | Test%RAND:6% | Test123456| -| %SERIAL% | Generates the serial number derived from the device. If the serial number causes the new name to exceed the 63 character limit, the serial number will be truncated from the beginning of the sequence.| Test-Device-%SERIAL% | Test-Device-456| +| %RAND:<# of digits> | Generates the specified number of random digits. | `Test%RAND:6%` | Test123456| +| %SERIAL% | Generates the serial number derived from the device. If the serial number causes the new name to exceed the 63 character limit, the serial number will be truncated from the beginning of the sequence.| `Test-Device-%SERIAL%` | Test-Device-456| Value type is string. Supported operations are Get and Replace. > [!NOTE] > We recommend using `%SERIAL%` or `%RAND:x%` with a high character limit to reduce the chance of name collision when generating a random name. This feature doesn't check if a particular name is already present in the environment. -On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**. 
- -**Ext/Microsoft/TotalStorage** -Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage). - -Supported operation is Get. - -> [!NOTE] -> This is only supported in Windows 10 Mobile. +On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the computer's serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit doesn't count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**. **Ext/Microsoft/TotalRAM** Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory). 
@@ -205,30 +198,30 @@ The MAC address of the active WLAN connection, as a 12-digit hexadecimal number. Supported operation is Get. > [!NOTE] -> This is not supported in Windows 10 for desktop editions. +> This isn't supported in Windows 10 for desktop editions. **Ext/VoLTEServiceSetting** -Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers. +Returns the VoLTE service to on or off. This setting is only exposed to mobile operator OMA-DM servers. Supported operation is Get. **Ext/WlanIPv4Address** -Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers. +Returns the IPv4 address of the active Wi-Fi connection. This address is only exposed to enterprise OMA DM servers. Supported operation is Get. **Ext/WlanIPv6Address** -Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers. +Returns the IPv6 address of the active Wi-Fi connection. This address is only exposed to enterprise OMA-DM servers. Supported operation is Get. **Ext/WlanDnsSuffix** -Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers. +Returns the DNS suffix of the active Wi-Fi connection. This suffix is only exposed to enterprise OMA-DM servers. Supported operation is Get. **Ext/WlanSubnetMask** -Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers. +Returns the subnet mask for the active Wi-Fi connection. This subnet mask is only exposed to enterprise OMA-DM servers. Supported operation is Get. 
@@ -236,17 +229,10 @@ Supported operation is Get.
 Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
 
 > [!NOTE]
-> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information.
+> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you can't parse the content to get any meaningful hardware information.
 
 Supported operation is Get.
 
-## Related topics
+## Related articles
 
 [Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md
index bd80931f74..b1d7b62247 100644
--- a/windows/client-management/mdm/device-update-management.md
+++ b/windows/client-management/mdm/device-update-management.md
@@ -19,24 +19,24 @@ ms.date: 11/15/2017 >[!TIP] >If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq). -In the current device landscape of PC, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we are investing heavily in extending the management capabilities available to MDMs. One key feature we are adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates. +With PCs, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we're investing heavily in extending the management capabilities available to MDMs. One key feature we're adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates. In particular, Windows 10 provides APIs to enable MDMs to: - Ensure machines stay up to date by configuring Automatic Update policies. -- Test updates on a smaller set of machines before enterprise-wide rollout by configuring which updates are approved for a given device. -- Get compliance status of managed devices so IT can easily understand which machines still need a particular security patch, or how up to date is a particular machine. +- Test updates on a smaller set of machines by configuring which updates are approved for a given device. Then, do an enterprise-wide rollout. +- Get compliance status of managed devices. IT can understand which machines still need a security patch, or how current is a particular machine. -This topic provides MDM independent software vendors (ISV) with the information they need to implement update management in Windows 10. 
+This article provides independent software vendors (ISV) with the information they need to implement update management in Windows 10. In Windows 10, the MDM protocol has been extended to better enable IT admins to manage updates. In particular, Windows has added configuration service providers (CSPs) that expose policies and actions for MDMs to: -- Configure automatic update policies to ensure devices stay up-to-date. +- Configure automatic update policies to ensure devices stay up to date. - Get device compliance information (the list of updates that are needed but not yet installed). -- Specify a per-device update approval list, to ensure devices don’t install unapproved updates that have not been tested. -- Approve EULAs on behalf of the end user so update deployment can be automated even for updates with EULAs. +- Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested. +- Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs. -The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID, which is a GUID that identifies a particular update. The MDM, of course, will want to expose IT-friendly information about the update (instead of a raw GUID), including the update’s title, description, KB, update type (for example, a security update or service pack). For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c). +The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. 
The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the update’s title, description, KB, update type, like a security update or service pack. For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c). For more information about the CSPs, see [Update CSP](update-csp.md) and the update policy area of the [Policy CSP](policy-configuration-service-provider.md). 
@@ -48,29 +48,29 @@ The diagram can be roughly divided into three areas: - The Device Management service syncs update information (title, description, applicability) from Microsoft Update using the Server-Server sync protocol (top of the diagram). - The Device Management service sets automatic update policies, obtains update compliance information, and sets approvals via OMA DM (left portion of the diagram). -- The device gets updates from Microsoft Update using client/server protocol, but only downloads and installs updates that are both applicable to the device and approved by IT (right portion of the diagram). +- The device gets updates from Microsoft Update using client/server protocol. It only downloads and installs updates that apply to the device and are approved by IT (right portion of the diagram). ## Getting update metadata using the Server-Server sync protocol -The Microsoft Update Catalog is huge and contains many updates that are not needed by MDM-managed devices, including updates for legacy software (for example, updates to servers, down-level desktop operating systems, and legacy apps), and a large number of drivers. We recommend that the MDM use the Server-Server sync protocol to get update metadata for updates reported from the client. +The Microsoft Update Catalog contains many updates that aren't needed by MDM-managed devices. It includes updates for legacy software, like updates to servers, down-level desktop operating systems, & legacy apps, and a large number of drivers. We recommend MDMs use the Server-Server sync protocol to get update metadata for updates reported from the client. -This section describes how this is done. The following diagram shows the server-server sync protocol process. +This section describes this setup. The following diagram shows the server-server sync protocol process. -![mdm server-server sync.](images/deviceupdateprocess2.png) +:::image type="content" alt-text="mdm server-server sync." 
source="images/deviceupdateprocess2.png" lightbox="images/deviceupdateprocess2.png"::: MSDN provides much information about the Server-Server sync protocol. In particular: -- It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development. -- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx. +- It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development. +- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`. Some important highlights: -- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). 
In [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a), the **Sample 1: Authorization** code shows how this is done. Even though this is called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired. -- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision Numbers is `./Vendor/MSFT/Update/InstallableUpdates?list=StructData`. Because not all updates are available via S2S sync, make sure you handle SOAP errors. -- For mobile devices, you can either sync metadata for a particular update by calling GetUpdateData, or for a local on-premises solution, you can use WSUS and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process). +- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a), the **Sample 1: Authorization** code shows how authorization is done. Even though it's called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired. 
+- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision numbers is `./Vendor/MSFT/Update/InstallableUpdates?list=StructData`. Because not all updates are available via S2S sync, make sure you handle SOAP errors. +- For mobile devices, you can sync metadata for a particular update by calling GetUpdateData. Or, for a local on-premises solution, you can use Windows Server Update Services (WSUS) and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process). > [!NOTE] -> On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, etc). Each time such a change is made that doesn’t affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number). +> On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, and so on). Each time such a change is made that doesn’t affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. 
Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number). ## Examples of update metadata XML structure and element descriptions 
@@ -82,16 +82,16 @@ The response of the GetUpdateData call returns an array of ServerSyncUpdateData - **CreationDate** – the date on which this update was created. - **UpdateType** – The type of update, which could include the following: - **Detectoid** – if this update identity represents a compatibility logic - - **Category** – This could represent either of the following: - - A Product category the update belongs to. For example, Windows, MS office etc. - - The classification the update belongs to. For example, Drivers, security etc. + - **Category** – This element could represent either of the following: + - A Product category the update belongs to. For example, Windows, MS office, and so on. + - The classification the update belongs to. For example, drivers, security, and so on. - **Software** – If the update is a software update. - **Driver** – if the update is a driver update. - **LocalizedProperties** – represents the language the update is available in, title and description of the update. It has the following fields: - **Language** – The language code identifier (LCID). For example, en or es. - **Title** – Title of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)” - - **Description** – Description of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you have installed this item, it cannot be removed.” -- **KBArticleID** – The KB article number for this update that has details regarding the particular update. For example, . + - **Description** – Description of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. 
After you've installed this item, it can't be removed.” +- **KBArticleID** – The KB article number for this update that has details about the particular update. For example, `https://support.microsoft.com/kb/2902892`. ## Recommended Flow for Using the Server-Server Sync Protocol 
@@ -99,119 +99,156 @@ This section describes a possible algorithm for using the server-server sync pro First some background: -- If you have a multi-tenant MDM, the update metadata can be kept in a shared partition, since it is common to all tenants. -- A metadata sync service can then be implemented that periodically calls server-server sync to pull in metadata for the updates IT cares about. -- The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client if those updates are not already known to the device. +- If you have a multi-tenant MDM, the update metadata can be kept in a shared partition, since it's common to all tenants. +- A metadata sync service can then be implemented. The service periodically calls server-server sync to pull in metadata for the updates IT cares about. +- The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client, if those updates aren't already known to the device. The following procedure describes a basic algorithm for a metadata sync service: -- Initialization, composed of the following: - 1. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since those are temporary in nature (for example, Defender releases about four new definition updates per day, each of which is cumulative). +- Initialization uses the following steps: + a. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative. 
- Sync periodically (we recommend once every 2 hours - no more than once/hour). 1. Implement the authorization phase of the protocol to get a cookie if you don’t already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). 2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and: - - Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata has not already been pulled into the DB. + - Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB. - If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one. - - Remove updates from the "needed update IDs to fault in" list once they have been brought in. + - Remove updates from the "needed update IDs to fault in" list once they've been brought in. -This provides an efficient way to pull in the information about the set of Microsoft Updates that IT needs to manage, so the information can be used in various update management scenarios. For example, at update approval time you can pull information so IT can see what updates they are approving, or for compliance reports to see what updates are needed but not yet installed. +These steps get information about the set of Microsoft Updates that IT needs to manage, so the information can be used in various update management scenarios. For example, at update approval time, you can get information so IT can see what updates they're approving. Or, for compliance reports to see what updates are needed but not yet installed. ## Managing updates using OMA DM -An MDM can manage updates via OMA DM. 
The details of how to use and integrate an MDM with the Windows OMA DM protocol, and how to enroll devices for MDM management, is documented the [Mobile device management](mobile-device-enrollment.md) topic. This section focuses on how to extend that integration to support update management. The key aspects of update management include the following: +An MDM can manage updates via OMA DM. The details of how to use and integrate an MDM with the Windows OMA DM protocol, and how to enroll devices for MDM management, is documented in [Mobile device management](mobile-device-enrollment.md). This section focuses on how to extend that integration to support update management. The key aspects of update management include the following information: -- Configure automatic update policies to ensure devices stay up-to-date. +- Configure automatic update policies to ensure devices stay up to date. - Get device compliance information (the list of updates that are needed but not yet installed) -- Specify a per-device update approval list to ensure devices don’t install unapproved updates that have not been tested. -- Approve EULAs on behalf of the end-user so update deployment can be automated even for updates with EULAs +- Specify a per-device update approval list. The list makes sure devices only install updates that are approved and tested. +- Approve EULAs for the end user so update deployment can be automated, even for updates with EULAs The following list describes a suggested model for applying updates. 1. Have a "Test Group" and an "All Group". 2. In the Test group, just let all updates flow. -3. In the All Group, set up Quality Update deferral for 7 days and then Quality Updates will be auto approved after the 7 days. Note that Definition Updates are excluded from Quality Update deferrals and will be auto approved when they are available. 
This can be done by setting Update/DeferQualityUpdatesPeriodInDays to 7 and just letting updates flow after seven days or pushing Pause in case of issues. +3. In the All Group, set up Quality Update deferral for seven days. Then, Quality Updates will be auto approved after the seven days. Definition Updates are excluded from Quality Update deferrals, and will be auto approved when they're available. This schedule can be done by setting Update/DeferQualityUpdatesPeriodInDays to seven, and just letting updates flow after seven days or pushing Pause if any issues. -Updates are configured using a combination of the [Update CSP](update-csp.md), and the update portion of the [Policy CSP](policy-configuration-service-provider.md). Please refer to these topics for details on configuring updates. +Updates are configured using a combination of the [Update CSP](update-csp.md), and the update portion of the [Policy CSP](policy-configuration-service-provider.md). ### Update policies -The enterprise IT can configure auto-update polices via OMA DM using the [Policy CSP](policy-configuration-service-provider.md) (this functionality is not supported in Windows 10 Mobile and Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP. +The enterprise IT can configure auto-update policies via OMA DM using the [Policy CSP](policy-configuration-service-provider.md) (this functionality isn't supported in Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP. -The following diagram shows the Update policies in a tree format. +The following information shows the Update policies in a tree format. 
-![update policies.](images/update-policies.png) +```console +./Vendor/MSFT +Policy +----Config +--------Update +-----------ActiveHoursEnd +-----------ActiveHoursMaxRange +-----------ActiveHoursStart +-----------AllowAutoUpdate +-----------AllowMUUpdateService +-----------AllowNonMicrosoftSignedUpdate +-----------AllowUpdateService +-----------AutoRestartNotificationSchedule +-----------AutoRestartRequiredNotificationDismissal +-----------BranchReadinessLevel +-----------DeferFeatureUpdatesPeriodInDays +-----------DeferQualityUpdatesPeriodInDays +-----------DeferUpdatePeriod +-----------DeferUpgradePeriod +-----------EngagedRestartDeadline +-----------EngagedRestartSnoozeSchedule +-----------EngagedRestartTransitionSchedule +-----------ExcludeWUDriversInQualityUpdate +-----------IgnoreMOAppDownloadLimit +-----------IgnoreMOUpdateDownloadLimit +-----------PauseDeferrals +-----------PauseFeatureUpdates +-----------PauseQualityUpdates +-----------RequireDeferUpgrade +-----------RequireUpdateApproval +-----------ScheduleImminentRestartWarning +-----------ScheduledInstallDay +-----------ScheduledInstallTime +-----------ScheduleRestartWarning +-----------SetAutoRestartNotificationDisable +-----------UpdateServiceUrl +-----------UpdateServiceUrlAlternate +``` **Update/ActiveHoursEnd** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                    Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. +Added in Windows 10, version 1607. When used with **Update/ActiveHoursStart**, it allows the IT admin to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. There's a 12-hour maximum from start time. > [!NOTE] -> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. +> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article. -

                    Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. +Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on. -

                    The default is 17 (5 PM). +The default is 17 (5 PM). **Update/ActiveHoursMaxRange** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. -

                    Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. +Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. -

                    Supported values are 8-18. +Supported values are 8-18. -

                    The default value is 18 (hours). +The default value is 18 (hours). **Update/ActiveHoursStart** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. -

                    Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. +Added in Windows 10, version 1607. When used with **Update/ActiveHoursEnd**, it allows the IT admin to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time. > [!NOTE] -> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. +> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article. -

                    Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. +Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on. -

                    The default value is 8 (8 AM). +The default value is 8 (8 AM). **Update/AllowAutoUpdate** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. -

                    Enables the IT admin to manage automatic update behavior to scan, download, and install updates. +Enables the IT admin to manage automatic update behavior to scan, download, and install updates. -

                    Supported operations are Get and Replace. +Supported operations are Get and Replace. -

                    The following list shows the supported values: +The following list shows the supported values: -- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. -- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. -- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. +- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. 
With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. +- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart. +- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default behavior for unmanaged devices. Devices are updated quickly. But, it increases the risk of accidental data loss caused by an application that doesn't shutdown properly on restart. - 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. 
-- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. +- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. - 5 – Turn off automatic updates. > [!IMPORTANT] > This option should be used only for systems under regulatory compliance, as you will not get security updates as well. -

                    If the policy is not configured, end-users get the default behavior (Auto install and restart). +If the policy isn't configured, end users get the default behavior (Auto install and restart). **Update/AllowMUUpdateService** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                    Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. +Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. -

                    The following list shows the supported values: +The following list shows the supported values: - 0 – Not allowed or not configured. - 1 – Allowed. Accepts updates received through Microsoft Update. @@ -221,31 +258,31 @@ The following diagram shows the Update policies in a tree format. > This policy is available on Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education. -

                    Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third party software and patch distribution. +Allows the IT admin to manage if Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution. -

                    Supported operations are Get and Replace. +Supported operations are Get and Replace. -

                    The following list shows the supported values: +The following list shows the supported values: - 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. -- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. +- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate in the "Trusted Publishers" certificate store of the local computer. -

                    This policy is specific to desktop and local publishing via WSUS for third party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. +This policy is specific to desktop and local publishing using WSUS for third-party updates (binaries and updates not hosted on Microsoft Update). It allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. **Update/AllowUpdateService** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                    Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft. +Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft. -

                    Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft +Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update. -

                    Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working. +Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working. -

                    The following list shows the supported values: +The following list shows the supported values: -- 0 – Update service is not allowed. +- 0 – Update service isn't allowed. - 1 (default) – Update service is allowed. > [!NOTE] @@ -257,20 +294,20 @@ The following diagram shows the Update policies in a tree format. > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                    Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. +Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. -

                    Supported values are 15, 30, 60, 120, and 240 (minutes). +Supported values are 15, 30, 60, 120, and 240 (minutes). -

                    The default value is 15 (minutes). +The default value is 15 (minutes). **Update/AutoRestartRequiredNotificationDismissal** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                    Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed. +Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed. -

                    The following list shows the supported values: +The following list shows the supported values: - 1 (default) – Auto Dismissal. - 2 – User Dismissal. @@ -280,9 +317,9 @@ The following diagram shows the Update policies in a tree format. > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                    Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. +Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. -

                    The following list shows the supported values: +The following list shows the supported values: - 16 (default) – User gets all applicable upgrades from Current Branch (CB). - 32 – User gets upgrades from Current Branch for Business (CBB). @@ -291,18 +328,18 @@ The following diagram shows the Update policies in a tree format. > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. -

                    Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. +Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. -

                    Supported values are 0-180. +Supported values are 0-180. **Update/DeferQualityUpdatesPeriodInDays** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                    Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. +Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. -

                    Supported values are 0-30. +Supported values are 0-30. **Update/DeferUpdatePeriod** > [!NOTE] @@ -311,140 +348,110 @@ The following diagram shows the Update policies in a tree format. > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. -

                    Allows IT Admins to specify update delays for up to four weeks. +Allows IT Admins to specify update delays for up to four weeks. -

                    Supported values are 0-4, which refers to the number of weeks to defer updates. +Supported values are 0-4, which refers to the number of weeks to defer updates. -

                    If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by**; and **Pause Updates and Upgrades** settings have no effect. -

                    If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Update categoryMaximum deferralDeferral incrementUpdate type/notes

                    OS upgrade

                    8 months

                    1 month

                    Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5

                    Update

                    1 month

                    1 week

                    -Note -If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. -
                    -
                      -
                    • Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
                    • -
                    • Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4
                    • -
                    • Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F
                    • -
                    • Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828
                    • -
                    • Tools - B4832BD8-E735-4761-8DAF-37F882276DAB
                    • -
                    • Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F
                    • -
                    • Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
                    • -
                    • Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
                    • -

                    Other/cannot defer

                    No deferral

                    No deferral

                    Any update category not enumerated above falls into this category.

                    -

                    Definition Update - E0789628-CE08-4437-BE74-2495B842F43B

                    +- **Update category**: OS upgrade + - **Maximum deferral**: 8 months + - **Deferral increment**: 1 month + - **Update type/notes**: Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 +- **Update category**: Update + - **Maximum deferral**: 1 month + - **Deferral increment**: 1 week + - **Update type/notes**: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. + + - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 + - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 + - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F + - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 + - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB + - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F + - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 + - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 + +- **Update category**: Other/cannot defer + - **Maximum deferral**: No deferral + - **Deferral increment**: No deferral + - **Update type/notes**: Any update category not enumerated above falls into this category. + - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B **Update/DeferUpgradePeriod** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. > -> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. -> > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. -

                    Allows IT Admins to specify additional upgrade delays for up to eight months. +Allows IT Admins to enter more upgrade delays for up to eight months. -

                    Supported values are 0-8, which refers to the number of months to defer upgrades. +Supported values are 0-8, which refers to the number of months to defer upgrades. -

                    If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. -

                    If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. **Update/EngagedRestartDeadline** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                    Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling). +Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, then the restart won't be automatically executed. It will remain Engaged restart (pending user scheduling). -

                    Supported values are 2-30 days. +Supported values are 2-30 days. -

                    The default value is 0 days (not specified). +The default value is 0 days (not specified). **Update/EngagedRestartSnoozeSchedule** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                    Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications. +Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications. -

                    Supported values are 1-3 days. +Supported values are 1-3 days. -

                    The default value is three days. +The default value is three days. **Update/EngagedRestartTransitionSchedule** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                    Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. +Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. -

                    Supported values are 2-30 days. +Supported values are 2-30 days. -

                    The default value is seven days. +The default value is seven days. **Update/ExcludeWUDriversInQualityUpdate** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. -> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. -

                    Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. +Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. -

                    The following list shows the supported values: +The following list shows the supported values: - 0 (default) – Allow Windows Update drivers. - 1 – Exclude Windows Update drivers. **Update/IgnoreMOAppDownloadLimit** -

                    Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. +Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. > [!WARNING] > Setting this policy might cause devices to incur costs from MO operators. -

                    The following list shows the supported values: +The following list shows the supported values: -- 0 (default) – Do not ignore MO download limit for apps and their updates. +- 0 (default) – Don't ignore MO download limit for apps and their updates. - 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. -

                    To validate this policy: +To validate this policy: 1. Enable the policy ensure the device is on a cellular network. 2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: @@ -456,20 +463,20 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego **Update/IgnoreMOUpdateDownloadLimit** -

                    Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. +Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. > [!WARNING] > Setting this policy might cause devices to incur costs from MO operators. -

                    The following list shows the supported values: +The following list shows the supported values: -- 0 (default) – Do not ignore MO download limit for OS updates. +- 0 (default) – Don't ignore MO download limit for OS updates. - 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. -

                    To validate this policy: +To validate this policy: 1. Enable the policy and ensure the device is on a cellular network. -2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: +2. Run the scheduled task on the devices to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""` 3. Verify that any downloads that are above the download size limit will complete without being paused. @@ -482,26 +489,26 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. -

                    Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks. +Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks. -

                    The following list shows the supported values: +The following list shows the supported values: -- 0 (default) – Deferrals are not paused. +- 0 (default) – Deferrals aren't paused. - 1 – Deferrals are paused. -

                    If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. -

                    If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. **Update/PauseFeatureUpdates** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. -

                    Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. +Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. -

                    The following list shows the supported values: +The following list shows the supported values: -- 0 (default) – Feature Updates are not paused. +- 0 (default) – Feature Updates aren't paused. - 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. **Update/PauseQualityUpdates** @@ -509,11 +516,11 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                    Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. +Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. -

                    The following list shows the supported values: +The following list shows the supported values: -- 0 (default) – Quality Updates are not paused. +- 0 (default) – Quality Updates aren't paused. - 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. **Update/RequireDeferUpgrade** @@ -523,9 +530,9 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. -

                    Allows the IT admin to set a device to CBB train. +Allows the IT admin to set a device to CBB train. -

                    The following list shows the supported values: +The following list shows the supported values: - 0 (default) – User gets upgrades from Current Branch. - 1 – User gets upgrades from Current Branch for Business. @@ -541,38 +548,38 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. -

                    Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. +Allows the IT admin to restrict the updates that are installed on a device to only the updates on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update for the end user. EULAs are approved once an update is approved. -

                    Supported operations are Get and Replace. +Supported operations are Get and Replace. -

                    The following list shows the supported values: +The following list shows the supported values: - 0 – Not configured. The device installs all applicable updates. -- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. +- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required before deployment. **Update/ScheduleImminentRestartWarning** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                    Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. +Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. -

                    Supported values are 15, 30, or 60 (minutes). +Supported values are 15, 30, or 60 (minutes). -

                    The default value is 15 (minutes). +The default value is 15 (minutes). **Update/ScheduledInstallDay** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                    Enables the IT admin to schedule the day of the update installation. +Enables the IT admin to schedule the day of the update installation. -

                    The data type is a string. +The data type is a string. -

                    Supported operations are Add, Delete, Get, and Replace. +Supported operations are Add, Delete, Get, and Replace. -

                    The following list shows the supported values: +The following list shows the supported values: - 0 (default) – Every day - 1 – Sunday @@ -588,35 +595,35 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                    Enables the IT admin to schedule the time of the update installation. +Enables the IT admin to schedule the time of the update installation. -

                    The data type is a string. +The data type is a string. -

                    Supported operations are Add, Delete, Get, and Replace. +Supported operations are Add, Delete, Get, and Replace. -

                    Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. +Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. -

                    The default value is 3. +The default value is 3. **Update/ScheduleRestartWarning** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                    Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications. +Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications. -

                    Supported values are 2, 4, 8, 12, or 24 (hours). +Supported values are 2, 4, 8, 12, or 24 (hours). -

                    The default value is 4 (hours). +The default value is 4 (hours). **Update/SetAutoRestartNotificationDisable** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -

                    Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations. +Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations. -

                    The following list shows the supported values: +The following list shows the supported values: - 0 (default) – Enabled - 1 – Disabled @@ -626,13 +633,13 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education > [!Important] -> Starting in Windows 10, version 1703 this policy is not supported in IoT Enterprise. +> Starting in Windows 10, version 1703 this policy isn't supported in IoT Enterprise. -

                    Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. +Allows the device to check for updates from a WSUS server instead of Microsoft Update. Using WSUS is useful for on-premises MDMs that need to update devices that can't connect to the Internet. -

                    Supported operations are Get and Replace. +Supported operations are Get and Replace. -

                    The following list shows the supported values: +The following list shows the supported values: - Not configured. The device checks for updates from Microsoft Update. - Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL. @@ -640,43 +647,73 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego Example ```xml - - $CmdID$ - - - chr - text/plain - - - ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl - - http://abcd-srv:8530 - - + + $CmdID$ + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl + + http://abcd-srv:8530 + + ``` **Update/UpdateServiceUrlAlternate** -> **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. -

                    Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. +Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. -

                    This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. +This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. -

                    To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. +To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. -

                    Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. +Value type is string and the default value is an empty string. If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, then the Automatic Updates client connects directly to the Windows Update site on the Internet. > [!Note] > If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. -> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates. -> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. +> If the "Alternate Download Server" Group Policy isn't set, it will use the WSUS server by default to download updates. +> This policy isn't supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. ### Update management -The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following diagram shows the Update CSP in tree format.. +The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following information shows the Update CSP in tree format. 
 
-![provisioning csp update.](images/provisioning-csp-update.png)
+```console
+./Vendor/MSFT
+Update
+----ApprovedUpdates
+--------Approved Update Guid
+------------ApprovedTime
+----FailedUpdates
+--------Failed Update Guid
+------------HResult
+------------Status
+------------RevisionNumber
+----InstalledUpdates
+--------Installed Update Guid
+------------RevisionNumber
+----InstallableUpdates
+--------Installable Update Guid
+------------Type
+------------RevisionNumber
+----PendingRebootUpdates
+--------Pending Reboot Update Guid
+------------InstalledTime
+------------RevisionNumber
+----LastSuccessfulScanTime
+----DeferUpgrade
+----Rollback
+--------QualityUpdate
+--------FeatureUpdate
+--------QualityUpdateStatus
+--------FeatureUpdateStatus
+```
 **Update** The root node. 
@@ -684,15 +721,17 @@ The root node. Supported operation is Get. **ApprovedUpdates** -Node for update approvals and EULA acceptance on behalf of the end-user. +Node for update approvals and EULA acceptance for the end user. -> **Note** When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. +> [!NOTE] +> When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. -The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. +The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to present the EULA is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It's only necessary to approve the EULA once per EULA ID, not one per update. -The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. 
An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. +The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (updates to the virus and spyware definitions on devices) and Security Updates (product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstall of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs because of changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. -> **Note**  For the Windows 10 build, the client may need to reboot after additional updates are added. +> [!NOTE] +> For the Windows 10 build, the client may need to reboot after additional updates are added. @@ -722,7 +761,7 @@ Specifies the approved updates that failed to install on a device. Supported operation is Get. **FailedUpdates/***Failed Update Guid* -Update identifier field of the UpdateIdentity GUID that represent an update that failed to download or install. +Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install. Supported operation is Get. 
@@ -747,7 +786,7 @@ UpdateIDs that represent the updates installed on a device. Supported operation is Get. **InstallableUpdates** -The updates that are applicable and not yet installed on the device. This includes updates that are not yet approved. +The updates that are applicable and not yet installed on the device. This information includes updates that aren't yet approved. Supported operation is Get. @@ -798,7 +837,7 @@ Supported operation is Get. ## Windows 10, version 1607 for update management -Here are the new policies added in Windows 10, version 1607 in [Policy CSP](policy-configuration-service-provider.md). You should use these policies for the new Windows 10, version 1607 devices. +Here are the new policies added in Windows 10, version 1607 in [Policy CSP](policy-configuration-service-provider.md). Use these policies for the Windows 10, version 1607 devices. - Update/ActiveHoursEnd - Update/ActiveHoursStart @@ -812,73 +851,18 @@ Here are the new policies added in Windows 10, version 1607 in [Policy CSP](pol Here's the list of corresponding Group Policy settings in HKLM\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    GPO keyTypeValue

                    BranchReadinessLevel

                    REG_DWORD

                    16: systems take Feature Updates on the Current Branch (CB) train

                    -

                    32: systems take Feature Updates on the Current Branch for Business

                    -

                    Other value or absent: receive all applicable updates (CB)

                    DeferQualityUpdates

                    REG_DWORD

                    1: defer quality updates

                    -

                    Other value or absent: don’t defer quality updates

                    DeferQualityUpdatesPeriodInDays

                    REG_DWORD

                    0-30: days to defer quality updates

                    PauseQualityUpdates

                    REG_DWORD

                    1: pause quality updates

                    -

                    Other value or absent: don’t pause quality updates

                    DeferFeatureUpdates

                    REG_DWORD

                    1: defer feature updates

                    -

                    Other value or absent: don’t defer feature updates

                    DeferFeatureUpdatesPeriodInDays

                    REG_DWORD

                    0-180: days to defer feature updates

                    PauseFeatureUpdates

                    REG_DWORD

                    1: pause feature updates

                    -

                    Other value or absent: don’t pause feature updates

                    ExcludeWUDriversInQualityUpdate

                    REG_DWORD

                    1: exclude WU drivers

                    -

                    Other value or absent: offer WU drivers

                    +|GPO key|Type|Value| +|--- |--- |--- | +|BranchReadinessLevel|REG_DWORD|16: systems take Feature Updates on the Current Branch (CB) train

                    32: systems take Feature Updates on the Current Branch for Business

                    Other value or absent: receive all applicable updates (CB)| +|DeferQualityUpdates|REG_DWORD|1: defer quality updates

                    Other value or absent: don’t defer quality updates| +|DeferQualityUpdatesPeriodInDays|REG_DWORD|0-30: days to defer quality updates| +|PauseQualityUpdates|REG_DWORD|1: pause quality updates

                    Other value or absent: don’t pause quality updates| +|DeferFeatureUpdates|REG_DWORD|1: defer feature updates

                    Other value or absent: don’t defer feature updates| +|DeferFeatureUpdatesPeriodInDays|REG_DWORD|0-180: days to defer feature updates| +|PauseFeatureUpdates|REG_DWORD|1: pause feature updates

                    Other value or absent: don’t pause feature updates| +|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude WU drivers

                    Other value or absent: offer WU drivers| - - -Here is the list of older policies that are still supported for backward compatibility. You can use these for Windows 10, version 1511 devices. +Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices. - Update/RequireDeferUpgrade - Update/DeferUpgradePeriod @@ -945,5 +929,16 @@ Set auto update to notify and defer. The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog. -![mdm device update management screenshot3.](images/deviceupdatescreenshot3.png)![mdm device update management screenshot4](images/deviceupdatescreenshot4.png)![mdm device update management screenshot5](images/deviceupdatescreenshot5.png)![mdm device update management screenshot6](images/deviceupdatescreenshot6.png)![mdm device update management screenshot7](images/deviceupdatescreenshot7.png)![mdm device update management screenshot8](images/deviceupdatescreenshot8.png)![mdm device update management screenshot9](images/deviceupdatescreenshot9.png) +![mdm device update management screenshot3.](images/deviceupdatescreenshot3.png) +![mdm device update management screenshot4](images/deviceupdatescreenshot4.png) + +![mdm device update management screenshot5](images/deviceupdatescreenshot5.png) + +![mdm device update management screenshot6](images/deviceupdatescreenshot6.png) + +![mdm device update management screenshot7](images/deviceupdatescreenshot7.png) + +![mdm device update management screenshot8](images/deviceupdatescreenshot8.png) + +![mdm device update management screenshot9](images/deviceupdatescreenshot9.png) diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md deleted file mode 100644 index 0db22bf159..0000000000 
--- a/windows/client-management/mdm/deviceinstanceservice-csp.md
+++ /dev/null
@@ -1,121 +0,0 @@ ---- -title: DeviceInstanceService CSP -description: Learn how the DeviceInstanceService configuration service provider (CSP) provides some device inventory information that could be useful for an enterprise. -ms.assetid: f113b6bb-6ce1-45ad-b725-1b6610721e2d -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# DeviceInstanceService CSP - - -The DeviceInstanceService configuration service provider provides some device inventory information that could be useful for an enterprise. Additionally, this CSP supports querying two different phone numbers in the case of dual SIM. The URIs for SIM 1 and SIM 2 are ./Vendor/MSFT/DeviceInstanceService/Identity/Identity1 and ./Vendor/MSFT/DeviceInstanceService/Identity/Identity2 respectively. - -> **Note**   -Stop using DeviceInstanceService CSP and use the updated [DeviceStatus CSP](devicestatus-csp.md) instead. - -The DeviceInstance CSP is only supported in Windows 10 Mobile. - - - -The following diagram shows the DeviceInstanceService configuration service provider in tree format. - -![provisioning\-csp\-deviceinstanceservice.](images/provisioning-csp-deviceinstanceservice.png) - -**Roaming** -A boolean value that specifies the roaming status of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/Roaming is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/Roaming. - -Supported operation is **Get**. - -Returns **True** if the device is roaming; otherwise **False**. - -**PhoneNumber** -A string that represents the phone number of the device. 
In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/PhoneNumber is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/PhoneNumber. - -Value type is chr. - -Supported operation is **Get**. - -**IMEI** -A string the represents the International Mobile Station Equipment Identity (IMEI) of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMEI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMEI. - -Value type is chr. - -Supported operation is **Get**. - -**IMSI** -A string that represents the first six digits of device IMSI number (Mobile Country/region Code, Mobile Network Code) of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMSI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMSI. - -Value type is chr. - -Supported operation is **Get**. - -**Identity** -The parent node to group per SIM specific information in case of dual SIM mode. - -**Identity1** -The parent node to group SIM1 specific information in case of dual SIM mode. - -**Identity2** -The parent node to group SIM2 specific information in case of dual SIM mode. - -## Examples - - -The following sample shows how to query roaming status and phone number on the device. - -```xml - - 2 - - - ./Vendor/MSFT/DeviceInstanceService/Roaming - - - - - ./Vendor/MSFT/DeviceInstanceService/PhoneNumber - - - -``` - -Response from the phone. 
- -```xml - - 3 - 1 - 2 - - ./Vendor/MSFT/DeviceInstanceService/Roaming - bool - false - - - ./Vendor/MSFT/DeviceInstanceService/PhoneNumber - +14254458055 - - -``` - -## Related topics - - -[Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md index 9933e58a23..ac6286d7d6 100644 --- a/windows/client-management/mdm/devicelock-csp.md +++ b/windows/client-management/mdm/devicelock-csp.md @@ -17,7 +17,8 @@ ms.date: 06/26/2017 The DeviceLock configuration service provider is used by the enterprise management server to configure device lock related policies. This configuration service provider is supported by an enterprise management server. -> **Note**   The DeviceLock CSP is supported in Windows 10 Mobile for backward compatibility. For Windows 10 devices you should use [Policy CSP](policy-configuration-service-provider.md) for various device lock settings. You can continue to use DeviceLock CSP for Windows Phone 8.1 and Windows Phone 8.1 GDR devices. The DeviceLock CSP will be deprecated some time in the future. +> [!Note] +> For Windows 10 devices, use [Policy CSP](policy-configuration-service-provider.md) for various device lock settings. You can continue to use DeviceLock CSP for Windows Phone 8.1 GDR devices. The DeviceLock CSP will be deprecated some time in the future.   
@@ -30,26 +31,51 @@ The DevicePasswordEnabled setting must be set to 0 (device password is enabled) - MaxInactivityTimeDeviceLock - MinDevicePasswordComplexCharacters -The following image shows the DeviceLock configuration service provider in tree format. +The following information shows the DeviceLock configuration service provider in tree format. -![devicelock csp.](images/provisioning-csp-devicelock.png) +```console +./Vendor/MSFT +DeviceLock +--------Provider +----------ProviderID +-------------DevicePasswordEnabled +-------------AllowSimpleDevicePassword +-------------MinDevicePasswordLength +-------------AlphanumericDevicePasswordRequired +-------------MaxDevicePasswordFailedAttempts +-------------DevicePasswordExpiration +-------------DevicePasswordHistory +-------------MaxInactivityTimeDeviceLock +-------------MinDevicePasswordComplexCharacters +----------DeviceValue +-------------DevicePasswordEnabled +-------------AllowSimpleDevicePassword +-------------MinDevicePasswordLength +-------------AlphanumericDevicePasswordRequired +-------------MaxDevicePasswordFailedAttempts +-------------DevicePasswordExpiration +-------------DevicePasswordHistory +-------------MaxInactivityTimeDeviceLock +-------------MinDevicePasswordComplexCharacters +``` **Provider** Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get. ***ProviderID*** -Optional. The node that contains the configured management server's ProviderID. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one *ProviderID* node. Exchange ActiveSync policies set by Exchange are saved by the Sync client separately. Scope is dynamic. The following operations are supported: +Optional. The node that contains the configured management server's ProviderID. Exchange ActiveSync policies set by Exchange are saved by the Sync client separately. Scope is dynamic. 
The following operations are supported: - **Add** - Add the management account to the configuration service provider tree. - **Delete** - Delete all policies set by this account. This command could be used in enterprise unenrollment for removing policy values set by the enterprise management server. - **Get** - Return all policies set by the management server. -> **Note**   The value cannot be changed after it is added. The **Replace** command isn't supported. +> [!NOTE] +> The value cannot be changed after it's added. The **Replace** command isn't supported.   ***ProviderID*/DevicePasswordEnabled** -Optional. An integer value that specifies whether device lock is enabled. Possible values are one of the following: +Optional. An integer value that specifies whether device lock is enabled. Possible values include: - 0 - Device lock is enabled. - 1 (default) - Device lock not enabled. @@ -59,7 +85,7 @@ The scope is dynamic. Supported operations are Get, Add, and Replace. ***ProviderID*/AllowSimpleDevicePassword** -Optional. An integer value that specifies whether simple passwords, such as "1111" or "1234", are allowed. Possible values for this node are one of the following: +Optional. An integer value that specifies whether simple passwords, such as "1111" or "1234", are allowed. Possible values include: - 0 - Not allowed. - 1 (default) - Allowed. @@ -76,7 +102,7 @@ Supported operations are Get, Add, and Replace. ***ProviderID*/AlphanumericDevicePasswordRequired** Optional. An integer value that specifies the complexity of the password or PIN allowed. -Valid values are one of the following: +Possible values include: - 0 - Alphanumeric password required - 1 - Users can choose a numeric or alphanumeric password 
@@ -93,28 +119,28 @@ Deprecated in Windows 10. Deprecated in Windows 10. ***ProviderID*/MaxDevicePasswordFailedAttempts** -Optional. An integer value that specifies the number of authentication failures allowed before the device will be wiped. Valid values are 0 to 999. The default value is 0, which indicates the device will not be wiped regardless of the number of authentication failures. +Optional. An integer value that specifies the number of authentication failures allowed before the device will be wiped. Valid values are 0 to 999. The default value is 0, which indicates the device won't be wiped, whatever the number of authentication failures. Invalid values are treated as a configuration failure. The scope is dynamic. Supported operations are Get, Add, and Replace. ***ProviderID*/MaxInactivityTimeDeviceLock** -Optional. An integer value that specifies the amount of time (in minutes) that the device can remain idle before it is password locked. Valid values are 0 to 999. A value of 0 indicates no time-out is specified. In this case, the maximum screen time-out allowed by the UI applies. +Optional. An integer value that specifies the amount of time (in minutes) that the device can remain idle before it's password locked. Valid values are 0 to 999. A value of 0 indicates no time-out is specified. In this case, the maximum screen time-out allowed by the UI applies. Invalid values are treated as a configuration failure. The scope is dynamic. Supported operations are Get, Add, and Replace. ***ProviderID*/MinDevicePasswordComplexCharacters** -Optional. An integer value that specifies the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong password. Valid values are 1 to 4 for mobile and 1 to 3 for desktop. The default value is 1. +Optional. An integer value that specifies the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong password. 
Valid values are 1 to 3 for Windows client. The default value is 1. Invalid values are treated as a configuration failure. The scope is dynamic. Supported operations are Get, Add, and Replace. **DeviceValue** -Required. A permanent node that groups the policy values applied to the device. The server can query this node to discover what policy values are actually applied to the device. The scope is permanent. +Required. A permanent node that groups the policy values applied to the device. The server can query this node to discover what policy values are applied to the device. The scope is permanent. Supported operation is Get. @@ -264,31 +290,21 @@ All node values under the **ProviderID** interior node represent the policy valu - An **Add** or **Replace** command on those nodes returns success in the following cases: - - The value is actually applied to the device. + - The value is applied to the device. - The value isn't applied to the device because the device has a more secure value set already. - From a security perspective, the device complies with the policy request that is at least as secure as the one requested. + From a security perspective, the device complies with the policy request that's at least as secure as the one requested. - A **Get** command on those nodes returns the value the server pushes down to the device. - If a **Replace** command fails, the node value is set back to the value that was to be replaced. -- If an **Add** command fails, the node is not created. +- If an **Add** command fails, the node isn't created. The value applied to the device can be queried via the nodes under the **DeviceValue** interior node. -## Related topics +## Related articles [Configuration service provider reference](configuration-service-provider-reference.md) - -  - -  - - - - - - diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index f861b2d2e4..49ae03d4b5 100644 
--- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -246,10 +246,10 @@ Added in Windows, version 1607. Integer that specifies the status of the antisp Valid values: -- 0 - The status of the security provider category is good and does not need user attention. -- 1 - The status of the security provider category is not monitored by Windows Security Center (WSC). -- 2 - The status of the security provider category is poor and the computer may be at risk. -- 3 - The security provider category is in snooze state. Snooze indicates that WSC is not actively protecting the computer. +- 0 - The status of the security provider category is good and does not need user attention. +- 1 - The status of the security provider category is not monitored by Windows Security. +- 2 - The status of the security provider category is poor and the computer may be at risk. +- 3 - The security provider category is in snooze state. Snooze indicates that the Windows Security Service is not actively protecting the computer. Supported operation is Get. diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index b8ddb3ffeb..592daf59ec 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md 
@@ -15,14 +15,15 @@ ms.date: 11/01/2017 # DMClient CSP -The DMClient configuration service provider (CSP) is used to specify additional enterprise-specific mobile device management (MDM) configuration settings for identifying the device in the enterprise domain, for security mitigation for certificate renewal, and for server-triggered enterprise unenrollment. +The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment. -The following shows the DMClient CSP in tree format. -``` +The following information shows the DMClient CSP in tree format. + +```console ./Vendor/MSFT DMClient ----Provider --------- +--------ProviderID ------------EntDeviceName ------------ExchangeID ------------EntDMID @@ -45,6 +46,10 @@ DMClient ------------HWDevID ------------ManagementServerAddressList ------------CommercialID +------------ConfigLock +----------------Lock +----------------UnlockDuration +----------------SecureCore ------------Push ----------------PFN ----------------ChannelURI 
@@ -68,7 +73,7 @@ All the nodes in this CSP are supported in the device context, except for the ** Root node for the CSP. **UpdateManagementServiceAddress** -For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node. +For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You can't add new servers to the list using this node. **HWDevID** Added in Windows 10, version 1703. Returns the hardware device ID. 
@@ -81,28 +86,31 @@ Required. The root node for all settings that belong to a single management serv Supported operation is Get. **Provider/***ProviderID* -Required. This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesn’t require XML/URI escaping. +Required. This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. This value is set and controlled by the MDM provider. As a best practice, use text that doesn’t require XML/URI escaping. Supported operations are Get and Add. **Provider/*ProviderID*/EntDeviceName** -Optional. Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session. +Optional. Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process using the DMClient CSP. You can retrieve it later during an OMA DM session. Supported operations are Get and Add. **Provider/*ProviderID*/EntDMID** -Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session. +Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process using the DMClient CSP. You can retrieve it later during an OMA DM session. Supported operations are Get and Add. > [!NOTE] -> Although hardware device IDs are guaranteed to be unique, there is a concern that this is not ultimately enforceable during a DM session. 
The device ID could be changed through the w7 APPLICATION CSP’s **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server. +> Although hardware device IDs are guaranteed to be unique, there's a concern that this isn't ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSP’s **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server. This node is required and must be set by the server before the client certificate renewal is triggered. **Provider/*ProviderID*/ExchangeID** -Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. This is useful for the enterprise management server to correlate and merge records for a device that is managed by exchange and natively managed by a dedicated management server. +Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. The enterprise management server can correlate and merge records for: + +- A device that's managed by Exchange. +- A device that's natively managed by a dedicated management server. > [!NOTE] > In some cases for the desktop, this node will return "not found" until the user sets up their email. @@ -111,7 +119,7 @@ Optional. Character string that contains the unique Exchange device ID used by t Supported operation is Get. -The following is a Get command example. +The following XML is a Get command example: ```xml 
@@ -124,13 +132,8 @@ The following is a Get command example. ``` -**Provider/*ProviderID*/PublisherDeviceID** -(Only for Windows 10 Mobile.) Optional. The PublisherDeviceID is a device-unique ID created based on the enterprise Publisher ID. Publisher ID is created based on the enterprise application token and enterprise ID via ./Vendor/MSFT/EnterpriseAppManagement/<enterprise id>/EnrollmentToken. It is to ensure that for one enterprise, each device has a unique ID associated with it. For the same device, if it has multiple enterprises’ applications, each enterprise is identified differently. - -Supported operation is Get. - **Provider/*ProviderID*/SignedEntDMID** -Optional. Character string that contains the device ID. This node and the nodes **CertRenewTimeStamp** can be used by the MDM server to verify client identity in order to update the registration record after the device certificate is renewed. The device signs the **EntDMID** with the old client certificate during the certificate renewal process and saves the signature locally. +Optional. Character string that contains the device ID. This node and the nodes **CertRenewTimeStamp** can be used by the MDM provider to verify client identity to update the registration record after the device certificate is renewed. The device signs the **EntDMID** with the old client certificate during the certificate renewal process and saves the signature locally. Supported operation is Get. 
@@ -140,57 +143,61 @@ Optional. The time in OMA DM standard time format. This node is designed to redu Supported operation is Get. **Provider/*ProviderID*/ManagementServiceAddress** -Required. The character string that contains the device management server address. It can be updated during an OMA DM session by the management server to allow the server to load balance to another server in situations where too many devices are connected to the server. +Required. The character string that contains the device management server address. It can be updated during an OMA DM session by the management server. It allows the server to load balance to another server when too many devices are connected to the server. > [!NOTE] > When the **ManagementServerAddressList** value is set, the device ignores the value. -The DMClient CSP will save the address to the same location as the w7 and DMS CSPs to ensure the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped via the [w7 APPLICATION configuration service provider](w7-application-csp.md). +The DMClient CSP will save the address to the same location as the w7 and DMS CSPs. The save ensures the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped using the [w7 APPLICATION configuration service provider](w7-application-csp.md). -Starting in Windows 10, version 1511, this node supports multiple server addresses in the format <URL1><URL2><URL3>. If there is only a single URL, then the <> are not required. This is supported for both desktop and mobile devices. +Starting in Windows 10, version 1511, this node supports multiple server addresses in the format <URL1><URL2><URL3>. If there's only a single URL, then the <> aren't required. This feature is supported on Windows client devices. 
During a DM session, the device will use the first address on the list and then keep going down the list until a successful connection is achieved. The DM client should cache the successfully connected server URL for the next session. Supported operations are Add, Get, and Replace. **Provider/*ProviderID*/UPN** -Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This is useful in scenarios where the user email address changes in the identity system, or in the scenario where the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN. +Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This information is useful when the user email address changes in the identity system. Or, when the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN. Supported operations are Get and Replace. **Provider/*ProviderID*/HelpPhoneNumber** -Optional. The character string that allows the user experience to include a customized help phone number that the end user will be able to view and use if they need help or support. +Optional. The character string that allows the user experience to include a customized help phone number. Users can see this information if they need help or support. Supported operations are Get, Replace, and Delete. **Provider/*ProviderID*/HelpWebsite** -Optional. The character string that allows the user experience to include a customized help website that the end user will be able to view and use if they need help or support. +Optional. The character string that allows the user experience to include a customized help website. Users can see this information if they need help or support. 
Supported operations are Get, Replace, and Delete **Provider/*ProviderID*/HelpEmailAddress** -Optional. The character string that allows the user experience to include a customized help email address that the end user will be able to view and use if they need help or support. +Optional. The character string that allows the user experience to include a customized help email address. Users can see this information if they need help or support. Supported operations are Get, Replace, and Delete. **Provider/*ProviderID*/RequireMessageSigning** -Boolean type. Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included as part of the authenticated attributes in the signature. +Boolean type. Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included in the authenticated attributes in the signature. 
-Default value is false, where the device management client does not include authentication information in the management session HTTP header. Optionally set to true, where the client authentication information is provided in the management session HTTP header. +Default value is false, where the device management client doesn't include authentication information in the management session HTTP header. Optionally set to true, where the client authentication information is provided in the management session HTTP header. -When enabled, the MDM server should validate the signature and the timestamp using the device identify certificate enrolled as part of MS-MDE, ensure the certificate and time are valid, and verify that the signature is trusted by the MDM server. +When enabled, the MDM provider should: + +- Validate the signature and the timestamp using the device identify certificate enrolled as part of Mobile Device Enrollment protocol (MS-MDE). +- Ensure the certificate and time are valid. +- Verify that the signature is trusted by the MDM provider. Supported operations are Get, Replace, and Delete. **Provider/*ProviderID*/SyncApplicationVersion** -Optional. Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there is a client behavior change between 1.0 and 2.0. +Optional. Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there's a client behavior change between 1.0 and 2.0. > [!NOTE] > This node is only supported in Windows 10 and later. 
-Once you set the value to 2.0, it will not go back to 1.0. +Once you set the value to 2.0, it won't go back to 1.0. 
@@ -204,18 +211,18 @@ When you query this node, a Windows 10 client will return 2.0 and a Windows 8. Supported operation is Get. **Provider/*ProviderID*/AADResourceID** -Optional. This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access. +Optional. This ResourceID is used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you're trying to access. For more information about Azure AD enrollment, see [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md). **Provider/*ProviderID*/EnableOmaDmKeepAliveMessage** Added in Windows 10, version 1511. A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow. -When the server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending. +When the server sends a configuration request, the client can take longer than the HTTP timeout to get all information together. The session might end unexpectedly because of the timeout. By default, the MDM client doesn't send an alert that a DM request is pending. -To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. 
This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information. +To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. Send a SyncML message with a specific device alert element in the body until the client can respond back to the server with the requested information. -Here is an example of DM message sent by the device when it is in pending state: +Here's an example of DM message sent by the device when it's in pending state: ```xml 
@@ -262,12 +269,12 @@ Added in Windows 10, version 1607. Returns the hardware device ID. Supported operation is Get. **Provider/*ProviderID*/CommercialID** -Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization. +Added in Windows 10, version 1607. It configures the identifier that uniquely associates the device's diagnostic data belonging to the organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization, then use this setting to provide that identification. The value for this setting is provided by Microsoft in the onboarding process for the program. If you disable or don't configure this policy setting, then Microsoft can't use this identifier to associate this machine and its diagnostic data with your organization. Supported operations are Add, Get, Replace, and Delete. **Provider/*ProviderID*/ManagementServerAddressList** -Added in Windows 10, version 1607. The list of management server URLs in the format <URL1><URL2><URL3>, and so on. If there is only one, the angle brackets (<>) are not required. +Added in Windows 10, version 1607. The list of management server URLs in the format <URL1><URL2><URL3>, and so on. If there's only one, the angle brackets (<>) aren't required. > [!NOTE] > The < and > should be escaped. 
@@ -290,12 +297,12 @@ Added in Windows 10, version 1607. The list of management server URLs in the fo If ManagementServerAddressList node is set, the device will only use the server URL configured in this node and ignore the ManagementServiceAddress value. -When the server is not responding after a specified number of retries, the device tries to use the next server URL in the list until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first on in the list. +When the server isn't responding after a specified number of retries, the device tries to use the next server URL in the list. It keeps trying until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first one in the list. Supported operations are Get and Replace. Value type is string. **Provider/*ProviderID*/ManagementServerToUpgradeTo** -Optional. Added in Windows 10, version 1703. Specify the Discovery server URL of the MDM server to upgrade to for a Mobile Application Management (MAM) enrolled device. +Optional. Added in Windows 10, version 1703. Specify the Discovery server URL of the MDM provider to upgrade to for a Mobile Application Management (MAM) enrolled device. Supported operations are Add, Delete, Get, and Replace. Value type is string. 
@@ -306,310 +313,167 @@ Supported operations are Add, Delete, Get, and Replace. Value type is integer. **Provider/*ProviderID*/AADSendDeviceToken** -Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token cannot be obtained. +Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this feature will cause the client to send a Device Token if the User Token can't be obtained. Supported operations are Add, Delete, Get, and Replace. Value type is bool. **Provider/*ProviderID*/Poll** -Optional. Polling schedules must utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated. +Optional. Polling schedules must use the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated. Supported operations are Get and Add. -There are three schedules managed under the Poll node which enable a rich polling schedule experience to provide greater flexibility in managing the way in which devices poll the management server. There are a variety of ways in which polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules in order to restore the polling schedules back to a valid configuration. +There are three schedules managed under the Poll node. They enable a rich polling schedule experience to provide greater flexibility in managing the way devices poll the management server. There are various ways that polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules to restore the polling schedules back to a valid configuration. -If there is no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window. 
+If there's no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window. **Valid poll schedule: sigmoid polling schedule with infinite schedule (Recommended).** - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Schedule nameSchedule set by the serverActual value queried on device

                    IntervalForFirstSetOfRetries

                    15

                    15

                    NumberOfFirstRetries

                    5

                    5

                    IntervalForSecondSetOfRetries

                    60

                    60

                    NumberOfSecondRetries

                    10

                    10

                    IntervalForRemainingScheduledRetries

                    1440

                    1440

                    NumberOfRemainingScheduledRetries

                    0

                    0

                    +|Schedule name|Schedule set by the server|Actual value queried on device| +|--- |--- |--- | +|IntervalForFirstSetOfRetries|15|15| +|NumberOfFirstRetries|5|5| +|IntervalForSecondSetOfRetries|60|60| +|NumberOfSecondRetries|10|10| +|IntervalForRemainingScheduledRetries|1440|1440| +|NumberOfRemainingScheduledRetries|0|0| - +**Valid poll schedule: initial enrollment only [no infinite schedule]** -**Valid poll schedule: initial enrollment only \[no infinite schedule\]** - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Schedule nameSchedule set by the serverActual value queried on device

                    IntervalForFirstSetOfRetries

                    15

                    15

                    NumberOfFirstRetries

                    5

                    5

                    IntervalForSecondSetOfRetries

                    60

                    60

                    NumberOfSecondRetries

                    10

                    10

                    IntervalForRemainingScheduledRetries

                    0

                    0

                    NumberOfRemainingScheduledRetries

                    0

                    0

                    - - +|Schedule name|Schedule set by the server|Actual value queried on device| +|--- |--- |--- | +|IntervalForFirstSetOfRetries|15|15| +|NumberOfFirstRetries|5|5| +|IntervalForSecondSetOfRetries|60|60| +|NumberOfSecondRetries|10|10| +|IntervalForRemainingScheduledRetries|0|0| +|NumberOfRemainingScheduledRetries|0|0| **Invalid poll schedule: disable all poll schedules** > [!NOTE] > Disabling poll schedules results in UNDEFINED behavior and enrollment may fail if poll schedules are all set to zero. +|Schedule name|Schedule set by the server|Actual value queried on device| +|--- |--- |--- | +|IntervalForFirstSetOfRetries|0|0| +|NumberOfFirstRetries|0|0| +|IntervalForSecondSetOfRetries|0|0| +|NumberOfSecondRetries|0|0| +|IntervalForRemainingScheduledRetries|0|0| +|NumberOfRemainingScheduledRetries|0|0| - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Schedule nameSchedule set by the serverActual value queried on device

                    IntervalForFirstSetOfRetries

                    0

                    0

                    NumberOfFirstRetries

                    0

                    0

                    IntervalForSecondSetOfRetries

                    0

                    0

                    NumberOfSecondRetries

                    0

                    0

                    IntervalForRemainingScheduledRetries

                    0

                    0

                    NumberOfRemainingScheduledRetries

                    0

                    0

                    - - - **Invalid poll schedule: two infinite schedules** - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Schedule nameSchedule set by serverActual schedule set on deviceActual experience

                    IntervalForFirstSetOfRetries

                    15

                    15

                    Device polls

                    NumberOfFirstRetries

                    5

                    5

                    Device polls

                    IntervalForSecondSetOfRetries

                    1440

                    1440

                    Device polls the server once in 24 hours

                    NumberOfSecondRetries

                    0

                    0

                    Device polls the server once in 24 hours

                    IntervalForRemainingScheduledRetries

                    1440

                    0

                    Third schedule is disabled

                    NumberOfRemainingScheduledRetries

                    0

                    0

                    Third schedule is disabled

                    +|Schedule name|Schedule set by server|Actual schedule set on device|Actual experience| +|--- |--- |--- |--- | +|IntervalForFirstSetOfRetries|15|15|Device polls| +|NumberOfFirstRetries|5|5|Device polls| +|IntervalForSecondSetOfRetries|1440|1440|Device polls the server once in 24 hours| +|NumberOfSecondRetries|0|0|Device polls the server once in 24 hours| +|IntervalForRemainingScheduledRetries|1440|0|Third schedule is disabled| +|NumberOfRemainingScheduledRetries|0|0|Third schedule is disabled| - +If the device was previously enrolled in MDM with polling schedule configured using the registry key values directly, the MDM provider that supports using DMClient CSP to update polling schedule must first send an Add command to add a **./Vendor/MSFT/DMClient/Enrollment/<ProviderID>/Poll** node before it sends a Get/Replace command to query or update polling parameters using the DMClient CSP -If the device was previously enrolled in MDM with polling schedule configured via registry key values directly, the MDM server that supports using DMClient CSP to update polling schedule must first send an Add command to add a **./Vendor/MSFT/DMClient/Enrollment/<ProviderID>/Poll** node before it sends a Get/Replace command to query or update polling parameters via DMClient CSP - -When using the DMClient CSP to configure polling schedule parameters, the server must not set all six polling parameters to 0, or set all 3 number of retry nodes to 0 because it will cause a configuration failure. +When using the DMClient CSP to configure polling schedule parameters, the server must not set all six polling parameters to 0, or set all three number of retry nodes to 0. It will cause a configuration failure. **Provider/*ProviderID*/Poll/IntervalForFirstSetOfRetries** -Optional. The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /<ProviderID>/Poll/NumberOfFirstRetries. 
If IntervalForFirstSetOfRetries is not set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled. +Optional. The waiting time (in minutes) for the initial set of retries, which is the number of retries in `//Poll/NumberOfFirstRetries`. If IntervalForFirstSetOfRetries isn't set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled. Supported operations are Get and Replace. -The IntervalForFirstSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxRetryInterval path that previously utilized the Registry CSP. +The IntervalForFirstSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxRetryInterval path that previously used the Registry CSP. **Provider/*ProviderID*/Poll/NumberOfFirstRetries** -Optional. The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value is not 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule will not set in this case. The default value is 10. +Optional. The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value isn't 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule won't set in this case. The default value is 10. Supported operations are Get and Replace. -The NumberOfFirstRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxNumRetries path that previously utilized the Registry CSP. 
+The NumberOfFirstRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxNumRetries path that previously used the Registry CSP. -The first set of retries is intended to give the management server some buffered time to be ready to send policies and settings configuration to the device. The total time for first set of retries should not be more than a few hours. The server should not set NumberOfFirstRetries to be 0. RemainingScheduledRetries is used for the long run device polling schedule. +The first set of retries gives the management server some buffered time to be ready to send policy and setting configurations to the device. The total time for first set of retries shouldn't be more than a few hours. The server shouldn't set NumberOfFirstRetries to 0. RemainingScheduledRetries is used for the long run device polling schedule. **Provider/*ProviderID*/Poll/IntervalForSecondSetOfRetries** -Optional. The waiting time (in minutes) for the second set of retries as specified by the number of retries in /<ProviderID>/Poll/NumberOfSecondRetries. Default value is 0. If this value is set to zero, then this schedule is disabled. +Optional. The waiting time (in minutes) for the second set of retries, which is the number of retries in `//Poll/NumberOfSecondRetries`. Default value is 0. If this value is set to zero, then this schedule is disabled. Supported operations are Get and Replace. -The IntervalForSecondSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\RetryInterval path that previously utilized the Registry CSP. +The IntervalForSecondSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\RetryInterval path that previously used the Registry CSP. **Provider/*ProviderID*/Poll/NumberOfSecondRetries** -Optional. 
The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries is not set to 0 AND the first set of retries is not set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled. +Optional. The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries isn't set to 0 AND the first set of retries isn't set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled. Supported operations are Get and Replace. -The NumberOfSecondRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\NumRetries path that previously utilized the Registry CSP. +The NumberOfSecondRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\NumRetries path that previously used the Registry CSP. The second set of retries is also optional and temporarily retries that the total duration should be last for more than a day. And the IntervalForSecondSetOfRetries should be longer than IntervalForFirstSetOfRetries. RemainingScheduledRetries is used for the long run device polling schedule. **Provider/*ProviderID*/Poll/IntervalForRemainingScheduledRetries** -Optional. The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /<ProviderID>/Poll/NumberOfRemainingScheduledRetries. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled. +Optional. 
The waiting time (in minutes) for the initial set of retries, which is the number of retries in `//Poll/NumberOfRemainingScheduledRetries`. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled. Supported operations are Get and Replace. -The IntervalForRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2RetryInterval path that previously utilized the Registry CSP. +The IntervalForRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2RetryInterval path that previously used the Registry CSP. **Provider/*ProviderID*/Poll/NumberOfRemainingScheduledRetries** -Optional. The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries are not set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled. +Optional. The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries aren't set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled. Supported operations are Get and Replace. -The NumberOfRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2NumRetries path that previously utilized the Registry CSP. 
+The NumberOfRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2NumRetries path that previously used the Registry CSP. -The RemainingScheduledRetries is used for the long run device polling schedule. IntervalForRemainingScheduledRetries should not be set smaller than 1440 minutes (24 hours) in Windows Phone 8.1 device. Windows Phone 8.1 supports MDM server push. +The RemainingScheduledRetries is used for the long run device polling schedule. **Provider/*ProviderID*/Poll/PollOnLogin** -Optional. Boolean value that allows the IT admin to require the device to start a management session on any user login, regardless of if the user has preciously logged in. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false. +Optional. Boolean value that allows the IT admin to require the device to start a management session on any user login, even if the user has previously logged in. Login isn't the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false. Supported operations are Add, Get, and Replace. **Provider/*ProviderID*/Poll/AllUsersPollOnFirstLogin** -Optional. Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system; subsequent logins will not trigger an MDM session. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false. +Optional. Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system. Later sign-ins won't trigger an MDM session. Login isn't the same as device unlock. 
Default value is false, where polling is disabled on first login. Supported values are true or false. Supported operations are Add, Get, and Replace. +**Provider/*ProviderID*/ConfigLock** + +Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected. + +Default = Locked + +> [!Note] +>If the device isn't a Secured-core PC, then this feature won't work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure). + +**Provider/*ProviderID*/ConfigLock/Lock** + +The supported values for this node are 0-unlock, 1-lock. + +Supported operations are Add, Delete, Get. + +**Provider/*ProviderID*/ConfigLock/UnlockDuration** + +The supported values for this node are 1 to 480 (in min). + +Supported operations are Add, Delete, Get. + +**Provider/*ProviderID*/ConfigLock/SecureCore** + +The supported values for this node are false or true. + +Supported operation is Get only. + **Provider/*ProviderID*/Push** Optional. Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported. Supported operations are Add and Delete. **Provider/*ProviderID*/Push/PFN** -Required. A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it is managing. +Required. A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it's managing. Supported operations are Add, Get, and Replace. **Provider/*ProviderID*/Push/ChannelURI** -Required. A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null. +Required. 
A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device, based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null. Supported operation is Get. @@ -620,58 +484,17 @@ Supported operation is Get. The status error mapping is listed below. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    StatusDescription

                    0

                    Success

                    1

                    Failure: invalid PFN

                    2

                    Failure: invalid or expired device authentication with MSA

                    3

                    Failure: WNS client registration failed due to an invalid or revoked PFN

                    4

                    Failure: no Channel URI assigned

                    5

                    Failure: Channel URI has expired

                    6

                    Failure: Channel URI failed to be revoked

                    7

                    Failure: push notification received, but unable to establish an OMA-DM session due to power or connectivity limitations.

                    8

                    Unknown error

                    - - +|Status|Description| +|--- |--- | +|0|Success| +|1|Failure: invalid PFN| +|2|Failure: invalid or expired device authentication with MSA| +|3|Failure: WNS client registration failed due to an invalid or revoked PFN| +|4|Failure: no Channel URI assigned| +|5|Failure: Channel URI has expired| +|6|Failure: Channel URI failed to be revoked| +|7|Failure: push notification received, but unable to establish an OMA-DM session due to power or connectivity limitations.| +|8|Unknown error| **Provider/*ProviderID*/CustomEnrollmentCompletePage** Optional. Added in Windows 10, version 1703. @@ -689,12 +512,12 @@ Optional. Added in Windows 10, version 1703. Specifies the body text of the all Supported operations are Add, Delete, Get, and Replace. Value type is string. **Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkHref** -Optional. Added in Windows 10, version 1703. Specifies the URL that is shown at the end of the MDM enrollment flow. +Optional. Added in Windows 10, version 1703. Specifies the URL that's shown at the end of the MDM enrollment flow. Supported operations are Add, Delete, Get, and Replace. Value type is string. **Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkText** -Optional. Added in Windows 10, version 1703. Specifies the display text for the URL that is shown at the end of the MDM enrollment flow. +Optional. Added in Windows 10, version 1703. Specifies the display text for the URL that's shown at the end of the MDM enrollment flow. Supported operations are Add, Delete, Get, and Replace. Value type is string. 
@@ -702,39 +525,39 @@ Supported operations are Add, Delete, Get, and Replace. Value type is string. Optional node. Added in Windows 10, version 1709. **Provider/*ProviderID*/FirstSyncStatus/ExpectedPolicies** -Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). +Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to configure, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). Supported operations are Add, Delete, Get, and Replace. Value type is string. **Provider/*ProviderID*/FirstSyncStatus/ExpectedNetworkProfiles** -Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the management service provider expects to provision, delimited by the character L"\xF000". +Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the management service provider expects to configure, delimited by the character L"\xF000". Supported operations are Add, Delete, Get, and Replace. Value type is string. **Provider/*ProviderID*/FirstSyncStatus/ExpectedMSIAppPackages** -Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We will not verify that number. 
For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps. +Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps. Supported operations are Add, Delete, Get, and Replace. Value type is string. **Provider/*ProviderID*/FirstSyncStatus/ExpectedModernAppPackages** -Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. For example, +Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. 
For example, ``` syntax ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 ``` -This represents App Package PackageFullName containing four apps, and PackageFullName2 containing two apps. +This syntax represents App Package PackageFullName containing four apps, and PackageFullName2 containing two apps. Supported operations are Add, Delete, Get, and Replace. Value type is string. **Provider/*ProviderID*/FirstSyncStatus/ExpectedPFXCerts** -Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). +Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). Supported operations are Add, Delete, Get, and Replace. Value type is string. **Provider/*ProviderID*/FirstSyncStatus/ExpectedSCEPCerts** -Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). +Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). Supported operations are Add, Delete, Get, and Replace. Value type is string. 
@@ -744,42 +567,42 @@ Required. Added in Windows 10, version 1709. This node determines how long we wi Supported operations are Get and Replace. Value type is integer. **Provider/*ProviderID*/FirstSyncStatus/ServerHasFinishedProvisioning** -Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists. +Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished configuring the device. It was added so that the server can “change its mind" about what it needs to configure on the device. When this node is set, many other DM Client nodes can't be changed. If this node isn't True, the UX will consider the configuration a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists. Supported operations are Get and Replace. Value type is boolean. **Provider/*ProviderID*/FirstSyncStatus/IsSyncDone** -Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). 
This node only applies to the user MDM status page (on a per user basis). +Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully configured. `Set` triggers the UX to override whatever state it's in, and tell the user that the device is configured. It can't be set from True to False (it won't change its mind if the sync is done), and it can't be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis). Supported operations are Get and Replace. Value type is boolean. **Provider/*ProviderID*/FirstSyncStatus/WasDeviceSuccessfullyProvisioned** -Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis). +Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully configured. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value can't be changed again. The client will change the value of success or failure and update the node. The server can force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis). Supported operations are Get and Replace. Value type is integer. **Provider/*ProviderID*/FirstSyncStatus/BlockInStatusPage** -Required. Device Only. Added in Windows 10, version 1803. 
This node determines whether or not the MDM progress page is blocking in the Azure AD joined or DJ++ case, as well as which remediation options are available. +Required. Device Only. Added in Windows 10, version 1803. This node determines if the MDM progress page is blocking in the Azure AD joined or DJ++ case, and which remediation options are available. Supported operations are Get and Replace. Value type is integer. **Provider/*ProviderID*/FirstSyncStatus/AllowCollectLogsButton** -Required. Added in Windows 10, version 1803. This node decides whether or not the MDM progress page displays the Collect Logs button. +Required. Added in Windows 10, version 1803. This node decides if the MDM progress page displays the Collect Logs button. Supported operations are Get and Replace. Value type is bool. **Provider/*ProviderID*/FirstSyncStatus/CustomErrorText** -Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. +Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do if there's an error. Supported operations are Add, Get, Delete, and Replace. Value type is string. **Provider/*ProviderID*/FirstSyncStatus/SkipDeviceStatusPage** -Required. Device only. Added in Windows 10, version 1803. This node decides whether or not the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE. +Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE. Supported operations are Get and Replace. Value type is bool. **Provider/*ProviderID*/FirstSyncStatus/SkipUserStatusPage** -Required. Device only. Added in Windows 10, version 1803. This node decides whether or not the MDM user progress page skips after Azure AD joined or DJ++ after user login. +Required. Device only. 
Added in Windows 10, version 1803. This node decides if the MDM user progress page skips after Azure AD joined or DJ++ after user login. Supported operations are Get and Replace. Value type is bool. @@ -789,12 +612,12 @@ Required node. Added in Windows 10, version 1709. Supported operation is Get. **Provider/*ProviderID*/EnhancedAppLayerSecurity/SecurityMode** -Required. Added in Windows 10, version 1709. This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0. +Required. Added in Windows 10, version 1709. This node specifies how the client will do the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0. Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Provider/*ProviderID*/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline** -Required. Added in Windows 10, version 1709. This node, when it is set, tells the client to use the certificate even when the client cannot check the certificate's revocation status because the device is offline. The default value is set. +Required. Added in Windows 10, version 1709. When this node is set, it tells the client to use the certificate even when the client can't check the certificate's revocation status because the device is offline. The default value is set. Supported operations are Add, Get, Replace, and Delete. Value type is boolean. 
@@ -809,13 +632,13 @@ Required. Added in Windows 10, version 1709. The node contains the secondary cer Supported operations are Add, Get, Replace, and Delete. Value type is string. **Provider/*ProviderID*/Unenroll** -Required. The node accepts unenrollment requests by way of the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `` tag under the `` element. Scope is permanent. +Required. The node accepts unenrollment requests using the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `` tag under the `` element. Scope is permanent. Supported operations are Get and Exec. -Note that <LocURI>./Vendor/MSFT/DMClient/Unenroll</LocURI> is supported for backward compatibility. +<LocURI>./Vendor/MSFT/DMClient/Unenroll</LocURI> is supported for backward compatibility. -The following SyncML shows how to remotely unenroll the device. Note that this command should be inserted in the general DM packages sent from the server to the device. +The following SyncML shows how to remotely unenroll the device. This command should be inserted in the general DM packages sent from the server to the device. ```xml @@ -833,17 +656,7 @@ The following SyncML shows how to remotely unenroll the device. Note that this c ``` -## Related topics +## Related articles [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md index 8290fa7eea..1dbe4932a9 100644 --- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md +++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md 
@@ -25,26 +25,27 @@ ms.date: 06/26/2017 # DMProcessConfigXMLFiltered function > [!Important] -> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. Please see [Connectivity configuration](/previous-versions//dn757424(v=vs.85)) for more information about the new process for provisioning connectivity configuration. However, this function is still supported for other OEM uses. +> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. For more information about the new process for provisioning connectivity configuration, see [Connectivity configuration](/previous-versions//dn757424(v=vs.85)). However, this function is still supported for other OEM uses. Configures phone settings by using OMA Client Provisioning XML. Use of this function is strictly limited to the following scenarios. - Adding dynamic credentials for OMA Client Provisioning. -- Manufacturing test applications. These applications and the supporting drivers must be removed from the phones before they are sold. +- Manufacturing test applications. These applications and the supporting drivers must be removed from the phones before they're sold. -Microsoft recommends that this function is not used to configure the following types of settings. +Microsoft recommends that this function isn't used to configure the following types of settings: -- Security settings that are configured by using CertificateStore, SecurityPolicy, and RemoteWipe, unless they are related to OMA DM or OMA Client Provisioning security policies. +- Security settings that are configured using CertificateStore, SecurityPolicy, and RemoteWipe, unless they're related to OMA DM or OMA Client Provisioning security policies - Non-cellular data connection settings (such as Hotspot settings). -- File system files and registry settings, unless they are used for OMA DM account management, mobile operator data connection settings, or manufacturing tests. 
+- File system files and registry settings, unless they're used for OMA DM account management, mobile operator data connection settings, or manufacturing tests -- Email settings. +- Email settings -> **Note**  The **DMProcessConfigXMLFiltered** function has full functionality in Windows 10 Mobile and Windows Phone 8.1, but it has a read-only functionality in Windows 10 desktop. +> [!Note] +> The **DMProcessConfigXMLFiltered** function has full functionality in Windows Phone 8.1, but it has a read-only functionality in Windows 10. @@ -63,13 +64,13 @@ HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered( *pszXmlIn*

                      -
                    • [in] The null–terminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. DMProcessConfigXMLFiltered accepts only OMA Client Provisioning XML (also known as WAP provisioning). It does not accept OMA DM SyncML XML (also known as SyncML).
                    • +
                    • [in] The null–terminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. DMProcessConfigXMLFiltered accepts only OMA Client Provisioning XML (also known as WAP provisioning). It doesn't accept OMA DM SyncML XML (also known as SyncML).

                    *rgszAllowedCspNode*
                      -
                    • [in] Array of WCHAR\* that specify which configuration service provider nodes are allowed to be invoked.
                    • +
                    • [in] Array of WCHAR\* that specify which configuration service provider nodes can be invoked.

                    @@ -85,54 +86,25 @@ HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered(

                  -If **DMProcessConfigXMLFiltered** retrieves a document, the *pbstrXmlOut* holds the XML output (in string form) of the provisioning operations. If **DMProcessConfigXMLFiltered** returns a failure, the XML output often contains "error nodes" that indicate which elements of the original XML failed. If the input document does not contain queries and is successfully processed, the output document should resemble the input document. In some error cases, no output is returned. +If **DMProcessConfigXMLFiltered** retrieves a document, the *pbstrXmlOut* holds the XML output (in string form) of the provisioning operations. If **DMProcessConfigXMLFiltered** returns a failure, the XML output often contains "error nodes" that indicate which elements of the original XML failed. If the input document doesn't contain queries and is successfully processed, the output document should resemble the input document. In some error cases, no output is returned. ## Return value -Returns the standard **HRESULT** value **S\_OK** to indicate success. The following table shows the additional error codes that may be returned. +Returns the standard **HRESULT** value **S\_OK** to indicate success. The following table shows more error codes that can be returned: - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Return codeDescription

                  CONFIG_E_OBJECTBUSY

                  Another instance of the configuration management service is currently running.

                  CONFIG_E_ENTRYNOTFOUND

                  No metabase entry was found.

                  CONFIG_E_CSPEXCEPTION

                  An exception occurred in one of the configuration service providers.

                  CONFIG_E_TRANSACTIONINGFAILURE

                  A configuration service provider failed to roll back properly. The affected settings might be in an unknown state.

                  CONFIG_E_BAD_XML

                  The XML input is invalid or malformed.

                  - - +|Return code|Description| +|--- |--- | +|**CONFIG_E_OBJECTBUSY**|Another instance of the configuration management service is currently running.| +|**CONFIG_E_ENTRYNOTFOUND**|No metabase entry was found.| +|**CONFIG_E_CSPEXCEPTION**|An exception occurred in one of the configuration service providers.| +|**CONFIG_E_TRANSACTIONINGFAILURE**|A configuration service provider failed to roll back properly. The affected settings might be in an unknown state.| +|**CONFIG_E_BAD_XML**|The XML input is invalid or malformed.| ## Remarks -The processing of the XML is transactional; either the entire document gets processed successfully or none of the settings are processed. Therefore, the **DMProcessConfigXMLFiltered** function processes only one XML configuration request at a time. +The processing of the XML is transactional. Either the entire document gets processed successfully, or none of the settings are processed. So, the **DMProcessConfigXMLFiltered** function processes only one XML configuration request at a time. -The usage of **DMProcessConfigXMLFiltered** depends on the configuration service providers that are used. For example, if the input .provxml contains the following two settings: +The usage of **DMProcessConfigXMLFiltered** depends on the configuration service providers that are used. For example, if the input `.provxml` contains the following two settings: ``` XML 
@@ -163,9 +135,9 @@ LPCWSTR rgszAllowedCspNodes[] = }; ``` -This array of configuration service provider names indicates which .provxml contents should be present. If the provxml contains "EMAIL2" provisioning but *rgszAllowedCspNodes* does not contain EMAIL2, then **DMProcessConfigXMLFiltered** fails with an **E\_ACCESSDENIED** error code. +This array of configuration service provider names indicates which `.provxml` contents should be present. If the provxml contains "EMAIL2" provisioning but *rgszAllowedCspNodes* doesn't contain EMAIL2, then **DMProcessConfigXMLFiltered** fails with an **E\_ACCESSDENIED** error code. -The following code sample shows how this array would be passed in. Note that *szProvxmlContent* does not show the full XML contents for brevity. In actual usage, the "…" would contain the full XML string shown above. +The following code sample shows how this array would be passed in. The *szProvxmlContent* doesn't show the full XML contents for brevity. In actual usage, the "…" would contain the full XML string shown above. ``` C++ WCHAR szProvxmlContent[] = L"..."; @@ -189,38 +161,14 @@ if ( bstr != NULL ) ## Requirements - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - -

                  Minimum supported client

                  None supported

                  Minimum supported server

                  None supported

                  Minimum supported phone

                  Windows Phone 8.1

                  Header

                  Dmprocessxmlfiltered.h

                  Library

                  Dmprocessxmlfiltered.lib

                  DLL

                  Dmprocessxmlfiltered.dll

                  +|Requirement|Support| +|--- |--- | +|Minimum supported client|None supported| +|Minimum supported server|None supported| +|Minimum supported phone|Windows Phone 8.1| +|Header|Dmprocessxmlfiltered.h| +|Library|Dmprocessxmlfiltered.lib| +|DLL|Dmprocessxmlfiltered.dll| ## See also diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md index f3e4080512..de7b12c65f 100644 --- a/windows/client-management/mdm/email2-csp.md +++ b/windows/client-management/mdm/email2-csp.md @@ -17,13 +17,14 @@ ms.date: 06/26/2017 The EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts. -> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_MAIL capabilities to be accessed from a network configuration application. -On the desktop, only per user configuration is supported. +> [!Note] +> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_MAIL capabilities to be accessed from a network configuration application. -  +On Windows client, only per user configuration is supported.  -The following shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. -``` +The following information shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. + +```console ./Vendor/MSFT EMAIL2 ----Account GUID 
@@ -60,9 +61,10 @@ EMAIL2 ------------8128000B ------------812C000B ``` -In Windows 10 Mobile, after the user’s out of box experience, an OEM or mobile operator can use the EMAIL2 configuration service provider to provision the device with a mobile operator’s proprietary mail over the air. After provisioning, the **Start** screen has a tile for the proprietary mail provider and there is also a link to it in the applications list under **Settings, email & accounts**. After an account has been updated over-the-air by the EMAIL2 CSP, the device must be powered off and then powered back on to see the sync status. -Configuration data is not encrypted when sent over the air (OTA). Be aware that this is a potential security risk when sending sensitive configuration data, such as passwords. +After provisioning, the **Start** screen has a tile for the proprietary mail provider and there's also a link to it in the applications list under **Settings, email & accounts**. After an account has been updated over-the-air by the EMAIL2 CSP, the device must be powered off and then powered back on to see the sync status. + +Configuration data isn't encrypted when sent over the air (OTA). This is a potential security risk when sending sensitive configuration data, such as passwords. > [!IMPORTANT] > All Add and Replace commands need to be wrapped in an Atomic section. 
@@ -73,7 +75,7 @@ The configuration service provider root node. Supported operation is Get. ***GUID*** -Defines a specific email account. A globally unique identifier (GUID) must be generated for each email account on the device. Provisioning with an account that has the same GUID as an existing one does not create the new account and Add command will fail in this case. +Defines a specific email account. A globally unique identifier (GUID) must be generated for each email account on the device. Provisioning with an account that has the same GUID as an existing one doesn't create the new account and Add command will fail in this case. Supported operations are Get, Add, and Delete. 
@@ -86,14 +88,14 @@ The braces {} around the GUID are required in the EMAIL2 configuration service p **ACCOUNTICON** Optional. Returns the location of the icon associated with the account. -Supported operations are Get, Add, Replace and Delete. +Supported operations are Get, Add, Replace, and Delete. -The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings, email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired. +The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings, email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added. **ACCOUNTTYPE** Required. Specifies the type of account. -Supported operations are Get, Add, Replace and Delete. +Supported operations are Get, Add, Replace, and Delete. Valid values are: 
@@ -104,60 +106,61 @@ Valid values are: **AUTHNAME** Required. Character string that specifies the name used to authorize the user to a specific email account (also known as the user's logon name). -Supported operations are Get, Add, Replace and Delete. +Supported operations are Get, Add, Replace, and Delete. **AUTHREQUIRED** Optional. Character string that specifies whether the outgoing server requires authentication. -Supported operations are Get, Add, Replace and Delete. +Supported operations are Get, Add, Replace, and Delete. -Valid values are one of the following: +Value options: -- 0 - Server authentication is not required. +- 0 - Server authentication isn't required. - 1 - Server authentication is required. -> **Note**  If this value is not specified, then no SMTP authentication is done. Also, this is different from SMTPALTENABLED. +> [!NOTE] +> If this value isn't specified, then no SMTP authentication is done. Also, this is different from SMTPALTENABLED.   **AUTHSECRET** Optional. Character string that specifies the user's password. The same password is used for SMTP authentication. -Supported operations are Get, Add, Replace and Delete. +Supported operations are Get, Add, Replace, and Delete. **DOMAIN** Optional. Character string that specifies the incoming server credentials domain. Limited to 255 characters. -Supported operations are Get, Add, Replace and Delete. +Supported operations are Get, Add, Replace, and Delete. **DWNDAY** Optional. Character string that specifies how many days' worth of email should be downloaded from the server. -Supported operations are Get, Add, Replace and Delete. +Supported operations are Get, Add, Replace, and Delete. -Valid values are one of the following: +Value options: - -1: Specifies that all email currently on the server should be downloaded. -- 7: Specifies that 7 days’ worth of email should be downloaded. +- 7: Specifies that seven days’ worth of email should be downloaded. 
- 14: Specifies that 14 days’ worth of email should be downloaded. - 30: Specifies that 30 days’ worth of email should be downloaded. **INSERVER** -Required. Character string that specifies the name of the incoming server name and port number. This is limited to 62 characters. If the standard port number is used, then you don't have to specify the port number. The value format is: +Required. Character string that specifies the name of the incoming server name and port number. This string is limited to 62 characters. If the standard port number is used, then you don't have to specify the port number. The value format is: - server name:port number -Supported operations are Get, Add and Replace. +Supported operations are Get, Add, and Replace. **LINGER** Optional. Character string that specifies the length of time between email send/receive updates in minutes. -Supported operations are Get, Add, Replace and Delete. +Supported operations are Get, Add, Replace, and Delete. -Valid values are: +Value options: - 0 - Email updates must be performed manually. @@ -174,16 +177,16 @@ Optional. Specifies the maximum size for a message attachment. Attachments beyon The limit is specified in KB -Valid values are 0, 25, 50, 125, and 250. +Value options are 0, 25, 50, 125, and 250. A value of 0 meaning that no limit will be enforced. -Supported operations are Get, Add, Replace and Delete. +Supported operations are Get, Add, Replace, and Delete. **NAME** Optional. Character string that specifies the name of the sender displayed on a sent email. It should be set to the user’s name. Limited to 255 characters. -Supported operations are Get, Add, Replace and Delete. +Supported operations are Get, Add, Replace, and Delete. **OUTSERVER** Required. Character string that specifies the name of the messaging service's outgoing email server. Limited to 62 characters. The value format is: 
@@ -195,14 +198,15 @@ Supported operations are Get, Add, Delete, and Replace. **REPLYADDR** Required. Character string that specifies the reply email address of the user (usually the same as the user email address). Sending email will fail without it. Limited to 255 characters. -Supported operations are Get, Add, Delete and Replace. +Supported operations are Get, Add, Delete, and Replace. **SERVICENAME** Required. Character string that specifies the name of the email service to create or edit (32 characters maximum). Supported operations are Get, Add, Replace, and Delete. -> **Note**   The EMAIL2 Configuration Service Provider does not support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created. +> [!NOTE] +> The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.   
@@ -211,19 +215,19 @@ Required. Character string that specifies the type of email service to create or Supported operations are Get, Add, Replace, and Delete. -> **Note**   The EMAIL2 Configuration Service Provider does not support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created. +> **Note**   The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.   **RETRIEVE** Optional. Specifies the maximum size in bytes for messages retrieved from the incoming email server. Messages beyond this size are retrieved, but truncated. -Valid values are 512, 1024, 2048, 5120, 20480, and 51200. +Value options are 512, 1024, 2048, 5120, 20480, and 51200. Supported operations are Get, Add, Replace, and Delete. **SERVERDELETEACTION** -Optional. Character string that specifies how message is deleted on server. Valid values: +Optional. Character string that specifies how message is deleted on server. Value options: - 1 - delete message on the server - 2 - keep the message on the server (delete to the Trash folder). @@ -238,7 +242,7 @@ Optional. If this flag is set, the account only uses the cellular network and no Value type is string. Supported operations are Get, Add, Replace, and Delete. **SYNCINGCONTENTTYPES** -Required. Specifies a bitmask for which content types are supported for syncing (eg: Mail, Contacts, Calendar). +Required. Specifies a bitmask for which content types are supported for syncing, like Mail, Contacts, and Calendar. - No data (0x0) - Contacts (0x1) 
@@ -257,12 +261,12 @@ Required. Specifies a bitmask for which content types are supported for syncing Supported operations are Get, Add, Replace, and Delete. **CONTACTSSERVER** -Optional. Server for contact sync if it is different from the email server. +Optional. Server for contact sync if it's different from the email server. Supported operations are Get, Add, Replace, and Delete. **CALENDARSERVER** -Optional. Server for calendar sync if it is different from the email server. +Optional. Server for calendar sync if it's different from the email server. Supported operations are Get, Add, Replace, and Delete. 
@@ -289,38 +293,38 @@ Supported operations are Get, Add, Replace, and Delete. **SMTPALTAUTHNAME** Optional. Character string that specifies the display name associated with the user's alternative SMTP email account. -Supported operations are Get, Add, Replace and Delete. +Supported operations are Get, Add, Replace, and Delete. **SMTPALTDOMAIN** Optional. Character string that specifies the domain name for the user's alternative SMTP account. -Supported operations are Get, Add, Replace and Delete. +Supported operations are Get, Add, Replace, and Delete. **SMTPALTENABLED** Optional. Character string that specifies if the user's alternate SMTP account is enabled. -Supported operations are Get, Add, Replace and Delete. +Supported operations are Get, Add, Replace, and Delete. -A value of "FALSE" specifies that the user's alternate SMTP email account is disabled. A value of "TRUE" specifies that the user's alternate SMTP email account is enabled. +A value of "FALSE" means the user's alternate SMTP email account is disabled. A value of "TRUE" means that the user's alternate SMTP email account is enabled. **SMTPALTPASSWORD** Optional. Character string that specifies the password for the user's alternate SMTP account. -Supported operations are Get, Add, Replace and Delete. +Supported operations are Get, Add, Replace, and Delete. **TAGPROPS** Optional. Defines a group of properties with non-standard element names. -Supported operations are Get, Add, Replace and Delete. +Supported operations are Get, Add, Replace, and Delete. **TAGPROPS/8128000B** Optional. Character string that specifies if the incoming email server requires SSL. -Supported operations are Get, Add, Replace and Delete. +Supported operations are Get, Add, Replace, and Delete. -Value is one of the following: +Value options: -- 0 - SSL is not required. +- 0 - SSL isn't required. - 1 - SSL is required. **TAGPROPS/812C000B** 
@@ -328,49 +332,39 @@ Optional. Character string that specifies if the outgoing email server requires Supported operations are Get and Replace. -Value is one of the following: +Value options: -- 0 - SSL is not required. +- 0 - SSL isn't required. - 1 - SSL is required. ## Remarks -When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted and all messages and other properties that the transport (for example, Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored). +When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted. All messages and other properties that the transport (like Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored). -For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it is left out in the \\ block. 
There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials: +For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it's left out in the \\ block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials: - The incoming server logon credentials are used (AUTHNAME, AUTHSECRET, and DOMAIN) unless the outgoing server credentials are set. -- If some but not all of the outgoing server credentials parameters are present then the EMAIL2 Configuration Service Provider will be considered in error. +- If some of the outgoing server credentials parameters are present, then the EMAIL2 Configuration Service Provider will be considered in error. -- Account details cannot be queried unless the account GUID is known. Currently, there is no way to perform a top-level query for account GUIDs. +- Account details cannot be queried unless the account GUID is known. Currently, there's no way to perform a top-level query for account GUIDs. -Windows 10 Mobile supports Transport Layer Security (TLS), but this cannot be explicitly enabled through this configuration service provider, and the user cannot enable TLS through the UI. If the connection to the mail server is initiated with deferred SSL, the mail server can send STARTTLS as a server capability and TLS will be enabled. The following steps show how to enable TLS. +If the connection to the mail server is initiated with deferred SSL, the mail server can send STARTTLS as a server capability and TLS will be enabled. The following steps show how to enable TLS. 1. The device attempts to connect to the mail server using SSL. 2. 
If the SSL connection fails, the device attempts to connect using deferred SSL. -3. If the connection fails over both SSL and deferred SSL, and the user selected **Server requires encrypted (SSL) connection**, the device does not attempt another connection. +3. If the connection fails over both SSL and deferred SSL, and the user selected **Server requires encrypted (SSL) connection**, the device doesn't attempt another connection. -4. If the user did not select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection. +4. If the user didn't select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection. 5. If the connection succeeds using any of the encryption protocols, the device requests the server capabilities. -6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, the device enables TLS. TLS is not enabled on connections using SSL or non-SSL. +6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, then the device enables TLS. TLS isn't enabled on connections using SSL or non-SSL. -## Related topics +## Related articles [Configuration service provider reference](configuration-service-provider-reference.md) - -  - -  - - - - - - diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md deleted file mode 100644 index bab52cb7fd..0000000000 --- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md +++ /dev/null 
@@ -1,534 +0,0 @@ ---- -title: Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices -description: Overview of how to enable offline updates using Microsoft Endpoint Configuration Manager. -ms.assetid: ED3DAF80-847C-462B-BDB1-486577906772 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices - - -Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. However, in some enterprise environments, devices may not be able to access the Internet to retrieve their updates. There are also situations where network restrictions or other enterprise policies require that devices download updates from an internal location. This article describes how to enable offline updates using Microsoft Endpoint Configuration Manager. - -The following table describes the update path to Windows 10 Mobile. - - ---- - - - - - - - - - - - - - - - - - - - - -
                  Starting SKUUpgrade to Windows 10 Mobile

                  Windows Mobile 6.5

                  No

                  Windows Phone 8

                  No

                  Windows Phone 8.1

                  Yes

                  - -  -To configure the mobile device management (MDM) service provider and enable mobile devices to download updates from a predefined internal location, an IT administrator or device administrator must perform a series of manual and automated steps: - -1. Prepare a test device that can connect to the Internet to download the released update packages. -2. After the updates are downloaded and before pressing the install button, retrieve an XML file on the device that contains all the metadata about each update package. -3. Check the status code in the XML file. -4. Check for registry dependencies. -5. Using a script that we provide, parse the XML file to extract download URLs for the update packages. -6. Download the update packages using the download URLs. -7. Place the downloaded packages on an internal share that is accessible to devices you are updating. -8. Create two additional XML files that define the specific updates to download and the specific locations from which to download the updates, and deploy them onto the production device. -9. Start the update process from the devices. - -As a part of the update process, Windows runs data migrators to bring forward configured settings and data on the device. For instance, if the device was configured with a maintenance time or other update policy in Windows Embedded 8.1 Handheld, these settings are automatically migrated to Windows 10 as part of the update process. If the handheld device was configured for assigned access lockdown, then this configuration is also migrated to Windows 10 as part of the update process. This includes ProductId and AumId conversion for all internal apps (including buttonremapping apps). - -Be aware that the migrators do not take care of the following: - -- Third-party apps provided by OEMs. -- Deprecated first-party apps, such as Bing News. -- Deprecated system or application settings, such as Microsoft.Game and Microsoft.IE. 
- -In the event of an Enterprise Reset, these migrated settings are automatically persisted. - -After the upgrade to Windows 10 is complete, if you decide to push down a new wehlockdown.xml, you need to take the following steps to ensure that the updated settings are persisted through an Enterprise Reset: - -1. Delete the TPK\*ppkg and push down a new ppkg with your new configuration to the persistent folder. -2. Push down a new ppkg with your new configuration with higher priority. (Be aware that in ICD, Owner=Microsoft, Rank=0 is the lowest priority, and vice versa. With this step, the old assigned access lockdown configuration is overwritten.) - -**Requirements:** - -- The test device must be same as the other production devices that are receiving the updates. -- The test device must be enrolled with Microsoft Endpoint Configuration Manager. -- The test device must be connected to the Internet. -- The test device must have an SD card with at least 0.5 GB of free space. -- Ensure that the settings app and PhoneUpdate applet are available through Assigned Access. - -The following diagram shows a high-level overview of the process. - -![update process for windows embedded 8.1 devices.](images/windowsembedded-update.png) - -## Step 1: Prepare a test device to download updates from Microsoft Update - - -Define the baseline update set that you want to apply to other devices. Use a device that is running the most recent image as the test device. - -Trigger the device to check for updates either manually or using Microsoft Endpoint Configuration Manager. - -**Check for updates manually** - -1. On the device, go to **Settings** > **Phone updates** > **Check for updates**. -2. Sync the device, go to **Settings** > **Workplace** > **Enrolled**, and then select the refresh icon. Repeat as needed. -3. Follow the prompts to download the updates, but do not select the **Install** button. 
- -> [!NOTE] -> There is a bug in all OS versions up to GDR2 where the Cloud Solution Provider (CSP) does not set the assigned value. There is no way to change or set this until GDR2 is deployed onto the device. - - -**Check for updates by using Microsoft Endpoint Configuration Manager** - -1. Remotely trigger a scan of the test device by deploying a Trigger Scan configuration baseline. - - ![device scan using Configuration Manager.](images/windowsembedded-update2.png) - -2. Set the value of this OMA-URI by going to **Configuration Item**, and then selecting the newly created Trigger Scan settings from the previous step. - - ![device scan using Configuration Manager.](images/windowsembedded-update3.png) - -3. Ensure that the value that is specified for this URI is greater than the value on the device(s), and that the **Remediate noncompliant rules when supported** option is selected. For the first time, any value that is greater than 0 will work, but for subsequent configurations, ensure that you specify an incremented value. - - ![device scan using Configuration Manager.](images/windowsembedded-update4.png) - -4. Create a configuration baseline for Trigger Scan and Deploy. We recommend that this configuration baseline be deployed after the Controlled Updates baseline has been applied to the device. (The corresponding files are deployed on the device through a device sync session.) -5. Follow the prompts for downloading the updates, but do not install the updates on the device. - - -## Step 2: Retrieve the device update report XML from the device - -After updates are downloaded (but not installed on the device), the process generates an XML file that contains information about the packages it downloaded. You must retrieve this XML file. - -There are two ways to retrieve this file from the device; one pre-GDR1 and one post-GDR1. - -**Pre-GDR1: Parse a compliance log from the device in ConfigMgr** - -1. 
Use ConfigMgr to create a configuration item to look at the registry entry ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/ApprovedUpdatesXml. - - > [!NOTE] - > In Microsoft Endpoint Configuration Manager, you may see an error about exceeding the file limit when using ApprovedUpdatesXml, but the process still completes even if the file is large. - - If the XML file is greater than 32 KB, you can also use ./Vendor/MSFT/FileSystem/<*filename*>. -2. Set a baseline for this configuration item with a “dummy” value (such as zzz), and ensure that you do not remediate it. - - The dummy value is not set; it is only used for comparison. -3. After the report XML is sent to the device, Microsoft Endpoint Manager displays a compliance log that contains the report information. The log can contain significant amount of data. -4. Parse this log for the report XML content. - -For a step-by-step walkthrough, see [Retrieve a device update report using Microsoft Endpoint Manager logs](#retrieve-a-device-update-report-using-microsoft-endpoint-manager-logs). - - -**Post-GDR1: Retrieve the report xml file using an SD card** - -1. Use ConfigMgr to create a configuration item to set a registry value for ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/CopyUpdateReportToSDCard. -2. The value that you define for this configuration item is defined by the relative path to the SD card, which includes the filename of the XML file (such as SDCardRoot\\Update\\DUReport.xml). -3. Remove the SD card from device and copy the XML file to your PC. - -## Step 3: Check the status code in the XML file -Make sure that the status code is set to 0000-0000 (success). - -## Step 4: Check for registry dependencies -Remove any registry dependencies in the XML file. - -## Step 5: Extract download URLs from the report XML - -Use the [example PowerShell script](#example-powershell-script) to extract the download URLs from the XML file or parse it manually. 
- -## Step 6: Retrieve update packages using download URLs - -Use a script or manually download each update package to a PC or an internal share. - -## Step 7: Place the update packages on an accessible share - -Put all the update packages into an internal share that is accessible to all the devices that need these updates. Ensure that the internal share can support multiple devices trying to access the updates at the same time. - -## Step 8: Create two XML files for production devices to select updates and download locations - -Here are the two files. - - ---- - - - - - - - - - - - - - - - - -
                  TermDescription

                  DUControlledUpdates.xml

                  This is the same file as the report XML retrieved in Step 2 with a different name. This file tells the device the specific update packages to download. See Appendix for example

                  -

                  DUCustomContentUris.xml

                  This file maps the update packages in DUControlledUpdates.xml to the internal share location.

                  - -  - -For a walkthrough of these steps, see [Deploy controlled updates](#deploy-controlled-updates). Ensure that the Trigger Scan configuration baseline has NOT been deployed. - - - -### Deploy controlled updates - -The deployment process has three parts: - -- Create a configuration item for DUControlledUpdates.xml. -- Create a configuration item for DUCustomContentURIs.xml. -- Create a configuration item for approved updates. - - - -**Create a configuration item for DUControlledUpdates.xml** - -1. Create a configuration item. In the **Browse Settings** window, select **Device File** as a filter, and then select **Select**. - - ![embedded device update.](images/windowsembedded-update18.png) - -2. Browse to the DUControlledUpdates.xml that was created from the test device, and then specify the file path and name on the device as `NonPersistent\DUControlledUpdates.xml`. - - ![embedded device update.](images/windowsembedded-update19.png) - -3. Select **Remediate noncompliant settings**, and then select **OK**. - - - -**Create a configuration item for DUCustomContentURIs.xml** - -1. Create a configuration item and specify the file path and name on the device as `NonPersistent\DUCustomContentURIs.xml` -2. Select **Remediate noncompliant settings**. - - ![embedded device update.](images/windowsembedded-update21.png) - -3. Select **OK**. - - - -**Create a configuration baseline for approved updates** - -1. Create a configuration baseline item and give it a name (such as ControlledUpdates). -2. Add the DUControlledUpdates and DUCustomContentURIs configuration items, and then select **OK**. - - ![embedded device update.](images/windowsembedded-update22.png) - -3. Deploy the configuration baseline to the appropriate device or device collection. - - ![embedded device update.](images/windowsembedded-update23.png) - -4. Select **OK**. 
- -## Step 7: Trigger the other devices to scan, download, and install updates - -Now that the other "production" or "in-store" devices have the necessary information to download updates from an internal share, the devices are ready for updates. - -### Update unmanaged devices - -If the update policy of the device is not managed or restricted by Microsoft Endpoint Configuration Manager, an update process can be initiated on the device in one of the following ways: - -- A periodic scan that the device automatically performs. -- Manually through **Settings** > **Phone Update** > **Check for Updates**. - -### Update managed devices - -If the update policy of the device is managed or restricted by MDM, an update process can be initiated on the device in one of the following ways: - -- Trigger the device to scan for updates through Microsoft Endpoint Configuration Manager. - - Ensure that the trigger scan has successfully executed, and then remove the trigger scan configuration baseline. - - > [!NOTE] - > Ensure that the PhoneUpdateRestriction Policy is set to a value of 0 so that the device doesn't perform an automatic scan. - - -- Trigger the device to scan as part of a Maintenance Window defined by the IT Admin in Microsoft Endpoint Configuration Manager. - -After the updates are installed, the IT Admin can use the DUReport generated in the production devices to determine whether the device successfully installed the list of updates. If the device did not, error codes are provided in the DUReport.xml. To retrieve the device update report from a device, perform the same steps defined in [Step 2](#step2). 
- - -## Example PowerShell script - -```powershell -param ( -# [Parameter (Mandatory=$true, HelpMessage="Input File")] - [String]$inputFile, - -# [Parameter (Mandatory=$true, HelpMessage="Download Cache Location")] - [String]$downloadCache, - -# [Parameter (Mandatory=$true, HelpMessage="Local Cache URL")] - [String]$localCacheURL - ) - -#DownloadFiles Function -function DownloadFiles($inputFile, $downloadCache, $localCacheURL) -{ - $customContentURIFileCreationError = "Not able to create Custom Content URI File" -#Read the Input File - $report = [xml](Get-Content $inputFile) - -# this is where the document will be saved - $customContentURLFile = "$downloadCache\DUCustomContentUris.xml" - New-Item -Path $customContentURLFile -ItemType File -force -ErrorAction SilentlyContinue -ErrorVariable NewItemError > $null - if ($NewItemError -ne "") - { - PrintMessageAndExit $customContentURIFileCreationError - } - -# get an XMLTextWriter to create the XML - $XmlWriter = New-Object System.XMl.XmlTextWriter($customContentURLFile,$Null) - -# choose a pretty formatting: - $xmlWriter.Formatting = 'Indented' - $xmlWriter.Indentation = 1 - $XmlWriter.IndentChar = "`t" - -# write the header - $xmlWriter.WriteStartDocument() - $xmlWriter.WriteStartElement('CustomContentUrls') - foreach ($update in $report.UpdateData.coreUpdateMetadata.updateSet.update) - { - if (!$update.destinationFilePath -or !$update.contentUrl) - { - continue; - } - - $destFilePath = $update.destinationFilePath.Trim(); - $contentUrl = $update.contentUrl.Trim(); - - Write-Host "Pre-Processing Line: $destFilePath#$contentUrl" - if (($destFilePath -ne "") -and ($destFilePath.Contains("\")) -and ($contentUrl -ne "") -and ($contentUrl.Contains("/")) ) - { - $isBundle = $update.isBundle - $revisionId = $update.revisionId - $updateId = $update.updateId - $revisionNum = $update.revisionNum - - $fileName = $destFilePath.Substring($destFilePath.LastIndexOf("\") + 1); -#Write-Host "Processing Line: $destFilePath#$contentUrl" 
- if ($fileName -ne "") - { - $destination = $downloadCache + "\" + $fileName; - Try - { - $wc = New-Object System.Net.WebClient - $wc.DownloadFile($contentUrl, $destination) - Write-Host "Successfull Download: $contentUrl#$destination"; - - $XmlWriter.WriteStartElement('contentUrl') - $XmlWriter.WriteAttributeString('isBundle', $isBundle) - $XmlWriter.WriteAttributeString('revisionId', $revisionId) - $XmlWriter.WriteAttributeString('updateId', $updateId) - $XmlWriter.WriteAttributeString('revisionNum', $revisionNum) - $XmlWriter.WriteRaw($localCacheURL + $fileName) - $xmlWriter.WriteEndElement() - } - Catch [ArgumentNullException] - { - Write-Host "Content URL is null"; - } - Catch [WebException] - { - Write-Host "Invalid Content URL: $contentUrl"; - } - Catch - { - Write-Host "Exception in Download: $contentUrl"; - } - } - else - { - Write-Host "Ignored Input Line: $contentUrl" - } - } - else - { - Write-Host "Ignored Input Line: $contentUrl" - } - } - -# close the "CustomContentUrls" node - $xmlWriter.WriteEndElement() - -# finalize the document - $xmlWriter.WriteEndDocument() - $xmlWriter.Flush() - $xmlWriter.Close() - - Write-Host "Successfully Created Custom Content URL File: $customContentURLFile" -} - -#PrintMessage Function -function PrintMessageAndExit($ErrorMessage) -{ - Write-Host $ErrorMessage - exit 1 -} - -#PrintMessage Function -function PrintUsageAndExit() -{ - Write-Host "Usage: Download.ps1 -inputFile -downloadCache -localCacheURL " - exit 1 -} - -if (($inputFile -eq "") -or ($downloadCache -eq "") -or ($localCacheURL -eq "")) -{ - PrintUsageAndExit -} -if (!$localCacheURL.EndsWith("/")) -{ - $localCacheURL = $localCacheURL + "/"; -} -$inputFileErrorString = "Input File does not exist"; -$downloadCacheErrorString = "Download Cache does not exist"; -$downloadCacheAddError = "Access Denied in creating the Download Cache Folder"; -$downloadCacheRemoveError = "Not able to delete files from Download Cache" -$downloadCacheClearWarningString = "Download 
Cache not empty. Do you want to Clear"; - -#Check if Input File Exist -$inputFileExists = Test-Path $inputFile; -if(!$inputFileExists) -{ - PrintMessageAndExit($inputFileErrorString) -} - -#Check if Download Cache Exist -$downloadCacheExists = Test-Path $downloadCache; -if(!$downloadCacheExists) -{ - PrintMessageAndExit($downloadCacheErrorString) -} - -$downloadCacheFileCount = (Get-ChildItem $downloadCache).Length; -if ($downloadCacheFileCount -ne 0) -{ -#Clear the directory - Remove-Item $downloadCache -Recurse -Force -Confirm -ErrorVariable RemoveItemError -ErrorAction SilentlyContinue > $null - if ($RemoveItemError -ne "") - { - PrintMessageAndExit $downloadCacheRemoveError - } - - $childItem = Get-ChildItem $downloadCache -ErrorAction SilentlyContinue > $null - $downloadCacheFileCount = ($childItem).Length; - if ($downloadCacheFileCount -ne 0) - { - PrintMessageAndExit $downloadCacheRemoveError - } - -#Create a new directory - New-Item -Path $downloadCache -ItemType Directory -ErrorAction SilentlyContinue -ErrorVariable NewItemError > $null - if ($NewItemError -ne "") - { - PrintMessageAndExit $downloadCacheAddError - } -} - -DownloadFiles $inputFile $downloadCache $localCacheURL -``` - - -## Retrieve a device update report using Microsoft Endpoint Manager logs - -**For pre-GDR1 devices** -Use this procedure for pre-GDR1 devices: - -1. Trigger a device scan by going to **Settings** > **Phone Update** > **Check for Updates**. - - Since the DUReport settings have not been remedied, you should see a non-compliance. -2. In Microsoft Endpoint Configuration Manager, under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Items**. -3. Select **Create Configuration Item**. - - ![device update using Configuration Manager.](images/windowsembedded-update5.png) -4. Enter a filename (such as GetDUReport), and then select **Mobile Device**. -5. 
On the **Mobile Device Settings** page, select **Configure Additional Settings that are not in the default settings group**, and then select **Next**. - - ![device update using Configuration Manager.](images/windowsembedded-update6.png) -6. On the **Additional Settings** page, select **Add**. - - ![device update using Configuration Manager.](images/windowsembedded-update7.png) -7. On the **Browse Settings** page, select **Create Setting**. - - ![device update.](images/windowsembedded-update8.png) -8. Enter a unique **Name**. For **Setting type**, select **OMA-URI**, and for **Data type**, select **String**. -9. In the **OMA-URI** text box, enter `./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml`, and then select **OK**. - - ![handheld device update.](images/windowsembedded-update9.png) -10. On the **Browse Settings** page, select **Close**. -11. On the **Create Configuration Item Wizard** page, select **All Windows Embedded 8.1 Handheld** as the supported platform, and then select **Next**. - - ![embedded device update.](images/windowsembedded-update10.png) -12. Close the **Create Configuration Item Wizard** page. -13. Right-click on the newly create configuration item, and then select the **Compliance Rules** tab. -14. Select the new created mobile device setting (such as DUReport), and then select **Select**. -15. Enter a dummy value (such as zzz) that is different from the one on the device. - - ![embedded device update.](images/windowsembedded-update11.png) -16. Disable remediation by deselecting the **Remediate noncompliant rules when supported** option. -17. Select **OK** to close the **Edit Rule** page. -18. Create a new configuration baseline. Under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Baselines**. -19. Select **Create Configuration Item**. - - ![embedded device update.](images/windowsembedded-update12.png) -20. Enter a baseline name (such as RetrieveDUReport). -21. 
Add the configuration item that you just created. Select **Add**, and then select the configuration item that you just created (such as DUReport). - - ![embedded device update.](images/windowsembedded-update13.png) -22. Select **OK**, and then select **OK** again to complete the configuration baseline. -23. Deploy the newly created configuration baseline to the appropriate device collection. Right-click on the configuration baseline that you created, and then select **Deploy**. - - ![embedded device update.](images/windowsembedded-update14.png) -24. Select **Remediate noncompliant rules when supported**. -25. Select the appropriate device collection and define the schedule. - - ![device update.](images/windowsembedded-update15.png) -26. To view the DUReport content, select the appropriate deployment for the configuration baseline that you created. Right-click on the deployment, and then select **View Status**. -27. Select **Run Summarization**, and then select **Refresh**. The test device(s) should be listed on the **Non-Compliant** tab. -28. Under **Asset Details**, right-click on the test device, and then select **Mode Details**. - - ![device update.](images/windowsembedded-update16.png) -29. On the **Non-compliant** tab, you can see the DUReport, but you cannot retrieve the content from here. - - ![device update.](images/windowsembedded-update17.png) -30. To retrieve the DUReport, open C:\\Program Files\\SMS\_CCM\\SMS\_DM.log. -31. In the log file, search from the bottom for "./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml" RuleExression="Equals zzz," where zzz is the dummy value. Just above this, copy the information for UpdateData and use this information to create the DUControlledUpdates.xml. - -  - - - - - diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index c9f13235e0..4dfc661666 100644 
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -5,8 +5,8 @@ ms.author: dansimp
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: manikadhiman
-ms.date: 06/02/2021
+author: dansimp
+ms.date: 10/14/2021
 ms.reviewer:
 manager: dansimp
 ---
@@ -214,7 +214,7 @@ Requirements:
 If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain.
-6. Wait for the SYSVOL DFSR replication to be completed and then restart the Domain Controller for the policy to be available.
+6. Wait for the SYSVOL DFSR replication to be completed for the policy to be available.
 This procedure will work for any future version as well.
@@ -289,6 +289,10 @@ To collect Event Viewer logs:
 - [Filter Using Security Groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc752992(v=ws.11))
 - [Enforce a Group Policy Object Link](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753909(v=ws.11))
 - [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
+- [Getting started with Cloud Native Windows Endpoints](https://docs.microsoft.com/mem/cloud-native-windows-endpoints)
+- [A Framework for Windows endpoint management transformation](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/a-framework-for-windows-endpoint-management-transformation/ba-p/2460684)
+- [Success with remote Windows Autopilot and Hybrid Azure Active Director join](https://techcommunity.microsoft.com/t5/intune-customer-success/success-with-remote-windows-autopilot-and-hybrid-azure-active/ba-p/2749353)
+
 ### Useful Links
 - [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124)
diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md
index c29e2047ad..9397684167 100644
--- a/windows/client-management/mdm/enterprise-app-management.md
+++ b/windows/client-management/mdm/enterprise-app-management.md
@@ -1,6 +1,6 @@
 ---
 title: Enterprise app management
-description: This topic covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows.
+description: This article covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows.
 ms.assetid: 225DEE61-C3E3-4F75-BC79-5068759DFE99
 ms.reviewer:
 manager: dansimp
@@ -8,13 +8,13 @@ ms.author: dansimp
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: manikadhiman
-ms.date: 09/22/2017
+author: dansimp
+ms.date: 10/04/2021
 ---
 # Enterprise app management
-This topic covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows. It is the ability to manage both Store and non-Store apps as part of the native MDM capabilities. New in Windows 10 is the ability to take inventory of all your apps.
+This article covers one of the key mobile device management (MDM) features in Windows 10. It manages the lifecycle of apps across all of Windows. It's the ability to manage both Store and non-Store apps as part of the native MDM capabilities. New in Windows 10 is the ability to take inventory of all your apps.
 ## Application management goals
@@ -26,32 +26,129 @@ Windows 10 offers the ability for management servers to:
 - Inventory all apps for a user (Store and non-Store apps)
 - Inventory all apps for a device (Store and non-Store apps)
 - Uninstall all apps for a user (Store and non-Store apps)
-- Provision apps so they are installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
+- Provision apps so they're installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
 - Remove the provisioned app on the device running Windows 10 for desktop editions
 
 ## Inventory your apps
 
-Windows 10 lets you inventory all apps deployed to a user and all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and does not include traditional Win32 apps installed via MSI or executables. When the apps are inventoried they are separated based on the following app classifications:
+Windows 10 lets you inventory all apps deployed to a user, and inventory all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
 
 - Store - Apps that are from the Microsoft Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business
-- nonStore - Apps that were not acquired from the Microsoft Store.
-- System - Apps that are part of the OS. You cannot uninstall these apps. This classification is read-only and can only be inventoried.
+- nonStore - Apps that weren't acquired from the Microsoft Store.
+- System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried.
 
 These classifications are represented as nodes in the EnterpriseModernAppManagement CSP.
 
-The following diagram shows the EnterpriseModernAppManagement CSP in a tree format.
+The following information shows the EnterpriseModernAppManagement CSP in a tree format:
 
-![enterprisemodernappmanagement csp diagram.](images/provisioning-csp-enterprisemodernappmanagement.png)
+```console
+./Device/Vendor/MSFT
+or
+./User/Vendor/MSFT
+EnterpriseAppManagement
+----AppManagement
+--------UpdateScan
+--------LastScanError
+--------AppInventoryResults
+--------AppInventoryQuery
+--------RemovePackage
+--------AppStore
+----------PackageFamilyName
+------------PackageFullName
+--------------Name
+--------------Version
+--------------Publisher
+--------------Architecture
+--------------InstallLocation
+--------------IsFramework
+--------------IsBundle
+--------------InstallDate
+--------------ResourceID
+--------------RequiresReinstall
+--------------PackageStatus
+--------------Users
+--------------IsProvisioned
+--------------IsStub
+------------DoNotUpdate
+------------AppSettingPolicy
+--------------SettingValue
+------------MaintainProcessorArchitectureOnUpdate
+------------NonRemovable
+----------ReleaseManagement
+------------ReleaseManagementKey
+--------------ChannelId
+--------------ReleaseId
+--------------EffectiveRelease
+-----------------ChannelId
+-----------------ReleaseId
+--------nonStore
+----------PackageFamilyName
+------------PackageFullName
+--------------Name
+--------------Version
+--------------Publisher
+--------------Architecture
+--------------InstallLocation
+--------------IsFramework
+--------------IsBundle
+--------------InstallDate
+--------------ResourceID
+--------------RequiresReinstall
+--------------PackageStatus
+--------------Users
+--------------IsProvisioned
+--------------IsStub
+------------DoNotUpdate
+------------AppSettingPolicy
+--------------SettingValue
+------------MaintainProcessorArchitectureOnUpdate
+------------NonRemoveable
+--------System
+----------PackageFamilyName
+------------PackageFullName
+--------------Name
+--------------Version
+--------------Publisher
+--------------Architecture
+--------------InstallLocation
+--------------IsFramework
+--------------IsBundle
+--------------InstallDate
+--------------ResourceID
+--------------RequiresReinstall
+--------------PackageStatus
+--------------Users
+--------------IsProvisioned
+--------------IsStub
+------------DoNotUpdate
+------------AppSettingPolicy
+--------------SettingValue
+------------MaintainProcessorArchitectureOnUpdate
+------------NonRemoveable
+----AppInstallation
+--------PackageFamilyName
+----------StoreInstall
+----------HostedInstall
+----------LastError
+----------LastErrorDesc
+----------Status
+----------ProgressStatus
+----AppLicenses
+--------StoreLicenses
+----------LicenseID
+------------LicenseCategory
+------------LicenseUsage
+------------RequesterID
+------------AddLicense
+------------GetLicenseFromStore
+```
 
 Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System).
 
-Inventory can be performed recursively at any level from the AppManagement node through the package full name. Inventory can also be performed only for a specific inventory attribute.
+Inventory can run recursively at any level from the AppManagement node through the package full name. Inventory can also run only for a specific inventory attribute.
 
 Inventory is specific to the package full name and lists bundled packs and resources packs as applicable under the package family name.
 
-> **Note**  On Windows 10 Mobile, XAP packages have the product ID in place of both the package family name and package full name.
-
-
 Here are the nodes for each package full name:
 
 - Name
@@ -72,11 +169,11 @@ For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP]( ### App inventory -You can use the EnterpriseModernAppManagement CSP to query for all apps installed for a user or device. The query returns all apps regardless if they were installed via MDM or other methods. Inventory can be performed at the user or device level. Inventory at the device level will return information for all users on the device. +You can use the EnterpriseModernAppManagement CSP to query for all apps installed for a user or device. The query returns all apps, even if they were installed using MDM or other methods. Inventory can run at the user or device level. Inventory at the device level will return information for all users on the device. -Note that performing a full inventory of a device can be resource intensive on the client based on the hardware and number of apps that are installed. The data returned can also be very large. You may want to chunk these requests to reduce the impact to clients and network traffic. +Doing a full inventory of a device can be resource-intensive based on the hardware and number of apps that are installed. The data returned can also be large. You may want to chunk these requests to reduce the impact to clients and network traffic. -Here is an example of a query for all apps on the device. +Here's an example of a query for all apps on the device. ```xml @@ -90,7 +187,7 @@ Here is an example of a query for all apps on the device. ``` -Here is an example of a query for a specific app for a user. +Here's an example of a query for a specific app for a user. ```xml 
@@ -106,7 +203,7 @@ Here is an example of a query for a specific app for a user. ### Store license inventory -You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses regardless if they were installed via MDM or other methods. Inventory can be performed at the user or device level. Inventory at the device level will return information for all users on the device. +You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses, event if they were installed via MDM or other methods. Inventory can run at the user or device level. Inventory at the device level will return information for all users on the device. Here are the nodes for each license ID: @@ -116,10 +213,10 @@ Here are the nodes for each license ID: For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md). -> **Note**  The LicenseID in the CSP is the content ID for the license. +> [!NOTE] +> The LicenseID in the CSP is the content ID for the license. - -Here is an example of a query for all app licenses on a device. +Here's an example of a query for all app licenses on a device. ```xml @@ -133,7 +230,7 @@ Here is an example of a query for all app licenses on a device. ``` -Here is an example of a query for all app licenses for a user. +Here's an example of a query for all app licenses for a user. ```xml 
@@ -149,13 +246,13 @@ Here is an example of a query for all app licenses for a user.
 
 ## Enable the device to install non-Store apps
 
-There are two basic types of apps you can deploy: Store apps and enterprise signed apps. To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment.
+There are two basic types of apps you can deploy: Store apps and enterprise signed apps. To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root, or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment.
 
 ### Unlock the device for non-Store apps
 
-To deploy app that are not from the Microsoft Store, you must configure the ApplicationManagement/AllowAllTrustedApps policy. This policy allows the installation of non-Store apps on the device provided that there is a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
+To deploy apps that aren't from the Microsoft Store, you must configure the ApplicationManagement/AllowAllTrustedApps policy. This policy allows the installation of non-Store apps on the device if there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
 
-The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device or a root certificate in the Trusted Root of the device. The policy is not configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
+The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device, or a root certificate in the Trusted Root of the device. The policy isn't configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
 
 For more information about the AllowAllTrustedApps policy, see [Policy CSP](policy-configuration-service-provider.md).
 
@@ -191,13 +288,13 @@ Here are some examples. Development of apps on Windows 10 no longer requires a special license. You can enable debugging and deployment of non-packaged apps using ApplicationManagement/AllowDeveloperUnlock policy in Policy CSP. -AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock is not configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device. +AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock isn't configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device. -Deployment of apps to Windows 10 for desktop editions requires that there is a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. Deployment to Windows 10 Mobile does not validate whether the non-Store apps have a valid root of trust on the device. +Deployment of apps to Windows 10 for desktop editions requires that there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about the AllowDeveloperUnlock policy, see [Policy CSP](policy-configuration-service-provider.md). -Here is an example. +Here's an example. ```xml 
@@ -227,20 +324,20 @@ Here is an example. ## Install your apps -You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store or in some cases from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) to install apps. +You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store. Or, they're installed from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) to install apps. ### Deploy apps to user from the Store -To deploy an app to a user directly from the Microsoft Store, the management server performs an Add and Exec commands on the AppInstallation node of the EnterpriseModernAppManagement CSP. This is only supported in the user context and not supported in the device context. +To deploy an app to a user directly from the Microsoft Store, the management server runs an Add and Exec command on the AppInstallation node of the EnterpriseModernAppManagement CSP. This feature is only supported in the user context, and not supported in the device context. -If you purchased an app from the Store for Business and the app is specified for an online license, the app and license must be acquired directly from the Microsoft Store. +If you purchased an app from the Store for Business and the app is specified for an online license, then the app and license must be acquired directly from the Microsoft Store. Here are the requirements for this scenario: -- The app is assigned to a user Azure Active Directory (AAD) identity in the Store for Business. You can do this directly in the Store for Business or through a management server. 
+- The app is assigned to a user Azure Active Directory (Azure AD) identity in the Store for Business. You can assign directly in the Store for Business or through a management server. - The device requires connectivity to the Microsoft Store. -- Microsoft Store services must be enabled on the device. Note that the UI for the Microsoft Store can be disabled by the enterprise admin. -- The user must be signed in with their AAD identity. +- Microsoft Store services must be enabled on the device. The UI for the Microsoft Store can be disabled by the enterprise admin. +- The user must be signed in with their Azure AD identity. Here are some examples. @@ -264,9 +361,9 @@ Here are the changes from the previous release: 1. The "{CatID}" reference should be updated to "{ProductID}". This value is acquired as a part of the Store for Business management tool. 2. The value for flags can be "0" or "1" - When using "0" the management tool calls back to the Store for Business sync to assign a user a seat of an application. When using "1" the management tool does not call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available. + When using "0", the management tool calls back to the Store for Business sync to assign a user a seat of an application. When using "1", the management tool doesn't call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available. -3. The skuid is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync. +3. The `skuid` is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync. ### Deploy an offline license to a user 
@@ -276,10 +373,10 @@ The app license only needs to be deployed as part of the initial installation of In the SyncML, you need to specify the following information in the Exec command: -- License ID - This is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business. -- License Content - This is specified in the data section. The License Content is the Base64 encoded blob of the license. +- License ID - This ID is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business. +- License Content - This content is specified in the data section. The License Content is the Base64 encoded blob of the license. -Here is an example of an offline license installation. +Here's an example of an offline license installation. ```xml 
@@ -305,15 +402,15 @@ Here are the requirements for this scenario: - The location of the app can be a local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_ - The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements. -- The device does not need to have connectivity to the Microsoft Store, store services, or the have the Microsoft Store UI be enabled. -- The user must be logged in, but association with AAD identity is not required. +- The device doesn't need to have connectivity to the Microsoft Store, store services, or have the Microsoft Store UI be enabled. +- The user must be logged in, but association with Azure AD identity isn't required. -> **Note**  You must unlock the device to deploy nonStore apps or you must deploy the app license before deploying the offline apps. For details, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user). +> [!NOTE] +> You must unlock the device to deploy nonStore apps or you must deploy the app license before deploying the offline apps. For details, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user). - The Add command for the package family name is required to ensure proper removal of the app at unenrollment. -Here is an example of a line-of-business app installation. +Here's an example of a line-of-business app installation. ```xml @@ -340,7 +437,7 @@ Here is an example of a line-of-business app installation. ``` -Here is an example of an app installation with dependencies. +Here's an example of an app installation with dependencies. ```xml 
@@ -374,7 +471,7 @@ Here is an example of an app installation with dependencies. ``` -Here is an example of an app installation with dependencies and optional packages. +Here's an example of an app installation with dependencies and optional packages. ```xml 
@@ -416,27 +513,26 @@ Here is an example of an app installation with dependencies and optional package ### Provision apps for all users of a device -Provisioning allows you to stage the app to the device and all users of the device can have the app registered on their next login. This is only supported for app purchased from the Store for Business and the app is specified for an offline license or the app is a non-Store app. The app must be offered from a hosted location. The app is installed as a local system. To install to a local file share, the 'local system' of the device must have access to the share. +Provisioning allows you to stage the app to the device and all users of the device can have the app registered on their next login. This feature is only supported for app purchased from the Store for Business, and the app is specified for an offline license or the app is a non-Store app. The app must be offered from a hosted location. The app is installed as a local system. To install to a local file share, the 'local system' of the device must have access to the share. Here are the requirements for this scenario: - The location of the app can be the local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_ - The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements. -- The device does not need to have connectivity to the Microsoft Store, or store services enabled. -- The device does not need any AAD identity or domain membership. +- The device doesn't need to have connectivity to the Microsoft Store, or store services enabled. +- The device doesn't need any Azure AD identity or domain membership. - For nonStore app, your device must be unlocked. 
-- For Store offline apps, the required licenses must be deployed prior to deploying the apps. +- For Store offline apps, the required licenses must be deployed before deploying the apps. -To provision app for all users of a device from a hosted location, the management server performs an Add and Exec command on the AppInstallation node in the device context. The Add command for the package family name is required to ensure proper removal of the app at unenrollment. +To provision app for all users of a device from a hosted location, the management server runs an Add and Exec command on the AppInstallation node in the device context. The Add command for the package family name is required to ensure proper removal of the app at unenrollment. -> **Note**  When you remove the provisioned app, it will not remove it from the users that already installed the app. +> [!NOTE] +> When you remove the provisioned app, it will not remove it from the users that already installed the app. - - -Here is an example of app installation. - -> **Note**  This is only supported in Windows 10 for desktop editions. +Here's an example of app installation. +> [!NOTE] +> This is only supported in Windows 10 for desktop editions. ```xml 
@@ -465,15 +561,15 @@ Here is an example of app installation. The HostedInstall Exec command contains a Data node that requires an embedded XML. Here are the requirements for the data XML: -- Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPs location. +- Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPS location. - Dependencies can be specified if required to be installed with the package. This is optional. The DeploymentOptions parameter is only available in the user context. -Here is an example of app installation with dependencies. - -> **Note**  This is only supported in Windows 10 for desktop editions. +Here's an example of app installation with dependencies. +> [!NOTE] +> This is only supported in Windows 10 for desktop editions. ```xml 
@@ -509,22 +605,22 @@ Here is an example of app installation with dependencies. ### Get status of app installations -When an app installation is completed, a Windows notification is sent. You can also query the status of using the AppInstallation node. Here is the list of information you can get back in the query: +When an app installation is completed, a Windows notification is sent. You can also query the status of using the AppInstallation node. Here's the list of information you can get back in the query: - Status - indicates the status of app installation. - - NOT\_INSTALLED (0) - The node was added, but the execution was not completed. - - INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of suceess this value is updated. + - NOT\_INSTALLED (0) - The node was added, but the execution wasn't completed. + - INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, then this value is updated. - FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. - - INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up actio has not completed, this state may briefly appear. -- LastError - This is the last error reported by the app deployment server. + - INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean up action hasn't completed, then this state may briefly appear. +- LastError - The last error reported by the app deployment server. - LastErrorDescription - Describes the last error reported by the app deployment server. -- Status - This is an integer that indicates the progress of the app installation. In cases of an https location, this shows the estimated download progress. +- Status - An integer that indicates the progress of the app installation. 
In cases of an HTTPS location, this status shows the estimated download progress. - Status is not available for provisioning and only used for user-based installations. For provisioning, the value is always 0. + Status isn't available for provisioning and only used for user-based installations. For provisioning, the value is always 0. When an app is installed successfully, the node is cleaned up and no longer present. The status of the app can be reported under the AppManagement node. -Here is an example of a query for a specific app installation. +Here's an example of a query for a specific app installation. ```xml @@ -538,7 +634,7 @@ Here is an example of a query for a specific app installation. ``` -Here is an example of a query for all app installations. +Here's an example of a query for all app installations. ```xml @@ -554,9 +650,9 @@ Here is an example of a query for all app installations. ### Alert for installation completion -Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success. +Application installations can take some time to complete. So, they're done asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success. -Here is an example of an alert. +Here's an example of an alert. ```xml 
@@ -577,9 +673,10 @@ Here is an example of an alert.
 
 For user-based installation, use the ./User path and for provisioning of apps, use the ./Device path.
 
-The Data field value of 0 (zero) indicates sucess, otherwise it is an error code. If there is a failure, you can get more details from the AppInstallation node.
+The Data field value of 0 (zero) indicates success. Otherwise it's an error code. If there's a failure, you can get more details from the AppInstallation node.
 
-> **Note**  At this time, the alert for Store app installation is not yet available.
+> [!NOTE]
+> At this time, the alert for Store app installation isn't yet available.
 
 ## Uninstall your apps
 
@@ -587,12 +684,12 @@ The Data field value of 0 (zero) indicates sucess, otherwise it is an error code You can uninstall apps from users from Windows 10 devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes: - AppStore - These apps are for the Microsoft Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business. -- nonStore - These apps that were not acquired from the Microsoft Store. -- System - These apps are part of the OS. You cannot uninstall these apps. +- nonStore - These apps that weren't acquired from the Microsoft Store. +- System - These apps are part of the OS. You can't uninstall these apps. -To uninstall an app, you delete it under the origin node, package family name, and package full name. To uninstall a XAP, use the product ID in place of the package family nane and package full name. +To uninstall an app, you delete it under the origin node, package family name, and package full name. To uninstall a XAP, use the product ID in place of the package family name and package full name. -Here is an example for uninstalling all versions of an app for a user. +Here's an example for uninstalling all versions of an app for a user. ```xml @@ -606,7 +703,7 @@ Here is an example for uninstalling all versions of an app for a user. ``` -Here is an example for uninstalling a specific version of the app for a user. +Here's an example for uninstalling a specific version of the app for a user. ```xml 
@@ -622,14 +719,15 @@ Here is an example for uninstalling a specific version of the app for a user. ### Removed provisioned apps from a device -You can remove provisioned apps from a device for a specific version or for all versions of a package family. When a provisioned app is removed, it is not available to future users for the device. Logged in users who has the app registered to them will continue to have access to the app. If you want to removed the app for those users, you must explicitly uninstall the app for those users. +You can remove provisioned apps from a device for a specific version, or for all versions of a package family. When a provisioned app is removed, it isn't available to future users for the device. Logged in users who have the app registered to them will continue to have access to the app. If you want to remove the app for those users, you must explicitly uninstall the app for those users. -> **Note**  You can only remove an app that has an inventory value IsProvisioned = 1. +> [!NOTE] +> You can only remove an app that has an inventory value IsProvisioned = 1. Removing provisioned app occurs in the device context. -Here is an example for removing a provisioned app from a device. +Here's an example for removing a provisioned app from a device. ```xml @@ -643,7 +741,7 @@ Here is an example for removing a provisioned app from a device. ``` -Here is an example for removing a specific version of a provisioned app from a device: +Here's an example for removing a specific version of a provisioned app from a device: ```xml @@ -661,7 +759,7 @@ Here is an example for removing a specific version of a provisioned app from a d You can remove app licenses from a device per app based on the content ID. -Here is an example for removing an app license for a user. +Here's an example for removing an app license for a user. ```xml 
@@ -675,7 +773,7 @@ Here is an example for removing an app license for a user.
 ```
-Here is an example for removing an app license for a provisioned package (device context).
+Here's an example for removing an app license for a provisioned package (device context).
 ```xml
@@ -691,11 +789,11 @@ Here is an example for removing an app license for a provisioned package (device
 ### Alert for app uninstallation
-Uninstallation of an app can take some time complete, hence the uninstallation is performed asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
+Uninstallation of an app can take some time complete. So, the uninstall is run asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success.
 For user-based uninstallation, use ./User in the LocURI, and for provisioning, use ./Device in the LocURI.
-Here is an example. There is only one uninstall for hosted and store apps.
+Here's an example. There's only one uninstall for hosted and store apps.
 ```xml
@@ -721,7 +819,7 @@ Apps installed on a device can be updated using the management server. Apps can
 To update an app from Microsoft Store, the device requires contact with the store services.
-Here is an example of an update scan.
+Here's an example of an update scan.
 ```xml
@@ -735,7 +833,7 @@ Here is an example of an update scan.
 ```
-Here is an example of a status check.
+Here's an example of a status check.
 ```xml
@@ -753,18 +851,17 @@ Here is an example of a status check.
 Updating an existing app follows the same process as an initial installation. For more information, see [Deploy apps to a user from a hosted location](#deploy-apps-to-a-user-from-a-hosted-location).
-
 ### Update provisioned apps
 A provisioned app automatically updates when an app update is sent to the user. You can also update a provisioned app using the same process as an initial provisioning. For more information about initial provisioning, see [Provision apps for all users of a device](#provision-apps-for-all-users-of-a-device).
 ### Prevent app from automatic updates
-You can prevent specific apps from being automatically updated. This allows you to turn on auto-updates for apps, with specific apps excluded as defined by the IT admin.
+You can prevent specific apps from being automatically updated. This feature allows you to turn on auto-updates for apps, with specific apps excluded as defined by the IT admin.
-Turning off updates only applies to updates from the Microsoft Store at the device level. This feature is not available at a user level. You can still update an app if the offline packages is pushed from hosted install location.
+Turning off updates only applies to updates from the Microsoft Store at the device level. This feature isn't available at a user level. You can still update an app if the offline packages are pushed from hosted install location.
-Here is an example.
+Here's an example.
 ```xml
@@ -782,96 +879,24 @@ Here is an example. ``` -## Additional app management scenarios +## More app management scenarios -The following subsections provide information about additional settings configurations. - -### Restrict app installation to the system volume - -You can install app on non-system volumes, such as a secondary partition or removable media (USB or SD cards). Using the RestrictApptoSystemVolume policy, you can prevent apps from getting installed or moved to non-system volumes. For more information about this policy, see [Policy CSP](policy-configuration-service-provider.md). - -> **Note**  This is only supported in mobile devices. - - -Here is an example. - -```xml - - - 1 - - - ./Vendor/MSFT/Policy/Result/ApplicationManagement/RestrictAppToSystemVolume?list=StructData - - - - - - 2 - - - ./Vendor/MSFT/Policy/Config/ApplicationManagement/RestrictAppToSystemVolume - - - int - text/plain - - 1 - - -``` - -### Restrict AppData to the system volume - -In Windows 10 Mobile IT administrators can set a policy to restrict user application data for a Microsoft Store app to the system volume, regardless of where the package is installed or moved. - -> **Note**  The feature is only for Windows 10 Mobile. - - -The RestrictAppDataToSystemVolume policy in [Policy CSP](policy-configuration-service-provider.md) enables you to restrict all user application data to stay on the system volume. When the policy is not configured or if it is disabled, and you move a package or when it is installed to a difference volume, then the user application data will moved to the same volume. You can set this policy to 0 (off, default) or 1. - -Here is an example. 
- -```xml - - - 1 - - - ./Vendor/MSFT/Policy/Result/ApplicationManagement/RestrictAppDataToSystemVolume?list=StructData - - - - - - 2 - - - ./Vendor/MSFT/Policy/Config/ApplicationManagement/RestrictAppDataToSystemVolume - - - int - text/plain - - 1 - - -``` +The following subsections provide information about more settings configurations. ### Enable shared user app data -The Universal Windows app has the ability to share application data between the users of the device. The ability to share data can be set at a package family level or per device. - -> **Note**  This is only applicable to multi-user devices. +The Universal Windows app can share application data between the users of the device. The ability to share data can be set at a package family level or per device. +> [!NOTE] +> This is only applicable to multi-user devices. The AllowSharedUserAppData policy in [Policy CSP](policy-configuration-service-provider.md) enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API. -If you disable this policy, applications cannot share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage to detect if there is any shared data, and /Remove-SharedAppxData to remove it). +If you disable this policy, applications can't share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage to detect if there's any shared data, and /Remove-SharedAppxData to remove it). The valid values are 0 (off, default value) and 1 (on). -Here is an example. +Here's an example. ```xml 
@@ -898,11 +923,3 @@ Here is an example.
 ```
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md
index 98249aad50..1910df9821 100644
--- a/windows/client-management/mdm/enterpriseappmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md
@@ -17,13 +17,40 @@ ms.date: 06/26/2017 The EnterpriseAppManagement enterprise configuration service provider is used to handle enterprise application management tasks such as installing an enterprise application token, the first auto-downloadable app link, querying installed enterprise applications (name and version), auto updating already installed enterprise applications, and removing all installed enterprise apps (including the enterprise app token) during unenrollment. -> **Note**   The EnterpriseAppManagement CSP is only supported in Windows 10 Mobile. +> [!NOTE] +> The EnterpriseAppManagement CSP is only supported in Windows 10 Mobile. -The following diagram shows the EnterpriseAppManagement configuration service provider in tree format. +The following shows the EnterpriseAppManagement configuration service provider in tree format. -![enterpriseappmanagement csp.](images/provisioning-csp-enterpriseappmanagement.png) +```console +./Vendor/MSFT +EnterpriseAppManagement +----EnterpriseID +--------EnrollmentToken +--------StoreProductID +--------StoreUri +--------CertificateSearchCriteria +--------Status +--------CRLCheck +--------EnterpriseApps +------------Inventory +----------------ProductID +--------------------Version +--------------------Title +--------------------Publisher +--------------------InstallDate +------------Download +----------------ProductID +--------------------Version +--------------------Name +--------------------URL +--------------------Status +--------------------LastError +--------------------LastErrorDesc +--------------------DownloadInstall +``` ***EnterpriseID*** Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications. 
@@ -55,7 +82,8 @@ Optional. The character string that contains the search criteria to search for t Supported operations are Get and Add. -> **Note**   Do NOT use Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00. The server must replace this value in the supplied client certificate. If your server returns a client certificate containing the same Subject value, this can cause unexpected behavior. The server should always override the subject value and not use the default device-provided Device ID Subject= Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00 +> [!NOTE] +> Do NOT use Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00. The server must replace this value in the supplied client certificate. If your server returns a client certificate containing the same Subject value, this can cause unexpected behavior. The server should always override the subject value and not use the default device-provided Device ID Subject= Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00 @@ -132,48 +160,16 @@ Supported operations are Get, Add, and Replace. **/Download/*ProductID*/Status** Required. The integer value that indicates the status of the current download process. The following table shows the possible values. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

                  0: CONFIRM

                  Waiting for confirmation from user.

                  1: QUEUED

                  Waiting for download to start.

                  2: DOWNLOADING

                  In the process of downloading.

                  3: DOWNLOADED

                  Waiting for installation to start.

                  4: INSTALLING

                  Handed off for installation.

                  5: INSTALLED

                  Successfully installed

                  6: FAILED

                  Application was rejected (not signed properly, bad XAP format, not enrolled properly, etc.)

                  7:DOWNLOAD_FAILED

                  Unable to connect to server, file doesn't exist, etc.

                  - - +|Value|Description| +|--- |--- | +|0: CONFIRM|Waiting for confirmation from user.| +|1: QUEUED|Waiting for download to start.| +|2: DOWNLOADING|In the process of downloading.| +|3: DOWNLOADED|Waiting for installation to start.| +|4: INSTALLING|Handed off for installation.| +|5: INSTALLED|Successfully installed| +|6: FAILED|Application was rejected (not signed properly, bad XAP format, not enrolled properly, etc.)| +|7:DOWNLOAD_FAILED|Unable to connect to server, file doesn't exist, etc.| Scope is dynamic. Supported operations are Get, Add, and Replace. 
@@ -437,10 +433,10 @@ Install or update the installed app with the product ID “{B316008A-141D-4A79-8 To perform an XAP update, create the Name, URL, Version, and DownloadInstall nodes first, then perform an “execute” on the “DownloadInstall” node (all within an “Atomic” operation). If the application does not exist, the application will be silently installed without any user interaction. If the application cannot be installed, the user will be notified with an Alert dialog. -> **Note**   -> 1. If a previous app-update node existed for this product ID (the node can persist for up to 1 week or 7 days after an installation has completed), then a 418 (already exist) error would be returned on the “Add”. To get around the 418 error, the server should issue a Replace command for the Name, URL, and Version nodes, and then execute on the “DownloadInstall” (within an “Atomic” operation). - -2. The application product ID curly braces need to be escaped where { is %7B and } is %7D. +> [!NOTE] +> - If a previous app-update node existed for this product ID (the node can persist for up to 1 week or 7 days after an installation has completed), then a 418 (already exist) error would be returned on the “Add”. To get around the 418 error, the server should issue a Replace command for the Name, URL, and Version nodes, and then execute on the “DownloadInstall” (within an “Atomic” operation). +> +> - The application product ID curly braces need to be escaped where { is %7B and } is %7D. diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md index 271c1d69cb..db8f48e055 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md 
@@ -17,13 +17,14 @@ ms.date: 07/12/2017 The EnterpriseAssignedAccess configuration service provider allows IT administrators to configure settings, such as language and themes, lock down a device, and configure custom layouts on a device. For example, the administrator can lock down a device so that only applications specified in an Allow list are available. Apps not on the Allow list remain installed on the device, but are hidden from view and blocked from launching. -> **Note**   The EnterpriseAssignedAccess CSP is only supported in Windows 10 Mobile. +> [!NOTE] +> The EnterpriseAssignedAccess CSP is only supported in Windows 10 Mobile. - -To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](/uwp/api/Windows.Embedded.DeviceLockdown.DeviceLockdownProfile). +For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](/uwp/api/Windows.Embedded.DeviceLockdown.DeviceLockdownProfile). The following shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. -``` + +```console ./Vendor/MSFT EnterpriseAssignedAccess ----AssignedAccess @@ -39,6 +40,7 @@ EnterpriseAssignedAccess ----Locale --------Language ``` + The following list shows the characteristics and parameters. **./Vendor/MSFT/EnterpriseAssignedAccess/** 
@@ -632,110 +634,30 @@ Supported operations are Get and Replace. **Theme/ThemeAccentColorID** The accent color to apply as the foreground color for tiles, controls, and other visual elements on the device. The following table shows the possible values. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  ValueDescription

                  0

                  Lime

                  1

                  Green

                  2

                  Emerald

                  3

                  Teal (Viridian)

                  4

                  Cyan (Blue)

                  5

                  Cobalt

                  6

                  Indigo

                  7

                  Violet (Purple)

                  8

                  Pink

                  9

                  Magenta

                  10

                  Crimson

                  11

                  Red

                  12

                  Orange (Mango)

                  13

                  Amber

                  14

                  Yellow

                  15

                  Brown

                  16

                  Olive

                  17

                  Steel

                  18

                  Mauve

                  19

                  Sienna

                  101 through 104

                  Optional colors, as defined by the OEM

                  151

                  Custom accent color for Enterprise

                  - - +|Value|Description| +|--- |--- | +|0|Lime| +|1|Green| +|2|Emerald| +|3|Teal (Viridian)| +|4|Cyan (Blue)| +|5|Cobalt| +|6|Indigo| +|7|Violet (Purple)| +|8|Pink| +|9|Magenta| +|10|Crimson| +|11|Red| +|12|Orange (Mango)| +|13|Amber| +|14|Yellow| +|15|Brown| +|16|Olive| +|17|Steel| +|18|Mauve| +|19|Sienna| +|101 through 104|Optional colors, as defined by the OEM| +|151|Custom accent color for Enterprise| Supported operations are Get and Replace. @@ -759,440 +681,119 @@ An integer that specifies the time zone of the device. The following table shows Supported operations are Get and Replace. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  ValueTime zone

                  0

                  UTC-12 International Date Line West

                  100

                  UTC+13 Samoa

                  110

                  UTC-11 Coordinated Universal Time-11

                  200

                  UTC-10 Hawaii

                  300

                  UTC-09 Alaska

                  400

                  UTC-08 Pacific Time (US & Canada)

                  410

                  UTC-08 Baja California

                  500

                  UTC-07 Mountain Time (US & Canada)

                  510

                  UTC-07 Chihuahua, La Paz, Mazatlan

                  520

                  UTC-07 Arizona

                  600

                  UTC-06 Saskatchewan

                  610

                  UTC-06 Central America

                  620

                  UTC-06 Central Time (US & Canada)

                  630

                  UTC-06 Guadalajara, Mexico City, Monterrey

                  700

                  UTC-05 Eastern Time (US & Canada)

                  710

                  UTC-05 Bogota, Lima, Quito

                  720

                  UTC-05 Indiana (East)

                  800

                  UTC-04 Atlantic Time (Canada)

                  810

                  UTC-04 Cuiaba

                  820

                  UTC-04 Santiago

                  830

                  UTC-04 Georgetown, La Paz, Manaus, San Juan

                  840

                  UTC-04 Caracas

                  850

                  UTC-04 Asuncion

                  900

                  UTC-03:30 Newfoundland

                  910

                  UTC-03 Brasilia

                  920

                  UTC-03 Greenland

                  930

                  UTC-03 Montevideo

                  940

                  UTC-03 Cayenne, Fortaleza

                  950

                  UTC-03 Buenos Aires

                  960

                  UTC-03 Salvador

                  1000

                  UTC-02 Mid-Atlantic

                  1010

                  UTC-02 Coordinated Universal Time-02

                  1100

                  UTC-01 Azores

                  1110

                  UTC-01 Cabo Verde

                  1200

                  UTC Dublin, Edinburgh, Lisbon, London

                  1210

                  UTC Monrovia, Reykjavik

                  1220

                  UTC Casablanca

                  1230

                  UTC Coordinated Universal Time

                  1300

                  UTC+01 Belgrade, Bratislava, Budapest, Ljubljana, Prague

                  1310

                  UTC+01 Sarajevo, Skopje, Warsaw, Zagreb

                  1320

                  UTC+01 Brussels, Copenhagen, Madrid, Paris

                  1330

                  UTC+01 West Central Africa

                  1340

                  UTC+01 Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

                  1350

                  UTC+01 Windhoek

                  1360

                  UTC+01 Tripoli

                  1400

                  UTC+02 E. Europe

                  1410

                  UTC+02 Cairo

                  1420

                  UTC+02 Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius

                  1430

                  UTC+02 Athens, Bucharest

                  1440

                  UTC+02 Jerusalem

                  1450

                  UTC+02 Amman

                  1460

                  UTC+02 Beirut

                  1470

                  UTC+02 Harare, Pretoria

                  1480

                  UTC+02 Damascus

                  1490

                  UTC+02 Istanbul

                  1500

                  UTC+03 Kuwait, Riyadh

                  1510

                  UTC+03 Baghdad

                  1520

                  UTC+03 Nairobi

                  1530

                  UTC+03 Kaliningrad, Minsk

                  1540

                  UTC+04 Moscow, St. Petersburg, Volgograd

                  1550

                  UTC+03 Tehran

                  1600

                  UTC+04 Abu Dhabi, Muscat

                  1610

                  UTC+04 Baku

                  1620

                  UTC+04 Yerevan

                  1630

                  UTC+04 Kabul

                  1640

                  UTC+04 Tbilisi

                  1650

                  UTC+04 Port Louis

                  1700

                  UTC+06 Ekaterinburg

                  1710

                  UTC+05 Tashkent

                  1720

                  UTC+05 Chennai, Kolkata, Mumbai, New Delhi

                  1730

                  UTC+05 Sri Jayawardenepura

                  1740

                  UTC+05 Kathmandu

                  1750

                  UTC+05 Islamabad, Karachi

                  1800

                  UTC+06 Astana

                  1810

                  UTC+07 Novosibirsk

                  1820

                  UTC+06 Yangon (Rangoon)

                  1830

                  UTC+06 Dhaka

                  1900

                  UTC+08 Krasnoyarsk

                  1910

                  UTC+07 Bangkok, Hanoi, Jakarta

                  1900

                  UTC+08 Krasnoyarsk

                  2000

                  UTC+08 Beijing, Chongqing, Hong Kong SAR, Urumqi

                  2010

                  UTC+09 Irkutsk

                  2020

                  UTC+08 Kuala Lumpur, Singapore

                  2030

                  UTC+08 Taipei

                  2040

                  UTC+08 Perth

                  2050

                  UTC+08 Ulaanbaatar

                  2100

                  UTC+09 Seoul

                  2110

                  UTC+09 Osaka, Sapporo, Tokyo

                  2120

                  UTC+10 Yakutsk

                  2130

                  UTC+09 Darwin

                  2140

                  UTC+09 Adelaide

                  2200

                  UTC+10 Canberra, Melbourne, Sydney

                  2210

                  UTC+10 Brisbane

                  2220

                  UTC+10 Hobart

                  2230

                  UTC+11 Vladivostok

                  2240

                  UTC+10 Guam, Port Moresby

                  2300

                  UTC+11 Solomon Is., New Caledonia

                  2310

                  UTC+12 Magadan

                  2400

                  UTC+12 Fiji

                  2410

                  UTC+12 Auckland, Wellington

                  2420

                  UTC+12 Petropavlovsk-Kamchatsky

                  2430

                  UTC+12 Coordinated Universal Time +12

                  2500

                  UTC+13 Nuku'alofa

                  - +|Value|Time zone| +|--- |--- | +|0|UTC-12 International Date Line West| +|100|UTC+13 Samoa| +|110|UTC-11 Coordinated Universal Time-11| +|200|UTC-10 Hawaii| +|300|UTC-09 Alaska| +|400|UTC-08 Pacific Time (US & Canada)| +|410|UTC-08 Baja California| +|500|UTC-07 Mountain Time (US & Canada)| +|510|UTC-07 Chihuahua, La Paz, Mazatlan| +|520|UTC-07 Arizona| +|600|UTC-06 Saskatchewan| +|610|UTC-06 Central America| +|620|UTC-06 Central Time (US & Canada)| +|630|UTC-06 Guadalajara, Mexico City, Monterrey| +|700|UTC-05 Eastern Time (US & Canada)| +|710|UTC-05 Bogota, Lima, Quito| +|720|UTC-05 Indiana (East)| +|800|UTC-04 Atlantic Time (Canada)| +|810|UTC-04 Cuiaba| +|820|UTC-04 Santiago| +|830|UTC-04 Georgetown, La Paz, Manaus, San Juan| +|840|UTC-04 Caracas| +|850|UTC-04 Asuncion| +|900|UTC-03:30 Newfoundland| +|910|UTC-03 Brasilia| +|920|UTC-03 Greenland| +|930|UTC-03 Montevideo| +|940|UTC-03 Cayenne, Fortaleza| +|950|UTC-03 Buenos Aires| +|960|UTC-03 Salvador| +|1000|UTC-02 Mid-Atlantic| +|1010|UTC-02 Coordinated Universal Time-02| +|1100|UTC-01 Azores| +|1110|UTC-01 Cabo Verde| +|1200|UTC Dublin, Edinburgh, Lisbon, London| +|1210|UTC Monrovia, Reykjavik| +|1220|UTC Casablanca| +|1230|UTC Coordinated Universal Time| +|1300|UTC+01 Belgrade, Bratislava, Budapest, Ljubljana, Prague| +|1310|UTC+01 Sarajevo, Skopje, Warsaw, Zagreb| +|1320|UTC+01 Brussels, Copenhagen, Madrid, Paris| +|1330|UTC+01 West Central Africa| +|1340|UTC+01 Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna| +|1350|UTC+01 Windhoek| +|1360|UTC+01 Tripoli| +|1400|UTC+02 E. Europe| +|1410|UTC+02 Cairo| +|1420|UTC+02 Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius| +|1430|UTC+02 Athens, Bucharest| +|1440|UTC+02 Jerusalem| +|1450|UTC+02 Amman| +|1460|UTC+02 Beirut| +|1470|UTC+02 Harare, Pretoria| +|1480|UTC+02 Damascus| +|1490|UTC+02 Istanbul| +|1500|UTC+03 Kuwait, Riyadh| +|1510|UTC+03 Baghdad| +|1520|UTC+03 Nairobi| +|1530|UTC+03 Kaliningrad, Minsk| +|1540|UTC+04 Moscow, St. 
Petersburg, Volgograd| +|1550|UTC+03 Tehran| +|1600|UTC+04 Abu Dhabi, Muscat| +|1610|UTC+04 Baku| +|1620|UTC+04 Yerevan| +|1630|UTC+04 Kabul| +|1640|UTC+04 Tbilisi| +|1650|UTC+04 Port Louis| +|1700|UTC+06 Ekaterinburg| +|1710|UTC+05 Tashkent| +|1720|UTC+05 Chennai, Kolkata, Mumbai, New Delhi| +|1730|UTC+05 Sri Jayawardenepura| +|1740|UTC+05 Kathmandu| +|1750|UTC+05 Islamabad, Karachi| +|1800|UTC+06 Astana| +|1810|UTC+07 Novosibirsk| +|1820|UTC+06 Yangon (Rangoon)| +|1830|UTC+06 Dhaka| +|1900|UTC+08 Krasnoyarsk| +|1910|UTC+07 Bangkok, Hanoi, Jakarta| +|1900|UTC+08 Krasnoyarsk| +|2000|UTC+08 Beijing, Chongqing, Hong Kong SAR, Urumqi| +|2010|UTC+09 Irkutsk| +|2020|UTC+08 Kuala Lumpur, Singapore| +|2030|UTC+08 Taipei| +|2040|UTC+08 Perth| +|2050|UTC+08 Ulaanbaatar| +|2100|UTC+09 Seoul| +|2110|UTC+09 Osaka, Sapporo, Tokyo| +|2120|UTC+10 Yakutsk| +|2130|UTC+09 Darwin| +|2140|UTC+09 Adelaide| +|2200|UTC+10 Canberra, Melbourne, Sydney| +|2210|UTC+10 Brisbane| +|2220|UTC+10 Hobart| +|2230|UTC+11 Vladivostok| +|2240|UTC+10 Guam, Port Moresby| +|2300|UTC+11 Solomon Is., New Caledonia| +|2310|UTC+12 Magadan| +|2400|UTC+12 Fiji| +|2410|UTC+12 Auckland, Wellington| +|2420|UTC+12 Petropavlovsk-Kamchatsky| +|2430|UTC+12 Coordinated Universal Time +12| +|2500|UTC+13 Nuku'alofa| **Locale/Language/** The culture code that identifies the language to display on a device, and specifies the formatting of numbers, currencies, time, and dates. For language values, see [Locale IDs Assigned by Microsoft](/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). The language setting is configured in the Default User profile only. -> **Note**  Apply the Locale ID only after the corresponding language packs are built into and supported for the OS image running on the device. The specified language will be applied as the phone language and a restart may be required. 
+> [!NOTE] +> Apply the Locale ID only after the corresponding language packs are built into and supported for the OS image running on the device. The specified language will be applied as the phone language and a restart may be required. Supported operations are Get and Replace. @@ -1201,7 +802,8 @@ Supported operations are Get and Replace. The XML examples in this section show how to perform various tasks by using OMA client provisioning. -> **Note**  These examples are XML snippets and do not include all sections that are required for a complete lockdown XML file. +> [!NOTE] +> These examples are XML snippets and do not include all sections that are required for a complete lockdown XML file. @@ -1470,212 +1072,45 @@ The following example shows how to set the language. ## Product IDs in Windows 10 Mobile - The following table lists the product ID and AUMID for each app that is included in Windows 10 Mobile. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  AppProduct IDAUMID
                  Alarms and clock44F7D2B4-553D-4BEC-A8B7-634CE897ED5FMicrosoft.WindowsAlarms_8wekyb3d8bbwe!App
                  CalculatorB58171C6-C70C-4266-A2E8-8F9C994F4456Microsoft.WindowsCalculator_8wekyb3d8bbwe!App
                  CameraF0D8FEFD-31CD-43A1-A45A-D0276DB069F1Microsoft.WindowsCamera_8wekyb3d8bbwe!App
                  Contact Support0DB5FCFF-4544-458A-B320-E352DFD9CA2BWindows.ContactSupport_cw5n1h2txyewy!App
                  CortanaFD68DCF4-166F-4C55-A4CA-348020F71B94Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
                  ExcelEAD3E7C0-FAE6-4603-8699-6A448138F4DCMicrosoft.Office.Excel_8wekyb3d8bbwe!microsoft.excel
                  Facebook82A23635-5BD9-DF11-A844-00237DE2DB9EMicrosoft.MSFacebook_8wekyb3d8bbwe!x82a236355bd9df11a84400237de2db9e
                  File ExplorerC5E2524A-EA46-4F67-841F-6A9465D9D515c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy!App
                  FM RadioF725010E-455D-4C09-AC48-BCDEF0D4B626N/A
                  Get StartedB3726308-3D74-4A14-A84C-867C8C735C3CMicrosoft.Getstarted_8wekyb3d8bbwe!App
                  Groove MusicD2B6A184-DA39-4C9A-9E0A-8B589B03DEC0Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic
                  MapsED27A07E-AF57-416B-BC0C-2596B622EF7DMicrosoft.WindowsMaps_8wekyb3d8bbwe!App
                  Messaging27E26F40-E031-48A6-B130-D1F20388991AMicrosoft.Messaging_8wekyb3d8bbwe!x27e26f40ye031y48a6yb130yd1f20388991ax
                  Microsoft Edge395589FB-5884-4709-B9DF-F7D558663FFDMicrosoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
                  Money1E0440F1-7ABF-4B9A-863D-177970EEFB5EMicrosoft.BingFinance_8wekyb3d8bbwe!AppexFinance
                  Movies and TV6AFFE59E-0467-4701-851F-7AC026E21665Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo
                  News9C3E8CAD-6702-4842-8F61-B8B33CC9CAF1Microsoft.BingNews_8wekyb3d8bbwe!AppexNews
                  OneDriveAD543082-80EC-45BB-AA02-FFE7F4182BA8Microsoft.MicrosoftSkydrive_8wekyb3d8bbwe!App
                  OneNoteCA05B3AB-F157-450C-8C49-A1F127F5E71DMicrosoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim
                  Outlook Calendar

                  A558FEBA-85D7-4665-B5D8-A2FF9C19799B

                  Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Calendar

                  Outlook Mail

                  A558FEBA-85D7-4665-B5D8-A2FF9C19799B

                  Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail

                  People60BE1FB8-3291-4B21-BD39-2221AB166481Microsoft.People_8wekyb3d8bbwe!xb94d6231y84ddy49a8yace3ybc955e769e85x
                  Phone (dialer)F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7Microsoft.CommsPhone_8wekyb3d8bbwe!App
                  PhotosFCA55E1B-B9A4-4289-882F-084EF4145005Microsoft.Windows.Photos_8wekyb3d8bbwe!App
                  PodcastsC3215724-B279-4206-8C3E-61D1A9D63ED3Microsoft.MSPodcast_8wekyb3d8bbwe!xc3215724yb279y4206y8c3ey61d1a9d63ed3x
                  PowerPointB50483C4-8046-4E1B-81BA-590B24935798Microsoft.Office.PowerPoint_8wekyb3d8bbwe!microsoft.pptim
                  Settings2A4E62D8-8809-4787-89F8-69D0F01654FB2a4e62d8-8809-4787-89f8-69d0f01654fb_8wekyb3d8bbwe!App
                  SkypeC3F8E570-68B3-4D6A-BDBB-C0A3F4360A51Microsoft.SkypeApp_kzf8qxf38zg5c!Skype.AppId
                  Skype Video27E26F40-E031-48A6-B130-D1F20388991AMicrosoft.Messaging_8wekyb3d8bbwe!App
                  Sports0F4C8C7E-7114-4E1E-A84C-50664DB13B17Microsoft.BingSports_8wekyb3d8bbwe!AppexSports
                  Storage5B04B775-356B-4AA0-AAF8-6491FFEA564DN/A
                  Store7D47D89A-7900-47C5-93F2-46EB6D94C159Microsoft.WindowsStore_8wekyb3d8bbwe!App
                  Voice recorder7311B9C5-A4E9-4C74-BC3C-55B06BA95AD0Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe!App
                  Wallet587A4577-7868-4745-A29E-F996203F1462Microsoft.MicrosoftWallet_8wekyb3d8bbwe!App
                  Weather63C2A117-8604-44E7-8CEF-DF10BE3A57C8Microsoft.BingWeather_8wekyb3d8bbwe!App
                  Windows Feedback7604089D-D13F-4A2D-9998-33FC02B63CE3Microsoft.WindowsFeedback_8wekyb3d8bbwe!App
                  Word258F115C-48F4-4ADB-9A68-1387E634459BMicrosoft.Office.Word_8wekyb3d8bbwe!microsoft.word
                  XboxB806836F-EEBE-41C9-8669-19E243B81B83Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp
                  \ No newline at end of file +|App|Product ID|AUMID| +|--- |--- |--- | +|Alarms and clock|44F7D2B4-553D-4BEC-A8B7-634CE897ED5F|Microsoft.WindowsAlarms_8wekyb3d8bbwe!App| +|Calculator|B58171C6-C70C-4266-A2E8-8F9C994F4456|Microsoft.WindowsCalculator_8wekyb3d8bbwe!App| +|Camera|F0D8FEFD-31CD-43A1-A45A-D0276DB069F1|Microsoft.WindowsCamera_8wekyb3d8bbwe!App| +|Contact Support|0DB5FCFF-4544-458A-B320-E352DFD9CA2B|Windows.ContactSupport_cw5n1h2txyewy!App| +|Cortana|FD68DCF4-166F-4C55-A4CA-348020F71B94|Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI| +|Excel|EAD3E7C0-FAE6-4603-8699-6A448138F4DC|Microsoft.Office.Excel_8wekyb3d8bbwe!microsoft.excel| +|Facebook|82A23635-5BD9-DF11-A844-00237DE2DB9E|Microsoft.MSFacebook_8wekyb3d8bbwe!x82a236355bd9df11a84400237de2db9e| +|File Explorer|C5E2524A-EA46-4F67-841F-6A9465D9D515|c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy!App| +|FM Radio|F725010E-455D-4C09-AC48-BCDEF0D4B626|N/A| +|Get Started|B3726308-3D74-4A14-A84C-867C8C735C3C|Microsoft.Getstarted_8wekyb3d8bbwe!App| +|Groove Music|D2B6A184-DA39-4C9A-9E0A-8B589B03DEC0|Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic| +|Maps|ED27A07E-AF57-416B-BC0C-2596B622EF7D|Microsoft.WindowsMaps_8wekyb3d8bbwe!App| +|Messaging|27E26F40-E031-48A6-B130-D1F20388991A|Microsoft.Messaging_8wekyb3d8bbwe!x27e26f40ye031y48a6yb130yd1f20388991ax| +|Microsoft Edge|395589FB-5884-4709-B9DF-F7D558663FFD|Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge| +|Money|1E0440F1-7ABF-4B9A-863D-177970EEFB5E|Microsoft.BingFinance_8wekyb3d8bbwe!AppexFinance| +|Movies and TV|6AFFE59E-0467-4701-851F-7AC026E21665|Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo| +|News|9C3E8CAD-6702-4842-8F61-B8B33CC9CAF1|Microsoft.BingNews_8wekyb3d8bbwe!AppexNews| +|OneDrive|AD543082-80EC-45BB-AA02-FFE7F4182BA8|Microsoft.MicrosoftSkydrive_8wekyb3d8bbwe!App| +|OneNote|CA05B3AB-F157-450C-8C49-A1F127F5E71D|Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim| +|Outlook 
Calendar|A558FEBA-85D7-4665-B5D8-A2FF9C19799B|Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Calendar| +|Outlook Mail|A558FEBA-85D7-4665-B5D8-A2FF9C19799B|Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail| +|People|60BE1FB8-3291-4B21-BD39-2221AB166481|Microsoft.People_8wekyb3d8bbwe!xb94d6231y84ddy49a8yace3ybc955e769e85x| +|Phone (dialer)|F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7|Microsoft.CommsPhone_8wekyb3d8bbwe!App| +|Photos|FCA55E1B-B9A4-4289-882F-084EF4145005|Microsoft.Windows.Photos_8wekyb3d8bbwe!App| +|Podcasts|C3215724-B279-4206-8C3E-61D1A9D63ED3|Microsoft.MSPodcast_8wekyb3d8bbwe!xc3215724yb279y4206y8c3ey61d1a9d63ed3x| +|PowerPoint|B50483C4-8046-4E1B-81BA-590B24935798|Microsoft.Office.PowerPoint_8wekyb3d8bbwe!microsoft.pptim| +|Settings|2A4E62D8-8809-4787-89F8-69D0F01654FB|2a4e62d8-8809-4787-89f8-69d0f01654fb_8wekyb3d8bbwe!App| +|Skype|C3F8E570-68B3-4D6A-BDBB-C0A3F4360A51|Microsoft.SkypeApp_kzf8qxf38zg5c!Skype.AppId| +|Skype Video|27E26F40-E031-48A6-B130-D1F20388991A|Microsoft.Messaging_8wekyb3d8bbwe!App| +|Sports|0F4C8C7E-7114-4E1E-A84C-50664DB13B17|Microsoft.BingSports_8wekyb3d8bbwe!AppexSports| +|Storage|5B04B775-356B-4AA0-AAF8-6491FFEA564D|N/A| +|Store|7D47D89A-7900-47C5-93F2-46EB6D94C159|Microsoft.WindowsStore_8wekyb3d8bbwe!App| +|Voice recorder|7311B9C5-A4E9-4C74-BC3C-55B06BA95AD0|Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe!App| +|Wallet|587A4577-7868-4745-A29E-F996203F1462|Microsoft.MicrosoftWallet_8wekyb3d8bbwe!App| +|Weather|63C2A117-8604-44E7-8CEF-DF10BE3A57C8|Microsoft.BingWeather_8wekyb3d8bbwe!App| +|Windows Feedback|7604089D-D13F-4A2D-9998-33FC02B63CE3|Microsoft.WindowsFeedback_8wekyb3d8bbwe!App| +|Word|258F115C-48F4-4ADB-9A68-1387E634459B|Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word| +|Xbox|B806836F-EEBE-41C9-8669-19E243B81B83|Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp| 
diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md
index 3b596b6652..07388f0b79 100644
--- a/windows/client-management/mdm/enterprisedataprotection-csp.md
+++ b/windows/client-management/mdm/enterprisedataprotection-csp.md
@@ -30,7 +30,8 @@ To learn more about WIP, see the following articles:
 - [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
 The following shows the EnterpriseDataProtection CSP in tree format.
-```
+
+```console
 ./Device/Vendor/MSFT
 EnterpriseDataProtection
 ----Settings
@@ -45,6 +46,7 @@ EnterpriseDataProtection
 --------EDPShowIcons
 ----Status
 ```
+
 **./Device/Vendor/MSFT/EnterpriseDataProtection**
 The root node for the CSP.
@@ -71,7 +73,6 @@ Changing the primary enterprise ID is not supported and may cause unexpected beh
 > [!Note]
 > The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
-
 Here are the steps to create canonical domain names:
@@ -111,7 +112,6 @@ The CSP checks the current edition and hardware support (TPM), and returns an er
 > [!Note]
 > This setting is only supported in Windows 10 Mobile.
-
 Supported operations are Add, Get, Replace, and Delete. Value type is integer.
@@ -124,7 +124,7 @@ Specifies a recovery certificate that can be used for data recovery of encrypted
 DRA information from MDM policy must be a serialized binary blob identical to what we expect from GP. The binary blob is the serialized version of following structure:
-``` syntax
+```cpp
 //
 //  Recovery Policy Data Structures
 //
@@ -243,7 +243,6 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {
 EfsCertificate,
 EfsCertificateThumbprint
 } PUBLIC_KEY_SOURCE_TAG, *PPUBLIC_KEY_SOURCE_TAG;
-
 ```
 For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate.
@@ -300,36 +299,9 @@ A read-only bit mask that indicates the current state of WIP on the Device. The Suggested values: - ------- - - - - - - - - - - - - - - - - -

                  Reserved for future use

                  WIP mandatory settings

                  -

                  Set = 1

                  -

                  Not set = 0

                  Reserved for future use

                  AppLocker configured

                  -

                  Yes = 1

                  -

                  No = 0

                  WIP on = 1

                  -

                  WIP off = 0

                  4

                  3

                  2

                  1

                  0

                  +|Reserved for future use|WIP mandatory settings
                  Set = 1
                  Not set = 0|Reserved for future use|AppLocker configured
                  Yes = 1
                  No = 0|WIP on = 1
                  WIP off = 0| +|--- |--- |--- |--- |--- | +|4|3|2|1|0| diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 78f0b5cb28..70beb72229 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -259,41 +259,12 @@ The following table describes the fields in the previous sample: The following table describes the fields in the previous sample: - ---- - - - - - - - - - - - - - - - - +|Name|Description| +|--- |--- | +|Add|This is required to precede the Exec command.
                • CmdID - Input value used to reference the request. Responses includes this value, which can be use to match the request and response.
                • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.| +|Exec|The Exec node includes the parameters and properties requires to locate, download, validate and perform product installation.
                • CmdID - Input value used to reference the request. Responses will include this value which can be used to match request and response.
                • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.
                • Data - The Data node contains an embedded XML, of type “MsiInstallJob”
                • MsiInstallJob - Contains all information required for the successful download, validation and execution of the MSI installation process (see section at the end of this document for details on this embedded data object).|
                • NameDescription
                  AddThis is required to precede the Exec command. -
                    -
                  • CmdID - Input value used to reference the request. Responses includes this value, which can be use to match the request and response.
                  • -
                  • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.
                  • -
                  ExecThe Exec node includes the parameters and properties requires to locate, download, validate and perform product installation. -
                    -
                  • CmdID - Input value used to reference the request. Responses will include this value which can be used to match request and response.
                  • -
                  • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.
                  • -
                  • Data - The Data node contains an embedded XML, of type “MsiInstallJob”
                  • -
                  • MsiInstallJob - Contains all information required for the successful download, validation and execution of the MSI installation process (see section at the end of this document for details on this embedded data object).
                  • -
                  - - > [!Note] > Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at [Msiexec (command-line options)](https://technet.microsoft.com/library/cc759262%28v=ws.10%29.aspx). @@ -353,70 +324,20 @@ The following table describes the fields in the previous sample: The following table MsiInstallJob describes the schema elements. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  ElementDescription
                  MsiInstallJobroot element -

                  "Attribute: "id - the application identifier of the application being installed

                  Productchild element of MsiInstallJob -

                  Attribute: “Version” – string representation of application version

                  Downloadchild element of Product. Container for download configuration information.
                  ContentURLListchild element of Download. Contains list of 1 or more content download URL locators in the form of ContentURL elements.
                  ContentURLLocation content should be downloaded from. Must be a property formatted URL that points to the .MSI file.
                  ValidationContains information used to validate contend authenticity. • FileHash – SHA256 hash value of file content
                  FileHashSHA256 hash value of file content
                  Enforcementinstallation properties to be used when installing this MSI
                  CommandLineCommand-line options to be used when calling MSIEXEC.exe
                  TimeOutAmount of time, in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation.
                  RetryCountThe number of times the download and installation operation will be retried before the installation will be marked as failed.
                  RetryIntervalAmount of time, in minutes between retry operations.
                  +|Element|Description| +|--- |--- | +|MsiInstallJob|root element
                  "Attribute: "id - the application identifier of the application being installed| +|Product|child element of MsiInstallJob
                  Attribute: “Version” – string representation of application version| +|Download|child element of Product. Container for download configuration information.| +|ContentURLList|child element of Download. Contains list of 1 or more content download URL locators in the form of ContentURL elements.| +|ContentURL|Location content should be downloaded from. Must be a property formatted URL that points to the .MSI file.| +|Validation|Contains information used to validate contend authenticity. • FileHash – SHA256 hash value of file content| +|FileHash|SHA256 hash value of file content| +|Enforcement|installation properties to be used when installing this MSI| +|CommandLine|Command-line options to be used when calling MSIEXEC.exe| +|TimeOut|Amount of time, in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation.| +|RetryCount|The number of times the download and installation operation will be retried before the installation will be marked as failed.| +|RetryInterval|Amount of time, in minutes between retry operations.| @@ -453,85 +374,17 @@ The following tables shows how app targeting and MSI package type (per-user, per For Intune standalone environment, the MSI package will determine the MSI execution context. - ------ - - - - - - - - - - - - - - - - - - - - - - -
                  TargetPer-user MSIPer-machine MSIDual mode MSI
                  UserInstall the MSI per-user -

                  LocURI contains a User prefix, such as ./User

                  Install the MSI per-device -

                  LocURI contains a Device prefix, such as ./Device

                  Install the MSI per-user -

                  LocURI contains a User prefix, such as ./User

                  SystemInstall the MSI per-user -

                  LocURI contains a User prefix, such as ./User

                  Install the MSI per-device -

                  LocURI contains a Device prefix, such as ./Device

                  Install the MSI per-user -

                  LocURI contains a User prefix, such as ./User

                  - - +|Target|Per-user MSI|Per-machine MSI|Dual mode MSI| +|--- |--- |--- |--- | +|User|Install the MSI per-user
                  LocURI contains a User prefix, such as ./User|Install the MSI per-device
                  LocURI contains a Device prefix, such as ./Device|Install the MSI per-user
                  LocURI contains a User prefix, such as ./User| +|System|Install the MSI per-user
                  LocURI contains a User prefix, such as ./User|Install the MSI per-device
                  LocURI contains a Device prefix, such as ./Device|Install the MSI per-user
                  LocURI contains a User prefix, such as ./User| The following table applies to SCCM hybrid environment. - ------ - - - - - - - - - - - - - - - - - - - - - - -
                  TargetPer-user MSIPer-machine MSIDual mode MSI
                  UserInstall the MSI per-user -

                  LocURI contains a User prefix, such as ./User

                  Install the MSI per-device -

                  LocURI contains a Device prefix, such as ./Device

                  Install the MSI per-user -

                  LocURI contains a User prefix, such as ./User

                  SystemInstall the MSI per-user -

                  LocURI contains a User prefix, such as ./User

                  Install the MSI per-device -

                  LocURI contains a Device prefix, such as ./Device

                  Install the MSI per- system context -

                  LocURI contains a Device prefix, such as ./Device

                  - - +|Target|Per-user MSI|Per-machine MSI|Dual mode MSI| +|--- |--- |--- |--- | +|User|Install the MSI per-user
                  LocURI contains a User prefix, such as ./User|Install the MSI per-device
                  LocURI contains a Device prefix, such as ./Device|Install the MSI per-user
                  LocURI contains a User prefix, such as ./User| +|System|Install the MSI per-user
                  LocURI contains a User prefix, such as ./User|Install the MSI per-device
                  LocURI contains a Device prefix, such as ./Device|Install the MSI per- system context
                  LocURI contains a Device prefix, such as ./Device| ## How to determine the package type from the MSI package diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index ee9026f5a7..7929c9bf66 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -8,8 +8,8 @@ ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman -ms.date: 09/27/2019 +author: dansimp +ms.date: 11/19/2021 --- # EnterpriseModernAppManagement CSP @@ -181,7 +181,7 @@ The following example removes a package for all users: xml - + diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md index 4f516e8c19..f1dd261229 100644 --- a/windows/client-management/mdm/esim-enterprise-management.md +++ b/windows/client-management/mdm/esim-enterprise-management.md 
@@ -15,7 +15,7 @@ ms.topic: conceptual The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps: - Onboard to Azure Active Directory -- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. 
As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding as well as mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include: +- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. 
If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding as well as mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include: - [HPE’s Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) - [IDEMIA’s The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub) - Assess solution type that you would like to provide your customers diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 97ae6b939f..c9219f4340 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md 
@@ -62,6 +62,36 @@ Required. Indicates whether this eUICC is physically present and active. Updated
 Supported operation is Get. Value type is boolean.
+**_eUICC_/PPR1Allowed**
+Profile Policy Rule 1 (PPR1) is required. Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 is not allowed.
+
+Supported operation is Get. Value type is boolean.
+
+**_eUICC_/PPR1AlreadySet**
+Required. Indicates whether the eUICC already has a profile with PPR1.
+
+Supported operation is Get. Value type is boolean.
+
+**_eUICC_/DownloadServers**
+Interior node. Represents default SM-DP+ discovery requests.
+
+Supported operation is Get.
+
+**_eUICC_/DownloadServers/_ServerName_**
+Interior node. Optional. Node specifying the server name for a discovery operation. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request.
+
+Supported operations are Add, Get, and Delete.
+
+**_eUICC_/DownloadServers/_ServerName_/DiscoveryState**
+Required. Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA.
+
+Supported operation is Get. Value type is integer. Default value is 1.
+
+**_eUICC_/DownloadServers/_ServerName_/AutoEnable**
+Required. Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created.
+
+Supported operations are Add, Get, and Replace. Value type is bool.
+
 **_eUICC_/Profiles**
 Interior node. Required. Represents all enterprise-owned profiles.
diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md
index 38bb8e5f6f..f7d0851746 100644
--- a/windows/client-management/mdm/euiccs-ddf-file.md +++ b/windows/client-management/mdm/euiccs-ddf-file.md @@ -49,7 +49,7 @@ The XML below if for Windows 10, version 1803. - com.microsoft/1.1/MDM/eUICCs + com.microsoft/1.2/MDM/eUICCs @@ -58,7 +58,7 @@ The XML below if for Windows 10, version 1803. - Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC. + Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is the eUICC ID (EID). The node name "Default" represents the currently active eUICC. @@ -79,7 +79,7 @@ The XML below if for Windows 10, version 1803. - Identifies an eUICC in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID. + The EID. 
@@ -118,6 +118,139 @@ The XML below if for Windows 10, version 1803. + + PPR1Allowed + + + + + Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 is not allowed. + + + + + + + + + + + text/plain + + + + + PPR1AlreadySet + + + + + Indicates whether the eUICC already has a profile with PPR1. + + + + + + + + + + + text/plain + + + + + DownloadServers + + + + + Represents default SM-DP+ discovery requests. + + + + + + + + + + + + + + + + + + + + + + + Node specifying the server name for a discovery operation. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request. + + + + + + + + + + ServerName + + + + + + DiscoveryState + + + + + 1 + Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA. + + + + + + + + + + + text/plain + + + + + AutoEnable + + + + + + + Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created. + + + + + + + + + + + text/plain + + + + + Profiles @@ -145,6 +278,7 @@ The XML below if for Windows 10, version 1803. + Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC). @@ -167,6 +301,7 @@ The XML below if for Windows 10, version 1803. + Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created. 
@@ -192,6 +327,7 @@ The XML below if for Windows 10, version 1803. + Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created. @@ -256,6 +392,70 @@ The XML below if for Windows 10, version 1803. + + PPR1Set + + + + + This profile policy rule indicates whether disabling of this profile is not allowed (true if not allowed, false otherwise). + + + + + + + + + + + text/plain + + + + + PPR2Set + + + + + This profile policy rule indicates whether deletion of this profile is not allowed (true if not allowed, false otherwise). + + + + + + + + + + + text/plain + + + + + ErrorDetail + + + + + 0 + Detailed error if the profile download and install procedure failed (None = 0, CardGeneralFailure = 1, ConfirmationCodeMissing = 3, ForbiddenByPolicy = 5, InvalidMatchingId = 6, NoEligibleProfileForThisDevice = 7, NotEnoughSpaceOnCard = 8, ProfileEidMismatch = 10, ProfileNotAvailableForNewBinding = 11, ProfileNotReleasedByOperator = 12, RemoteServerGeneralFailure = 13, RemoteServerUnreachable = 14). + + + + + + + + + + + text/plain + + + diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md index 3a32b79699..b2dca22fe1 100644 --- a/windows/client-management/mdm/federated-authentication-device-enrollment.md +++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md 
@@ -148,7 +148,7 @@ The following are the explicit requirements for the server.
 - The <DiscoveryResponse><AuthenticationServiceUrl> element must support HTTPS.
 - The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail.
-- WP doesn’t support Window Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device.
+- WP doesn’t support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device.
 The enrollment client issues an HTTPS request as follows:
diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md
index 3df7b51be2..0b5579a5a6 100644
--- a/windows/client-management/mdm/filesystem-csp.md
+++ b/windows/client-management/mdm/filesystem-csp.md
@@ -22,9 +22,16 @@ The FileSystem configuration service provider is used to query, add, modify, and
 > [!NOTE]
 > This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.
-The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
+The following shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
-![filesystem csp (dm).](images/provisioning-csp-filesystem-dm.png)
+```console
+./Vendor/MSFT
+FileSystem
+----file name
+----file directory
+--------file name
+--------file directory
+```
 **FileSystem** Required. Defines the root of the file system management object. It functions as the root directory for file system queries.
diff --git a/windows/client-management/mdm/get-inventory.md b/windows/client-management/mdm/get-inventory.md index 94c9465267..4c01145bb3 100644 --- a/windows/client-management/mdm/get-inventory.md +++ b/windows/client-management/mdm/get-inventory.md @@ -21,143 +21,34 @@ The **Get Inventory** operation retrieves information from the Microsoft Store f ## Request - ---- - - - - - - - - - - - - -
                  MethodRequest URI

                  GET

                  https://bspmts.mp.microsoft.com/V1/Inventory?continuationToken={ContinuationToken}&modifiedSince={ModifiedSince}&licenseTypes={LicenseType}&maxResults={MaxResults}

                  - - - +**GET:** +```http +https://bspmts.mp.microsoft.com/V1/Inventory?continuationToken={ContinuationToken}&modifiedSince={ModifiedSince}&licenseTypes={LicenseType}&maxResults={MaxResults} +``` ### URI parameters The following parameters may be specified in the request URI. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  ParameterTypeDefault valueDescription

                  continuationToken

                  string

                  Null

                  modifiedSince

                  datetime

                  Null

                  Optional. Used to determine changes since a specific date.

                  licenseTypes

                  collection of LicenseType

                  {online,offline}

                  Optional. A collection of license types

                  maxResults

                  integer-32

                  25

                  Optional. Specifies the maximum number of applications returned in a single query.

                  - - - +|Parameter|Type|Default value|Description| +|--- |--- |--- |--- | +|continuationToken|string|Null|| +|modifiedSince|datetime|Null|Optional. Used to determine changes since a specific date.| +|licenseTypes|collection of [LicenseType](data-structures-windows-store-for-business.md#licensetype)|{online,offline}|Optional. A collection of license types| +|maxResults|integer-32|25|Optional. Specifies the maximum number of applications returned in a single query.| Here are some examples. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
                  Query typeExample query

                  Online and offline

                  https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&licenseTypes=offline&maxResults=25

                  Online only

                  https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&maxResults=25

                  Offline only

                  https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=offline&maxResults=25

                  Both license types and a time filter

                  https://bspmts.mp.microsoft.com/V1/Inventory?modifiedSince=2015-07-13T14%3a02%3a25.6863382-07%3a00&licenseTypes=online&licenseTypes=offline&maxResults=25

                  - - - - - ------ - - - - - - - - - - - - - - - - -
                  Error codeDescriptionRetryData field

                  400

                  Invalid parameters

                  No

                  Parameter name

                  -

                  Invalid modified date, license, or continuationToken

                  -

                  Details: String

                  - - +|Query type|Example query| +|--- |--- | +|Online and offline|[https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&licenseTypes=offline&maxResults=25](https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&licenseTypes=offline&maxResults=25)| +|Online only|[https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&maxResults=25](https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&maxResults=25)| +|Offline only|[https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=offline&maxResults=25](https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=offline&maxResults=25)| +|Both license types and a time filter|[https://bspmts.mp.microsoft.com/V1/Inventory?modifiedSince=2015-07-13T14%3a02%3a25.6863382-07%3a00&licenseTypes=online&licenseTypes=offline&maxResults=25](https://bspmts.mp.microsoft.com/V1/Inventory?modifiedSince=2015-07-13T14%3a02%3a25.6863382-07%3a00&licenseTypes=online&licenseTypes=offline&maxResults=25)| +|Error code|Description|Retry|Data field| +|--- |--- |--- |--- | +|400|Invalid parameters|No|Parameter name

                  Invalid modified date, license, or continuationToken

                  Details: String| ## Response diff --git a/windows/client-management/mdm/get-localized-product-details.md b/windows/client-management/mdm/get-localized-product-details.md index 52848ed620..3e13a8f8e4 100644 --- a/windows/client-management/mdm/get-localized-product-details.md +++ b/windows/client-management/mdm/get-localized-product-details.md @@ -18,97 +18,27 @@ The **Get localized product details** operation retrieves the localization infor ## Request - ---- - - - - - - - - - - - - -
                  MethodRequest URI

                  GET

                  https://bspmts.mp.microsoft.com/V1/Products/{ProductId}/{SkuId}/LocalizedDetails/{language}

                  +**GET:** + +```http +https://bspmts.mp.microsoft.com/V1/Products/{ProductId}/{SkuId}/LocalizedDetails/{language} +``` ### URI parameters The following parameters may be specified in the request URI. - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
                  ParameterTypeDescription

                  productId

                  string

                  Required. Product identifier for an application that is used by the Store for Business.

                  skuId

                  string

                  Required. Product identifier that specifies a specific SKU of an application.

                  language

                  string

                  Required. Language in ISO format, such as en-us, en-ca.

                  +|Parameter|Type|Description| +|--- |--- |--- | +|productId|string|Required. Product identifier for an application that is used by the Store for Business.| +|skuId|string|Required. Product identifier that specifies a specific SKU of an application.| +|language|string|Required. Language in ISO format, such as en-us, en-ca.| - - ------ - - - - - - - - - - - - - - - - - - - - - - -
                  Error codeDescriptionRetryData field

                  400

                  Invalid parameters

                  No

                  Parameter name

                  -

                  Reason: Missing parameter or invalid parameter

                  -

                  Details: String

                  404

                  Not found

                  Item type: productId, skuId, language

                  - -  +|Error code|Description|Retry|Data field| +|--- |--- |--- |--- | +|400|Invalid parameters|No|Parameter name
                  Reason: Missing parameter or invalid parameter
                  Details: String| +|404|Not found||Item type: productId, skuId, language| ## Response diff --git a/windows/client-management/mdm/get-offline-license.md b/windows/client-management/mdm/get-offline-license.md index 87699a8b11..0f60251a1c 100644 --- a/windows/client-management/mdm/get-offline-license.md +++ b/windows/client-management/mdm/get-offline-license.md @@ -18,102 +18,27 @@ The **Get offline license** operation retrieves the offline license information ## Request - ---- - - - - - - - - - - - - -
                  MethodRequest URI

                  POST

                  https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/OfflineLicense/{contentId}

                  +**POST:** + +```http +https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/OfflineLicense/{contentId} +``` -  ### URI parameters The following parameters may be specified in the request URI. - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
                  ParameterTypeDescription

                  productId

                  string

                  Required. Identifies a specific product that has been acquired.

                  skuId

                  string

                  Required. The SKU identifier.

                  contentId

                  string

                  Required. Identifies a specific application.

                  +|Parameter|Type|Description| +|--- |--- |--- | +|productId|string|Required. Identifies a specific product that has been acquired.| +|skuId|string|Required. The SKU identifier.| +|contentId|string|Required. Identifies a specific application.| - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Error codeDescriptionRetryData field

                  400

                  Invalid parameters

                  No

                  Parameter name

                  -

                  Reason: Missing parameter or invalid parameter

                  -

                  Details: String

                  404

                  Not found

                  409

                  Conflict

                  Reason: Not owned, Not offline

                  - +|Error code|Description|Retry|Data field| +|--- |--- |--- |--- | +|400|Invalid parameters|No|Parameter name
                  Reason: Missing parameter or invalid parameter
                  Details: String| +|404|Not found||| +|409|Conflict||Reason: Not owned, Not offline| ## Response diff --git a/windows/client-management/mdm/get-product-details.md b/windows/client-management/mdm/get-product-details.md index 18a0174509..9b32395cbd 100644 --- a/windows/client-management/mdm/get-product-details.md +++ b/windows/client-management/mdm/get-product-details.md @@ -18,92 +18,26 @@ The **Get product details** operation retrieves the product information from the ## Request - ---- - - - - - - - - - - - - -
                  MethodRequest URI

                  GET

                  https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}

                  +**GET:** +```http +https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId} +``` ### URI parameters The following parameters may be specified in the request URI. - ----- - - - - - - - - - - - - - - - - - - - -
                  ParameterTypeDescription

                  productId

                  string

                  Required. Product identifier for an application that is used by the Store for Business.

                  skuId

                  string

                  Required. Product identifier that specifies a specific SKU of an application.

                  +|Parameter|Type|Description| +|--- |--- |--- | +|productId|string|Required. Product identifier for an application that is used by the Store for Business.| +|skuId|string|Required. Product identifier that specifies a specific SKU of an application.| +|Error code|Description|Retry|Data field| +|--- |--- |--- |--- | +|400|Invalid parameters|No|Parameter name
                  Reason: Missing parameter or invalid parameter
                  Details: String| +|404|Not found||| - ------ - - - - - - - - - - - - - - - - - - - - - - -
                  Error codeDescriptionRetryData field

                  400

                  Invalid parameters

                  No

                  Parameter name

                  -

                  Reason: Missing parameter or invalid parameter

                  -

                  Details: String

                  404

                  Not found

                  - -  ## Response ### Response body diff --git a/windows/client-management/mdm/get-product-package.md b/windows/client-management/mdm/get-product-package.md index 662580acde..d08a8b434a 100644 --- a/windows/client-management/mdm/get-product-package.md +++ b/windows/client-management/mdm/get-product-package.md @@ -18,108 +18,27 @@ The **Get product package** operation retrieves the information about a specific ## Request - ---- - - - - - - - - - - - - -
                  MethodRequest URI

                  GET

                  https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/Packages/{packageId}

                  +**GET:** -  +```http +https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/Packages/{packageId} +``` ### URI parameters The following parameters may be specified in the request URI. - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
                  ParameterTypeDescription

                  productId

                  string

                  Required. Product identifier for an application that is used by the Store for Business.

                  skuId

                  string

                  Required. Product identifier that specifies a specific SKU of an application.

                  packageId

                  string

                  Required.

                  - - - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Error codeDescriptionRetryData fieldDetails

                  400

                  Invalid parameters

                  No

                  Parameter name

                  -

                  Reason: Invalid parameter

                  -

                  Details: String

                  Can be productId, skuId, or packageId

                  404

                  Not found

                  Item type: Product/SKU

                  409

                  Conflict

                  Reason: Not owned

                  +|Parameter|Type|Description| +|--- |--- |--- | +|productId|string|Required. Product identifier for an application that is used by the Store for Business.| +|skuId|string|Required. Product identifier that specifies a specific SKU of an application.| +|packageId|string|Required.| +|Error code|Description|Retry|Data field|Details| +|--- |--- |--- |--- |--- | +|400|Invalid parameters|No|Parameter name

                  Reason: Invalid parameter

                  Details: String|Can be productId, skuId, or packageId| +|404|Not found|||Item type: Product/SKU| +|409|Conflict||Reason: Not owned|| ## Response diff --git a/windows/client-management/mdm/get-product-packages.md b/windows/client-management/mdm/get-product-packages.md index 5ad2851bc5..6dede5eb3e 100644 --- a/windows/client-management/mdm/get-product-packages.md +++ b/windows/client-management/mdm/get-product-packages.md @@ -18,97 +18,27 @@ The **Get product packages** operation retrieves the information about applicati ## Request - ---- - - - - - - - - - - - - -
                  MethodRequest URI

                  GET

                  https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/Packages

                  +**GET:** + +```http +https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/Packages +```   ### URI parameters The following parameters may be specified in the request URI. - ----- - - - - - - - - - - - - - - - - - - - -
                  ParameterTypeDescription

                  productId

                  string

                  Required. Product identifier for an application that is used by the Store for Business.

                  skuId

                  string

                  Required. Product identifier that specifies a specific SKU of an application.

                  - -  - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Error codeDescriptionRetryData field

                  400

                  Invalid parameters

                  No

                  Parameter name

                  -

                  Reason: Missing parameter or invalid parameter

                  -

                  Details: String

                  404

                  Not found

                  409

                  Conflict

                  Reason: Not owned

                  +|Parameter|Type|Description| +|--- |--- |--- | +|productId|string|Required. Product identifier for an application that is used by the Store for Business.| +|skuId|string|Required. Product identifier that specifies a specific SKU of an application.| +|Error code|Description|Retry|Data field| +|--- |--- |--- |--- | +|400|Invalid parameters|No|Parameter name

                  Reason: Missing parameter or invalid parameter

                  Details: String| +|404|Not found||| +|409|Conflict||Reason: Not owned| ## Response diff --git a/windows/client-management/mdm/get-seat.md b/windows/client-management/mdm/get-seat.md index 598d24ea19..920c40c4e5 100644 --- a/windows/client-management/mdm/get-seat.md +++ b/windows/client-management/mdm/get-seat.md @@ -18,61 +18,21 @@ The **Get seat** operation retrieves the information about an active seat for a ## Request - ---- - - - - - - - - - - - - -
                  MethodRequest URI

                  GET

                  https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}

                  +**GET:** +```http +https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username} +``` ### URI parameters The following parameters may be specified in the request URI. - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
                  ParameterTypeDescription

                  productId

                  string

                  Required. Product identifier for an application that is used by the Store for Business.

                  skuId

                  string

                  Required. Product identifier that specifies a specific SKU of an application.

                  username

                  string

                  Requires UserPrincipalName (UPN). User name of the target user account.

                  +|Parameter|Type|Description| +|--- |--- |--- | +|productId|string|Required. Product identifier for an application that is used by the Store for Business.| +|skuId|string|Required. Product identifier that specifies a specific SKU of an application.| +|username|string|Requires UserPrincipalName (UPN). User name of the target user account.|   ## Response @@ -81,56 +41,8 @@ The following parameters may be specified in the request URI. The response body contains [SeatDetails](data-structures-windows-store-for-business.md#seatdetails). - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Error codeDescriptionRetryData fieldDetails

                  400

                  Invalid parameters

                  No

                  Parameter name

                  -

                  Reason: Missing parameter or invalid parameter

                  -

                  Details: String

                  Invalid can include productId, skuId or username

                  404

                  Not found

                  ItemType: Inventory, User, Seat

                  -

                  Values: ProductId/SkuId, UserName, ProductId/SkuId/Username

                  409

                  Conflict

                  Reason: Not online

                  - -  - -  - - - - - +|Error code|Description|Retry|Data field|Details| +|--- |--- |--- |--- |--- | +|400|Invalid parameters|No|Parameter name

                  Reason: Missing parameter or invalid parameter

                  Details: String|Invalid can include productId, skuId or username| +|404|Not found|||ItemType: Inventory, User, Seat

                  Values: ProductId/SkuId, UserName, ProductId/SkuId/Username| +|409|Conflict||Reason: Not online|| diff --git a/windows/client-management/mdm/get-seats-assigned-to-a-user.md b/windows/client-management/mdm/get-seats-assigned-to-a-user.md index 016e2a8711..099ad10917 100644 --- a/windows/client-management/mdm/get-seats-assigned-to-a-user.md +++ b/windows/client-management/mdm/get-seats-assigned-to-a-user.md @@ -18,61 +18,21 @@ The **Get seats assigned to a user** operation retrieves information about assig ## Request - ---- - - - - - - - - - - - - -
                  MethodRequest URI

                  GET

                  https://bspmts.mp.microsoft.com/V1/Users/{username}/Seats?continuationToken={ContinuationToken}&maxResults={MaxResults}

                  +**GET:** +```http +https://bspmts.mp.microsoft.com/V1/Users/{username}/Seats?continuationToken={ContinuationToken}&maxResults={MaxResults} +``` ### URI parameters The following parameters may be specified in the request URI. - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
                  ParameterTypeDescription

                  useName

                  string

                  Requires UserPrincipalName (UPN). User name of the target user account.

                  continuationToken

                  string

                  Optional.

                  maxResults

                  inteter-32

                  Optional. Default = 25, Maximum = 100

                  +|Parameter|Type|Description| +|--- |--- |--- | +|useName|string|Requires UserPrincipalName (UPN). User name of the target user account.| +|continuationToken|string|Optional.| +|maxResults|inteter-32|Optional. Default = 25, Maximum = 100|   ## Response @@ -81,39 +41,10 @@ The following parameters may be specified in the request URI. The response body contain [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset). - ------ - - - - - - - - - - - - - - - - - - - - - - -
                  Error codeDescriptionRetryData field

                  400

                  Invalid parameters

                  No

                  Parameter name

                  -

                  Reason: Invalid parameter

                  -

                  Details: String

                  404

                  Not found

                  Item type: User

                  -

                  Values: UserName

                  +|Error code|Description|Retry|Data field| +|--- |--- |--- |--- | +|400|Invalid parameters|No|Parameter name

                  Reason: Invalid parameter

                  Details: String| +|404|Not found||Item type: User

                  Values: UserName|   diff --git a/windows/client-management/mdm/get-seats.md b/windows/client-management/mdm/get-seats.md index a510b2460c..f58ed76669 100644 --- a/windows/client-management/mdm/get-seats.md +++ b/windows/client-management/mdm/get-seats.md @@ -1,6 +1,6 @@ --- title: Get seats -description: The Get seats operation retrieves the information about active seats in the Micorsoft Store for Business. +description: The Get seats operation retrieves the information about active seats in the Microsoft Store for Business. ms.assetid: 32945788-47AC-4259-B616-F359D48F4F2F ms.reviewer: manager: dansimp @@ -18,118 +18,34 @@ The **Get seats** operation retrieves the information about active seats in the ## Request - ---- - - - - - - - - - - - - -
                  MethodRequest URI

                  GET

                  https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats?continuationToken={ContinuationToken}&maxResults={MaxResults}

                  +**GET:** + +```http +https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats?continuationToken={ContinuationToken}&maxResults={MaxResults} +``` -  ### URI parameters The following parameters may be specified in the request URI. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  ParameterTypeDescription

                  productId

                  string

                  Required. Product identifier for an application that is used by the Store for Business.

                  skuId

                  string

                  Required. Product identifier that specifies a specific SKU of an application.

                  continuationToken

                  string

                  Optional.

                  maxResults

                  int32

                  Optional. Default = 25, Maximum = 100

                  +|Parameter|Type|Description| +|--- |--- |--- | +|productId|string|Required. Product identifier for an application that is used by the Store for Business.| +|skuId|string|Required. Product identifier that specifies a specific SKU of an application.| +|continuationToken|string|Optional.| +|maxResults|int32|Optional. Default = 25, Maximum = 100| -  ## Response ### Response body The response body contains [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset). - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Error codeDescriptionRetryData field

                  400

                  Invalid parameters

                  No

                  Parameter name

                  -

                  Reason: Missing parameter or invalid parameter

                  -

                  Details: String

                  404

                  Not found

                  409

                  Conflict

                  Reason: Not online

                  - -  - -  - - +|Error code|Description|Retry|Data field| +|--- |--- |--- |--- | +|400|Invalid parameters|No|Parameter name
                  Reason: Missing parameter or invalid parameter
                  Details: String| +|404|Not found||| +|409|Conflict||Reason: Not online| diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index e570b9890d..47da5c6353 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -8,176 +8,541 @@ ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 +author: dansimp +ms.date: --- # Device HealthAttestation CSP -The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions. +The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT administrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions. The following is a list of functions performed by the Device HealthAttestation CSP: -- Collects device boot logs, TPM audit trails and the TPM certificate (DHA-BootData) from a managed device -- Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) +- Collects device boot logs, Trusted Platform Module (TPM) audit trails and the TPM certificate (DHA-BootData) from a managed device +- Forwards DHA-BootData to a Device Health Attestation Service (DHA-Service) - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device -- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data +- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data) -## Terms +## Windows 11 Device health attestation -**TPM (Trusted Platform Module)** -

                  TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption and signing.

                  +Windows 11 introduces an update to the device health attestation feature. This helps add support for deeper insights to Windows boot security, supporting a zero trust approach to device security. Device health attestation on Windows can be accessed by using the HealthAttestation CSP. This CSP helps assess if a device is booted to a trusted and compliant state and then to take appropriate action. Windows 11 introduces additional child nodes to the HealthAttestation node for the MDM providers to connect to the Microsoft Azure Attestation service, which provides a simplified approach to attestation. -**DHA (Device HealthAttestation) feature** -

                  The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.

                  +The attestation report provides a health assessment of the boot-time properties of the device to ensure that the devices are automatically secure as soon as they power on. The health attestation result can then be used to allow or deny access to networks, apps, or services, depending on the health of the device. -**DHA-Enabled device (Device HealthAttestation enabled device)** -

                  A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0.

                  +### Terms -**DHA-Session (Device HealthAttestation session)** -

                  The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.

                  +- **TPM (Trusted Platform Module)**: TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing. -

                  The following list of transactions is performed in one DHA-Session:

                  -
                    -
                  • DHA-CSP and DHA-Service communication: -
                    • DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service
                    • -
                    • DHA-Service replies with an encrypted data blob (DHA-EncBlob)
                    • -
                  • +- **DHA (Device HealthAttestation) feature**: The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel. -
                  • DHA-CSP and MDM-Server communication: -
                    • MDM-Server sends a device health verification request to DHA-CSP
                    • -
                    • DHA-CSP replies with a payload called DHA-Data that includes an encrypted (DHA-EncBlob) and a signed (DHA-SignedBlob) data blob
                    • -
                  • +- **MAA-Session (Microsoft Azure Attestation service based device HealthAttestation session)**: The Microsoft Azure Attestation service-based device HealthAttestation session (MAA-Session) describes the end-to-end communication flow that is performed in one device health attestation session. -
                  • MDM-Server and DHA-Service communication: -
                    • MDM-Server posts data it receives from devices to DHA-Service
                    • -
                    • DHA-Service reviews the data it receives, and replies with a device health report (DHA-Report)
                    • -
                  • -
                  +- **MAA-CSP Nodes (Microsoft Azure Attestation based Configuration Service Provider)**: The Configuration Service Provider nodes added to Windows 11 to integrate with Microsoft Azure Attestation Service. -healthattestation session diagram
                  -DHA session data (Device HealthAttestation session data) -

                  The following list of data is produced or consumed in one DHA-Transaction:

                  -
                    -
                  • DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot and TPM counters) that are required for validating device boot health.
                  • -
                  • DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices.
                  • -
                  • DHA-SignedBlob: it is a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time.
                  • -
                  • DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has 2 parts: -
                      -
                    • DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service
                    • -
                    • DHA-SignedBlob: a current snapshot of the current security state of the device that is generated by DHA-CSP
                    • -
                    -
                  • -
                  • DHA-Report: the report that is issued by DHA-Service to MDM-Server
                  • -
                  • Nonce: a crypto protected number that is generated by MDM-Server, which protects the DHA-Session from man-in-the-middle type attacks
                  • -
                  + The following list of operations is performed by MAA-CSP: -DHA-Enabled MDM (Device HealthAttestation enabled device management solution) -

                  Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.

                  -

                  DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.

                  -

                  The following list of operations is performed by DHA-Enabled-MDM

                  -
                    -
                  • Enables the DHA feature on a DHA-Enabled device
                  • -
                  • Issues device health attestation requests to enrolled/managed devices
                  • -
                  • Collects device health attestation data (DHA-Data), and sends it to Device Health Attestation Service (DHA-Service) for verification
                  • -
                  • Gets the device health report (DHA-Report) from DHA-Service, which triggers compliance action
                  • -
                  + - Receives attestation trigger requests from a HealthAttestation enabled MDM provider. + - The device collects Attestation Evidence (device boot logs, TPM audit trails and the TPM certificate) from a managed device. + - Forwards the Attestation Evidence to the Azure Attestation Service instance as configured by the MDM provider. + - Receives a signed report from the Azure Attestation Service instance and stores it in a local cache on the device. -DHA-CSP (Device HealthAttestation Configuration Service Provider) -

                  The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.

                  -

                  The following list of operations is performed by DHA-CSP:

                  -
                    -
                  • Collects device boot data (DHA-BootData) from a managed device
                  • -
                  • Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)
                  • -
                  • Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device
                  • -
                  • Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data)
                  • -
                  +- **MAA endpoint**: Microsoft Azure attestation service is an Azure resource, and every instance of the service gets administrator configured URL. The URI generated is unique in nature and for the purposes of device health attestation is known as the MAA endpoint. -DHA-Service (Device HealthAttestation Service) -

                  Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.

                  +- **JWT (JSON Web Token)**: JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair. -

                  DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.

                  -

                  The following list of operations is performed by DHA-Service:

                  +### Attestation Flow with Microsoft Azure Attestation Service -- Receives device boot data (DHA-BootData) from a DHA-Enabled device
                • -- Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) -- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device -- Receives attestation requests (DHA-Requests) from a DHA-Enabled-MDM, and replies with a device health report (DHA-Report) +![Attestation Flow with Microsoft Azure Attestation Service](./images/maa-attestation-flow.png) -![healthattestation service diagram.](images/healthattestation_2.png) +Attestation flow can be broadly in three main steps: - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
                  DHA-Service typeDescriptionOperation cost
                  Device Health Attestation – Cloud

                  (DHA-Cloud)

                  DHA-Cloud is a Microsoft owned and operated DHA-Service that is:

                  -
                    -
                  • Available in Windows for free
                  • -
                  • Running on a high-availability and geo-balanced cloud infrastructure
                  • -
                  • Supported by most DHA-Enabled device management solutions as the default device attestation service provider
                  • -
                  • Accessible to all enterprise-managed devices via following: -
                      -
                    • FQDN = has.spserv.microsoft.com) port
                    • -
                    • Port = 443
                    • -
                    • Protocol = TCP
                    • -
                    -
                  • -
                  -
                  No cost
                  Device Health Attestation – On Premise

                  (DHA-OnPrem)

                  DHA-OnPrem refers to DHA-Service that is running on premises:

                  -
                    -
                  • Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
                  • -
                  • Hosted on an enterprise owned and managed server device/hardware
                  • -
                  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
                  • -
                  • Accessible to all enterprise-managed devices via following:

                    -
                      -
                    • FQDN = (enterprise assigned)
                    • -
                    • Port = (enterprise assigned)
                    • -
                    • Protocol = TCP
                    • -
                    -
                  • -
                  The operation cost of running one or more instances of Server 2016 on-premises.
                  Device Health Attestation - Enterprise-Managed Cloud

                  (DHA-EMC)

                  DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.

                  -
                    -
                  • Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)
                  • -
                  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
                  • -
                  • Accessible to all enterprise-managed devices via following:

                    -
                      -
                    • FQDN = (enterprise assigned)
                    • -
                    • Port = (enterprise assigned)
                    • -
                    • Protocol = TCP
                    • -
                    -
                  • -
                  The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure.
+- An instance of the Azure Attestation service is set up with an appropriate attestation policy. The attestation policy allows the MDM provider to attest to particular events in the boot as well security features.
+- The MDM provider triggers a call to the attestation service, the device then performs an attestation check keeping the report ready to be retrieved.
+- The MDM provider after verifying the token is coming from the attestation service it can parse the attestation token to reflect on the attested state of the device.
-## CSP diagram and node descriptions
+For more information, see [Attestation Protocol](/azure/attestation/virtualization-based-security-protocol).
+### Configuration Service Provider Nodes
+Windows 11 introduces additions to the HealthAttestation CSP node to integrate with Microsoft Azure Attestation service.
-The following shows the Device HealthAttestation configuration service provider in tree format.
+```console
+./Vendor/MSFT
+HealthAttestation
+----...
+----TriggerAttestation |
+----AttestStatus | Added in Windows 11
+----GetAttestReport |
+----GetServiceCorrelationIDs |
+----VerifyHealth
+----Status
+----ForceRetrieve
+----Certificate
+----Nonce
+----CorrelationID
+----HASEndpoint
+----TpmReadyStatus
+----CurrentProtocolVersion
+----PreferredMaxProtocolVersion
+----MaxSupportedProtocolVersion
 ```
+
+**./Vendor/MSFT/HealthAttestation**
+
+The root node for the device HealthAttestation configuration service provider.
+
+**TriggerAttestation** (Required)
+
+Node type: EXECUTE
+
+This node will trigger attestation flow by launching an attestation process. If the attestation process is launched successfully, this node will return code 202 indicating the request is received and being processed. Otherwise, an error will be returned.
+
+Templated SyncML Call:
+
+```xml
+
+
+
+ VERIFYHEALTHV2
+
+
+
+ ./Vendor/MSFT/HealthAttestation/TriggerAttestation
+
+
+
+ {
+ rpID : "rpID", serviceEndpoint : "MAA endpoint",
+ nonce : "nonce", aadToken : "aadToken", "cv" : "CorrelationVector"
+ }
+
+
+
+
+
+
+```
+
+Data fields:
+
+- rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller.
+- serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation.
+- nonce : This field contains an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.
+- aadToken: The AAD token to be used for authentication against the Microsoft Azure Attestation service.
+- cv: This field contains an identifier(Correlation Vector) that will passed in to the service call, that can be used for diagnostics purposes.
+
+Sample Data:
+
+```json
+
+{
+"rpid" : "https://www.contoso.com/attestation",
+"endpoint" : "https://contoso.eus.attest.azure.net/attest/tpm?api-version=2020-10-01",
+"nonce" : "5468697320697320612054657374204e6f6e6365",
+"aadToken" : "dummytokenstring",
+"cv" : "testonboarded"
+}
+
+```
+
+**AttestStatus**
+
+Node type: GET
+
+This node will retrieve the status(HRESULT value) stored in registry updated by the attestation process triggered in the previous step.
+The status is always cleared prior to making the attest service call.
+
+Templated SyncML Call:
+
+```xml
+
+
+
+
+
+
+ ./Device/Vendor/MSFT/HealthAttestation/AttestStatus
+
+
+
+
+
+
+
+```
+
+Sample Data:
+
+```console
+If Successful: 0
+If Failed: A corresponding HRESULT error code
+Example: 0x80072efd, WININET_E_CANNOT_CONNECT
+```
+
+**GetAttestReport**
+
+Node type: GET
+
+This node will retrieve the attestation report per the call made by the TriggerAttestation, if there is any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store.
+
+Templated SyncML Call:
+
+```xml
+
+
+
+
+
+
+ ./Device/Vendor/MSFT/HealthAttestation/GetAttestReport
+
+
+
+
+
+
+
+```
+
+Sample data:
+
+```console
+If Success:
+JWT token: aaaaaaaaaaaaa.bbbbbbbbbbbbb.cccccccccc
+If failed:
+Previously cached report if available (the token may have already expired per the attestation policy).
+OR Sync ML 404 error if not cached report available.
+```
+
+**GetServiceCorrelationIDs**
+
+Node type: GET
+
+This node will retrieve the service-generated correlation IDs for the given MDM provider. If there is more than one correlation ID, they are separated by “;” in the string.
+
+Templated SyncML Call:
+
+```xml
+
+
+
+
+
+
+ ./Device/Vendor/MSFT/HealthAttestation/GetServiceCorrelationIDs
+
+
+
+
+
+
+
+```
+
+Sample data:
+
+```console
+If success:
+GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM
+If Trigger Attestation call failed and no previous data is present. The field remains empty.
+Otherwise, the last service correlation id will be returned. In a successful attestation there are two
+calls between client and MAA and for each call the GUID is separated by semicolon.
+```
+
+> [!NOTE]
+> > MAA CSP nodes are available on arm64 but is not currently supported.
+
+
+### MAA CSP Integration Steps
+
+1. Set up a MAA provider instance: MAA instance can be created following the steps at [Quickstart: Set up Azure Attestation by using the Azure portal](/azure/attestation/quickstart-portal].
+
+2. Update the provider with an appropriate policy: The MAA instance should be updated with an appropriate policy. For more information, see [How to author an Azure Attestation policy](/azure/attestation/claim-rule-grammar).
+
+ A Sample attestation policy:
+
+ ```console
+ version=1.2;
+
+ configurationrules{
+ };
+
+ authorizationrules {
+ => permit();
+ };
+
+ issuancerules{
+
+ // SecureBoot enabled
+ c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']"));
+ c:[type == "efiConfigVariables", issuer=="AttestationPolicy"]=> issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'")));
+ ![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false);
+
+ // Retrieve bool properties
+ c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `19` || PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="codeIntegrityEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_CODEINTEGRITY")));
+ c:[type=="codeIntegrityEnabledSet", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=ContainsOnlyValue(c.value, true));
+ ![type=="codeIntegrityEnabled", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=false);
+
+ // Bitlocker Boot Status, The first non zero measurement or zero.
+ c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
+ c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => issue(type="bitlockerEnabledValue", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BITLOCKER_UNLOCK | @[? Value != `0`].Value | @[0]")));
+ [type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=true);
+ ![type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=false);
+
+ // Elam Driver (windows defender) Loaded
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] | [? EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') || equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] | @ != `null`")));
+ [type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=true);
+ ![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=false);
+
+ // Boot debugging
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="bootDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BOOTDEBUGGING")));
+ c:[type=="bootDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=ContainsOnlyValue(c.value, false));
+ ![type=="bootDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=false);
+
+ // Kernel Debugging
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="osKernelDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_OSKERNELDEBUG")));
+ c:[type=="osKernelDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=ContainsOnlyValue(c.value, false));
+ ![type=="osKernelDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=false);
+
+ // DEP Policy
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="depPolicy", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_DATAEXECUTIONPREVENTION.Value | @[-1]")));
+ ![type=="depPolicy"] => issue(type="depPolicy", value=0);
+
+ // Test Signing
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="testSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_TESTSIGNING")));
+ c:[type=="testSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=ContainsOnlyValue(c.value, false));
+ ![type=="testSigningDisabled", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=false);
+
+ // Flight Signing
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="flightSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_FLIGHTSIGNING")));
+ c:[type=="flightSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=ContainsOnlyValue(c.value, false));
+ ![type=="flightSigningNotEnabled", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=false);
+
+ // VSM enabled
+ c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
+ c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_VSM_REQUIRED")));
+ c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_MANDATORY_ENFORCEMENT")));
+ c:[type=="vbsEnabledSet", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=ContainsOnlyValue(c.value, true));
+ ![type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=false);
+ c:[type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=c.value);
+
+ // HVCI
+ c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="hvciEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_HVCI_POLICY | @[?String == 'HypervisorEnforcedCodeIntegrityEnable'].Value")));
+ c:[type=="hvciEnabledSet", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=ContainsOnlyValue(c.value, 1));
+ ![type=="hvciEnabled", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=false);
+
+ // IOMMU
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="iommuEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_IOMMU_REQUIRED")));
+ c:[type=="iommuEnabledSet", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=ContainsOnlyValue(c.value, true));
+ ![type=="iommuEnabled", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=false);
+
+ // Find the Boot Manager SVN, this is measured as part of a sequence and find the various measurements
+ // Find the first EV_SEPARATOR in PCR 12, 13, Or 14
+ c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq"));
+ c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));
+ [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` ");
+
+ // Find the first EVENT_APPLICATION_SVN.
+ c:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] => add(type="bootMgrSvnSeqQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN] | @[0].EventSeq"));
+ c1:[type=="bootMgrSvnSeqQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="bootMgrSvnSeq", value=JmesPath(c2.value, c1.value));
+ c:[type=="bootMgrSvnSeq", value!="null", issuer=="AttestationPolicy"] => add(type="bootMgrSvnQuery", value=AppendString(AppendString("Events[? EventSeq == `", c.value), "`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]"));
+
+ // The first EVENT_APPLICATION_SVN. That value is the Boot Manager SVN
+ c1:[type=="bootMgrSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootMgrSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));
+
+ // OS Rev List Info
+ c:[type=="events", issuer=="AttestationService"] => issue(type="osRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_OS_REVOCATION_LIST.RawData | @[0]")));
+
+ // Safe mode
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="safeModeEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_SAFEMODE")));
+ c:[type=="safeModeEnabledSet", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=ContainsOnlyValue(c.value, false));
+ ![type=="notSafeMode", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=true);
+
+ // Win PE
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="winPEEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_WINPE")));
+ c:[type=="winPEEnabledSet", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=ContainsOnlyValue(c.value, false));
+ ![type=="notWinPE", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=true);
+
+ // CI Policy
+ c:[type=="events", issuer=="AttestationService"] => issue(type="codeIntegrityPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_SI_POLICY[].RawData")));
+
+ // Secure Boot Custom Policy
+ c:[type=="events", issuer=="AttestationService"] => issue(type="secureBootCustomPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && PcrIndex == `7` && ProcessedData.UnicodeName == 'CurrentPolicy' && ProcessedData.VariableGuid == '77FA9ABD-0359-4D32-BD60-28F4E78F784B'].ProcessedData.VariableData | @[0]")));
+
+ // Find the first EV_SEPARATOR in PCR 12, 13, Or 14
+ c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq"));
+ c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));
+ [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); // No restriction of EV_SEPARATOR in case it is not present
+
+ //Finding the Boot App SVN
+ // Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 which is before the EV_SEPARATOR
+ c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="bootMgrSvnSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepAfterBootMgrSvnClause", value=AppendString(AppendString(AppendString(c1.value, "&& EventSeq >= `"), c2.value), "`"));
+ c:[type=="beforeEvSepAfterBootMgrSvnClause", issuer=="AttestationPolicy"] => add(type="tranferControlQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`&& (ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `1` || ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `2`)] | @[0].EventSeq"));
+ c1:[type=="tranferControlQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="tranferControlSeq", value=JmesPath(c2.value, c1.value));
+
+ // Find the first non-null EVENT_MODULE_SVN in PCR 13 after the transfer control.
+ c:[type=="tranferControlSeq", value!="null", issuer=="AttestationPolicy"] => add(type="afterTransferCtrlClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));
+ c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="afterTransferCtrlClause", issuer=="AttestationPolicy"] => add(type="moduleQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13` && ((ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]) || (ProcessedData.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]))].EventSeq | @[0]"));
+ c1:[type=="moduleQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="moduleSeq", value=JmesPath(c2.value, c1.value));
+
+ // Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12.
+ c:[type=="moduleSeq", value!="null", issuer=="AttestationPolicy"] => add(type="applicationSvnAfterModuleClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));
+ c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="applicationSvnAfterModuleClause", issuer=="AttestationPolicy"] => add(type="bootAppSvnQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]"));
+ c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootAppSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));
+
+ // Finding the Boot Rev List Info
+ c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_BOOT_REVOCATION_LIST.RawData | @[0]")));
+
+ };
+ ```
+
+3. Call TriggerAttestation with your rpid, AAD token and the attestURI: Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. For more information about the api version, see [Attestation - Attest Tpm - REST API](/rest/api/attestation/attestation/attest-tpm).
+
+4. Call GetAttestReport and decode and parse the report to ensure the attested report contains the required properties: GetAttestReport return the signed attestation token as a JWT. The JWT can be decoded to parse the information per the attestation policy.
+
+ ```json
+ {
+ "typ": "JWT",
+ "alg": "RS256",
+ "x5c": [
+ "MIIE.....=",
+ "MIIG.....=",
+ "MIIF.....="
+ ],
+ "kid": "8FUer20z6wzf1rod044wOAFdjsg"
+ }.{
+ "nbf": 1633664812,
+ "exp": 1634010712,
+ "iat": 1633665112,
+ "iss": "https://contosopolicy.eus.attest.azure.net",
+ "jti": "2b63663acbcafefa004d20969991c0b1f063c9be",
+ "ver": "1.0",
+ "x-ms-ver": "1.0",
+ "rp_data": "AQIDBA",
+ "nonce": "AQIDBA",
+ "cnf": {
+ "jwk": {
+ "kty": "RSA",
+ "n": "yZGC3-1rFZBt6n6vRHjRjvrOYlH69TftIQWOXiEHz__viQ_Z3qxWVa4TfrUxiQyDQnxJ8-f8tBRmlunMdFDIQWhnew_rc3-UYMUPNcTQ0IkrLBDG6qDjFFeEAMbn8gqr0rRWu_Qt7Cb_Cq1upoEBkv0RXk8yR6JXmFIvLuSdewGs-xCWlHhd5w3n1rVk0hjtRk9ZErlbPXt74E5l-ZZQUIyeYEZ1FmbivOIL-2f6NnKJ-cR4cdhEU8i9CH1YV0r578ry89nGvBJ5u4_3Ib9Ragdmxm259npH53hpnwf0I6V-_ZhGPyF6LBVUG_7x4CyxuHCU20uI0vXKXJNlbj1wsQ",
+ "e": "AQAB"
+ }
+ },
+ "x-ms-policy-hash": "GiGQCTOylCohHt4rd3pEppD9arh5mXC3ifF1m1hONh0",
+ "WindowsDefenderElamDriverLoaded": true,
+ "bitlockerEnabled": true,
+ "bitlockerEnabledValue": 4,
+ "bootAppSvn": 1,
+ "bootDebuggingDisabled": true,
+ "bootMgrSvn": 1,
+ "bootRevListInfo": "gHWqR2F-1wEgAAAACwBxrZXHbaiuTuO0PSaJ7WQMF8yz37Z2ATgSNTTlRkwcTw",
+ "codeIntegrityEnabled": true,
+ "codeIntegrityPolicy": [
+ "AAABAAAAAQBWAAsAIAAAAHsAOABmAGIANAA4ADYANQBlAC0AZQA5ADAAYgAtADQANAA0AGYALQBiADUAYgA1AC0AZQAyAGEAYQA1ADEAZAA4ADkAMABmAGQAfQAuAEMASQBQAAAAVnW86ERqAg5n9QT1UKFr-bOP2AlNtBaaHXjZODnNLlk", "AAAAAAAACgBWAAsAIAAAAHsAYgBjADQAYgBmADYAZAA3AC0AYwBjADYAMAAtADQAMABmADAALQA4ADYANAA0AC0AMQBlADYANAA5ADEANgBmADgAMQA4ADMAfQAuAEMASQBQAAAAQ7vOXuAbBRIMglSSg7g_LHNeHoR4GrY-M-2W5MNvf0o", "AAAAAAAACgBWAAsAIAAAAHsAYgAzADEAOAA5ADkAOQBhAC0AYgAxADMAZQAtADQANAA3ADUALQBiAGMAZgBkAC0AMQBiADEANgBlADMAMABlADYAMAAzADAAfQAuAEMASQBQAAAALTmwU3eadNtg0GyAyKIAkYed127RJCSgmfFmO1jN_aI", "AAAAAAAACgBWAAsAIAAAAHsAZgBlADgAMgBkADUAOAA5AC0ANwA3AGQAMQAtADQAYwA3ADYALQA5AGEANABhAC0AZQA0ADUANQA0ADYAOAA4ADkANAAxAGIAfQAuAEMASQBQAAAA8HGUwA85gHN_ThItTYtu6sw657gVuOb4fOhYl-YJRoc", "AACRVwAACgAmAAsAIAAAAEQAcgBpAHYAZQByAFMAaQBQAG8AbABpAGMAeQAuAHAANwBiAAAAYcVuY0HdW4Iqr5B-6Sl85kwIXRG9bqr43pVhkirg4qM"
+ ],
+ "depPolicy": 0,
+ "flightSigningNotEnabled": false,
+ "hvciEnabled": true,
+ "iommuEnabled": true,
+ "notSafeMode": true,
+ "notWinPE": true,
+ "osKernelDebuggingDisabled": true,
+ "osRevListInfo": "gHLuW2F-1wEgAAAACwDLyDTUQILjdz_RfNlShVgNYT9EghL7ceMReWg9TuwdKA",
+ "secureBootEnabled": true,
+ "testSigningDisabled": true,
+ "vbsEnabled": true
+ }.[Signature]
+ ```
+
+### Learn More
+
+More information about TPM attestation can be found here: [Microsoft Azure Attestation](/azure/attestation/).
+
+
+## Windows 10 Device HealthAttestation
+
+### Terms
+
+- **TPM (Trusted Platform Module)**: TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing.
+
+- **DHA (Device HealthAttestation) feature**: The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.
+ +- **DHA-Enabled device (Device HealthAttestation enabled device)**: A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0. + +- **DHA-Session (Device HealthAttestation session)**: The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session. + + The following list of transactions is performed in one DHA-Session: + + - DHA-CSP and DHA-Service communication: + - DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service + - DHA-Service replies with an encrypted data blob (DHA-EncBlob) + + - DHA-CSP and MDM-Server communication: + - MDM-Server sends a device health verification request to DHA-CSP + - DHA-CSP replies with a payload called DHA-Data that includes an encrypted (DHA-EncBlob) and a signed (DHA-SignedBlob) data blob + + - MDM-Server and DHA-Service communication: + - MDM-Server posts data it receives from devices to DHA-Service + - DHA-Service reviews the data it receives, and replies with a device health report (DHA-Report) + + ![DHA session healthattestation session diagram](./images/HealthAttestation_1.png) + +- **DHA session data (Device HealthAttestation session data)**: The following list of data is produced or consumed in one DHA-Transaction: + + - DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot, and TPM counters) that are required for validating device boot health. + - DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices. + - DHA-SignedBlob: it is a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time. + - DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. 
DHA-Data has two parts: + + - DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service + - DHA-SignedBlob: a current snapshot of the current security state of the device that is generated by DHA-CSP + + - DHA-Report: the report that is issued by DHA-Service to MDM-Server + - Nonce: a crypto protected number that is generated by MDM-Server, which protects the DHA-Session from man-in-the-middle type attacks + +- **DHA-Enabled MDM (Device HealthAttestation enabled device management solution)**: Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature. + + DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system. + + The following list of operations is performed by DHA-Enabled-MDM + + - Enables the DHA feature on a DHA-Enabled device + - Issues device health attestation requests to enrolled/managed devices + - Collects device health attestation data (DHA-Data), and sends it to Device Health Attestation Service (DHA-Service) for verification + - Gets the device health report (DHA-Report) from DHA-Service, which triggers compliance action + +- **DHA-CSP (Device HealthAttestation Configuration Service Provider)**: The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed. 
+ + The following list of operations is performed by DHA-CSP: + + - Collects device boot data (DHA-BootData) from a managed device + - Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) + - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device + - Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data) + +- **DHA-Service (Device HealthAttestation Service)**: Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel. + + DHA-Service is available in two flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports various implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios. + + The following list of operations is performed by DHA-Service: + + - Receives device boot data (DHA-BootData) from a DHA-Enabled device + - Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) + - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device + - Receives attestation requests (DHA-Requests) from a DHA-Enabled-MDM, and replies with a device health report (DHA-Report) + +![Health Attestation service diagram for the different DHS services](./images/HealthAttestation_2.png) + +|DHA-Service type|Description|Operation cost| +|--- |--- |--- | +|Device Health Attestation – Cloud (DHA-Cloud)|DHA-Cloud is a Microsoft owned and operated DHA-Service that is:
                • Available in Windows for free
                • Running on a high-availability and geo-balanced cloud infrastructure
                • Supported by most DHA-Enabled device management solutions as the default device attestation service provider
                • Accessible to all enterprise-managed devices via following:
                  • FQDN = has.spserv.microsoft.com port
                  • Port = 443
                  • Protocol = TCP|No cost
                • | +|Device Health Attestation – On Premise(DHA-OnPrem)|DHA-OnPrem refers to DHA-Service that is running on premises:
                • Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
                • Hosted on an enterprise owned and managed server device/hardware
                • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
                • Accessible to all enterprise-managed devices via following:
                  • FQDN = (enterprise assigned)
                  • Port = (enterprise assigned)
                  • Protocol = TCP|The operation cost of running one or more instances of Server 2016 on-premises.
                • | +|Device Health Attestation - Enterprise-Managed Cloud(DHA-EMC)|DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.
                • Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)
                • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
                • Accessible to all enterprise-managed devices via following:
                  • FQDN = (enterprise assigned)
                  • Port = (enterprise assigned)
                  • Protocol = TCP|The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure.
                • | + +### CSP diagram and node descriptions + +The following shows the Device HealthAttestation configuration service provider in tree format. + +```console ./Vendor/MSFT HealthAttestation ----VerifyHealth @@ -192,63 +557,72 @@ HealthAttestation ----PreferredMaxProtocolVersion ----MaxSupportedProtocolVersion ``` + **./Vendor/MSFT/HealthAttestation** -

                  The root node for the device HealthAttestation configuration service provider.

                  + +The root node for the device HealthAttestation configuration service provider. **VerifyHealth** (Required) -

                  Notifies the device to prepare a device health verification request.

                  -

                  The supported operation is Execute.

                  +Notifies the device to prepare a device health verification request. + +The supported operation is Execute. **Status** (Required) -

                  Provides the current status of the device health request.

                  -

                  The supported operation is Get.

                  +Provides the current status of the device health request. -

                  The following list shows some examples of supported values. For the complete list of status see Device HealthAttestation CSP status and error codes.

                  +The supported operation is Get. + +The following list shows some examples of supported values. For the complete list of status, see Device HealthAttestation CSP status and error codes. - 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service - 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device - 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob could not be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes -- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pick up +- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup **ForceRetrieve** (Optional) -

                  Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.

                  -

                  Boolean value. The supported operation is Replace.

                  +Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service. + +Boolean value. The supported operation is Replace. **Certificate** (Required) -

                  Instructs the DHA-CSP to forward DHA-Data to the MDM server.

                  -

                  Value type is b64.The supported operation is Get.

                  +Instructs the DHA-CSP to forward DHA-Data to the MDM server. + +Value type is b64. The supported operation is Get. **Nonce** (Required) -

                  Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.

                  -

                  The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes.

                  +Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server. -

                  The supported operations are Get and Replace.

                  +The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes. + +The supported operations are Get and Replace. **CorrelationId** (Required) -

                  Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.

                  -

                  Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.

                  +Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting. + +Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get. **HASEndpoint** (Optional) -

                  Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.

                  -

                  Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com.

                  +Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service. + +Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com. **TpmReadyStatus** (Required) -

                  Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.

                  -

                  Value type is integer. The supported operation is Get.

                  -## **DHA-CSP integration steps** +Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state. +Value type is integer. The supported operation is Get. + +### DHA-CSP integration steps The following list of validation and development tasks are required for integrating the Microsoft Device Health Attestation feature with a Windows Mobile device management solution (MDM): - 1. [Verify HTTPS access](#verify-access) 2. [Assign an enterprise trusted DHA-Service](#assign-trusted-dha-service) 3. [Instruct client to prepare DHA-data for verification](#prepare-health-data) @@ -260,14 +634,13 @@ The following list of validation and development tasks are required for integrat Each step is described in detail in the following sections of this topic. -## **Step 1: Verify HTTPS access** - +### Step 1: Verify HTTPS access Validate that both the MDM server and the device (MDM client) can access has.spserv.microsoft.com using the TCP protocol over port 443 (HTTPS). You can use OpenSSL to validate access to DHA-Service. Here is a sample OpenSSL command and the response that was generated by DHA-Service: -``` syntax +```console PS C:\openssl> ./openssl.exe s_client -connect has.spserv.microsoft.com:443 CONNECTED(000001A8) --- @@ -312,8 +685,7 @@ SSL-Session: Verify return code: 20 (unable to get local issuer certificate) ``` - -## **Step 2: Assign an enterprise trusted DHA-Service** +### Step 2: Assign an enterprise trusted DHA-Service There are three types of DHA-Service: - Device Health Attestation – Cloud (owned and operated by Microsoft) 
@@ -338,9 +710,7 @@ The following example shows a sample call that instructs a managed device to com ``` - -## **Step 3: Instruct client to prepare health data for verification** - +### Step 3: Instruct client to prepare health data for verification Send a SyncML call to start collection of the DHA-Data. @@ -366,7 +736,7 @@ The following example shows a sample call that triggers collection and verificat ``` -## **Step 4: Take action based on the clients response** +### Step 4: Take action based on the clients response After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take. @@ -392,9 +762,9 @@ Here is a sample alert that is issued by DHA_CSP: ``` -- If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). +- If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). -## **Step 5: Instruct the client to forward health attestation data for verification** +### Step 5: Instruct the client to forward health attestation data for verification Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and pick up an encrypted payload that includes a health certificate and related data from the device. 
@@ -431,39 +801,40 @@ Here is an example: ``` -## **Step 6: Forward device health attestation data to DHA-service** - +### Step 6: Forward device health attestation data to DHA-service In response to the request that was sent in the previous step, the MDM client forwards an XML formatted blob (response from ./Vendor/MSFT/HealthAttestation/Certificate node) and a call identifier called CorrelationId (response to ./Vendor/MSFT/HealthAttestation/CorrelationId node). -When the MDM-Server receives the above data, it must: +When the MDM-Server receives the above data, it must: + - Log the CorrelationId it receives from the device (for future troubleshooting/reference), correlated to the call. - Decode the XML formatted data blob it receives from the device - Append the nonce that was generated by MDM service (add the nonce that was forwarded to the device in Step 5) to the XML structure that was forwarded by the device in following format: -```xml - - - [INT] - [base64 blob, eg ‘ABc123+/…==’] - [base64 blob, eg ‘ABc123+/...==’] - - -``` + ```xml + + + [INT] + [base64 blob, eg ‘ABc123+/…==’] + [base64 blob, eg ‘ABc123+/...==’] + + + ``` + - Forward (HTTP Post) the XML data struct (including the nonce that was appended in the previous step) to the assigned DHA-Service that runs on: - - DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3 - - DHA-OnPrem or DHA-EMC: https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3 + + - DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3 + - DHA-OnPrem or DHA-EMC: https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3 -## **Step 7: Receive response from the DHA-service** +### Step 7: Receive response from the DHA-service When the Microsoft Device Health Attestation Service 
receives a request for verification, it performs the following steps: - Decrypts the encrypted data it receives. - Validates the data it has received - Creates a report, and shares the evaluation results to the MDM server via SSL in XML format -## **Step 8: Take appropriate policy action based on evaluation results** - +### Step 8: Take appropriate policy action based on evaluation results After the MDM server receives the verified data, the information can be used to make policy decisions by evaluating the data. Some possible actions would be: @@ -471,7 +842,7 @@ After the MDM server receives the verified data, the information can be used to - Allow the device to access the resources, but flag the device for further investigation. - Prevent a device from accessing resources. -The following list of data points are verified by the DHA-Service in DHA-Report version 3: +The following list of data points is verified by the DHA-Service in DHA-Report version 3: - [Issued](#issued ) - [AIKPresent](#aikpresent) @@ -503,113 +874,123 @@ The following list of data points are verified by the DHA-Service in DHA-Report \* TPM 2.0 only \*\* Reports if BitLocker was enabled during initial boot. -\*\*\* The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot. +\*\*\* The "Hybrid Resume" must be disabled on the device. Reports first-party ELAM "Defender" was loaded during boot. Each of these are described in further detail in the following sections, along with the recommended actions to take. **Issued** -

                  The date and time DHA-report was evaluated or issued to MDM.

                  + +The date and time DHA-report was evaluated or issued to MDM. **AIKPresent** -

                  When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate.

                  -

                  If AIKPresent = True (1), then allow access.

                  +When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate. -

                  If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:

                  +If AIKPresent = True (1), then allow access. -- Disallow all access -- Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. -- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. +If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies: + +- Disallow all access +- Disallow access to HBI assets +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. +- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **ResetCount** (Reported only for devices that support TPM 2.0) -

                  This attribute reports the number of times a PC device has hibernated or resumed.

                  + +This attribute reports the number of times a PC device has hibernated or resumed. **RestartCount** (Reported only for devices that support TPM 2.0) -

                  This attribute reports the number of times a PC device has rebooted

                  + +This attribute reports the number of times a PC device has rebooted. **DEPPolicy** -

                  A device can be trusted more if the DEP Policy is enabled on the device.

                  -

                  Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on.

                  +A device can be trusted more if the DEP Policy is enabled on the device. -

                  DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:

                  +Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on. + +DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script: - To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff** - To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn** -

                  If DEPPolicy = 1 (On), then allow access.

                  +If DEPPolicy = 1 (On), then allow access. -

                  If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:

                  +If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BitLockerStatus** (at boot time) -

                  When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.

                  -

                  Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.

                  +When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation. -

                  If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.

                  +Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen. -

                  If BitLockerStatus = 1 (On), then allow access.

                  +If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer. -

                  If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:

                  +If BitLockerStatus = 1 (On), then allow access. + +If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootManagerRevListVersion** -

                  This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment.

                  -

                  If BootManagerRevListVersion = [CurrentVersion], then allow access.

                  +This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment. -

                  If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:

                  +If BootManagerRevListVersion = [CurrentVersion], then allow access. + +If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI and MBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityRevListVersion** -

                  This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.

                  -

                  If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.

                  +This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action. -

                  If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:

                  +If CodeIntegrityRevListVersion = [CurrentVersion], then allow access. + +If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI and MBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **SecureBootEnabled** -

                  When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.

                  -

                  If SecureBootEnabled = 1 (True), then allow access.

                  +When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot. -

                  If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:

                  +If SecureBootEnabled = 1 (True), then allow access. + +If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootDebuggingEnabled** -

                  Boot debug enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.

                  -

                  Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:

                  +Boot debug-enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development. + +Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script: - To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off** - To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on** -

                  If BootdebuggingEnabled = 0 (False), then allow access.

                  +If BootdebuggingEnabled = 0 (False), then allow access. -

                  If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:

                  +If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets @@ -617,44 +998,47 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script. **OSKernelDebuggingEnabled** -

                  OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.

                  -

                  If OSKernelDebuggingEnabled = 0 (False), then allow access.

                  +OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development. -

                  If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:

                  +If OSKernelDebuggingEnabled = 0 (False), then allow access. + +If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityEnabled** -

                  When code integrity is enabled, code execution is restricted to integrity verified code.

                  -

                  Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.

                  +When code integrity is enabled, code execution is restricted to integrity verified code. -

                  On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.

                  +Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges. -

                  If CodeIntegrityEnabled = 1 (True), then allow access.

                  +On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. -

                  If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:

                  +If CodeIntegrityEnabled = 1 (True), then allow access. + +If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **TestSigningEnabled** -

                  When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot.

                  -

                  Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:

                  +When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot. + +Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script: - To disable boot debugging, type **bcdedit.exe /set {current} testsigning off** - To enable boot debugging, type **bcdedit.exe /set {current} testsigning on** -

                  If TestSigningEnabled = 0 (False), then allow access.

                  +If TestSigningEnabled = 0 (False), then allow access. -

                  If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:

                  +If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI and MBI assets @@ -662,33 +1046,36 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script. **SafeMode** -
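Review bot: In the TestSigningEnabled section the two unchanged bullets still read `To disable boot debugging, type **bcdedit.exe /set {current} testsigning off**` and `To enable boot debugging, type **bcdedit.exe /set {current} testsigning on**`, although the commands toggle test signing, not boot debugging. They should read `To disable test signing, type ...` and `To enable test signing, type ...`. The first context line of the next hunk (`@@ -662,33 +1046,36 @@`) has a related slip: the corrective action for TestSigningEnabled = 1 is given as `enabling test signing`, whereas the page allows access only when the value is 0, so the remediation should be `disabling test signing`. This text drives conditional-access remediation, so both are worth fixing in the same pass as the other copy edits.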

                  Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.

                  -

                  If SafeMode = 0 (False), then allow access.

                  +Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started. -

                  If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:

                  +If SafeMode = 0 (False), then allow access. + +If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **WinPE** -

                  Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup.

                  -

                  If WinPE = 0 (False), then allow access.

                  +Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup. -

                  If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.

                  +If WinPE = 0 (False), then allow access. + +If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation. **ELAMDriverLoaded** (Windows Defender) -

                  To use this reporting feature you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.

                  -

                  In the current release, this attribute only monitors/reports if a Microsoft 1st party ELAM (Windows Defender) was loaded during initial boot.

                  +To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize. -

                  If a device is expected to use a 3rd party antivirus program, ignore the reported state.

                  +In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM (Windows Defender) was loaded during initial boot. -

                  If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.

                  +If a device is expected to use a third-party antivirus program, ignore the reported state. -

                  If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device:

                  +If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access. + +If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device: - Disallow all access - Disallow access to HBI assets @@ -696,61 +1083,63 @@ Each of these are described in further detail in the following sections, along w **Bcdedit.exe /set {current} vsmlaunchtype auto** -

                  If ELAMDriverLoaded = 1 (True), then allow access.

                  +If ELAMDriverLoaded = 1 (True), then allow access. -

                  If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:

                  +If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **VSMEnabled** -

                  Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1GB of memory – it has just enough capability to run the LSA service that is used for all authentication brokering.

                  -

                  VSM can be enabled by using the following command in WMI or a PowerShell script:

                  +Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1 GB of memory – it has enough capability to run the LSA service that is used for all authentication brokering. -

                  bcdedit.exe /set {current} vsmlaunchtype auto

                  +VSM can be enabled by using the following command in WMI or a PowerShell script: -

                  If VSMEnabled = 1 (True), then allow access.

                  -

                  If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:

                  +`bcdedit.exe /set {current} vsmlaunchtype auto` + +If VSMEnabled = 1 (True), then allow access. +If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue **PCRHashAlgorithmID** -

                  This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required.

                  + +This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required. **BootAppSVN** -

                  This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device

                  -

                  If reported BootAppSVN equals an accepted value, then allow access.

                  +This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device -

                  If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

                  +If reported BootAppSVN equals an accepted value, then allow access. + +If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **BootManagerSVN** -

                  This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device.

                  -

                  If reported BootManagerSVN equals an accepted value, then allow access.

                  +This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device. -

                  If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

                  +If reported BootManagerSVN equals an accepted value, then allow access. + +If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **TPMVersion** -

                  This attribute identifies the version of the TPM that is running on the attested device.

                  -

                  TPMVersion node provides to replies "1" and "2":

                  -
                    -
                  • 1 means TPM specification version 1.2
                  • -
                  • 2 means TPM specification version 2.0
                  • -
                  +This attribute identifies the version of the TPM that is running on the attested device. TPMVersion node provides to replies "1" and "2": -

                  Based on the reply you receive from TPMVersion node:

                  +- 1 means TPM specification version 1.2 +- 2 means TPM specification version 2.0 + +Based on the reply you receive from TPMVersion node: - If reported TPMVersion equals an accepted value, then allow access. - If reported TPMVersion does not equal an accepted value, then take one of the following actions that align with your enterprise policies: @@ -758,277 +1147,193 @@ Each of these are described in further detail in the following sections, along w - Direct the device to an enterprise honeypot, to further monitor the device's activities. **PCR0** -

                  The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.

                  -

                  Enterprise managers can create a allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.

                  +The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer. -

                  If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.

                  +Enterprise managers can create an allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison. -

                  If PCR[0] equals an accepted allow list value, then allow access.

                  +If your enterprise does not have a allow list of accepted PCR[0] values, then take no action. -

                  If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies:

                  +If PCR[0] equals an accepted allow list value, then allow access. + +If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **SBCPHash** -

                  SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.

                  -

                  If SBCPHash is not present, or is an accepted allow-listed value, then allow access. +SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs. -

                  If SBCPHash is present in DHA-Report, and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:

                  +If SBCPHash is not present, or is an accepted allow-listed value, then allow access. + +If SBCPHash is present in DHA-Report, and is not an allow-listed value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. **CIPolicy** -

                  This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.

                  -

                  If CIPolicy is not present, or is an accepted allow-listed value, then allow access.

                  +This attribute indicates the Code Integrity policy that is controlling the security of the boot environment. -

                  If CIPolicy is present and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:

                  +If CIPolicy is not present, or is an accepted allow-listed value, then allow access. + +If CIPolicy is present and is not an allow-listed value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. **BootRevListInfo** -

                  This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device.

                  -

                  If reported BootRevListInfo version equals an accepted value, then allow access.

                  +This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device. -

                  If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

                  +If reported BootRevListInfo version equals an accepted value, then allow access. + +If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **OSRevListInfo** -

                  This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device.

                  -

                  If reported OSRevListInfo version equals an accepted value, then allow access.

                  +This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device. -

                  If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

                  +If reported OSRevListInfo version equals an accepted value, then allow access. + +If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **HealthStatusMismatchFlags** -

                  HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation.

                  -

                  In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.

                  +HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation. -## **Device HealthAttestation CSP status and error codes** +In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +### Device HealthAttestation CSP status and error codes -
                  Error codeError nameDescription
                  0HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZEDThis is the initial state for devices that have never participated in a DHA-Session.
                  1HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTEDThis state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server.
                  2HEALTHATTESTATION_CERT_RETRIEVAL_FAILEDThis state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.
                  3HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETEThis state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server.
                  4HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAILDeprecated in Windows 10, version 1607.
                  5HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAILDHA-CSP failed to get a claim quote.
                  6HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READYDHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider.
                  7HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAILDHA-CSP failed in retrieving Windows AIK
                  8HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAILDeprecated in Windows 10, version 1607.
                  9HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSIONInvalid TPM version (TPM version is not 1.2 or 2.0)
                  10HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAILNonce was not found in the registry.
                  11HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAILCorrelation ID was not found in the registry.
                  12HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAILDeprecated in Windows 10, version 1607.
                  13HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAILDeprecated in Windows 10, version 1607.
                  14HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAILFailure in Encoding functions. (Extremely unlikely scenario)
                  15HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAILDeprecated in Windows 10, version 1607.
                  16HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XMLDHA-CSP failed to load the payload it received from DHA-Service
                  17HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XMLDHA-CSP received a corrupted response from DHA-Service.
                  18HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XMLDHA-CSP received an empty response from DHA-Service.
                  19HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EKDHA-CSP failed in decrypting the AES key from the EK challenge.
                  20HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EKDHA-CSP failed in decrypting the health cert with the AES key.
                  21HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUBDHA-CSP failed in exporting the AIK Public Key.
                  22HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLYDHA-CSP failed in trying to create a claim with AIK attestation data.
                  23HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUBDHA-CSP failed in appending the AIK Pub to the request blob.
                  24HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERTDHA-CSP failed in appending the AIK Cert to the request blob.
                  25HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLEDHA-CSP failed to obtain a Session handle.
                  26HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLEDHA-CSP failed to connect to the DHA-Service.
                  27HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLEDHA-CSP failed to create a HTTP request handle.
                  28HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTIONDHA-CSP failed to set options.
                  29HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERSDHA-CSP failed to add request headers.
                  30HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUESTDHA-CSP failed to send the HTTP request.
                  31HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSEDHA-CSP failed to receive a response from the DHA-Service.
                  32HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERSDHA-CSP failed to query headers when trying to get HTTP status code.
                  33HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSEDHA-CSP received an empty response from DHA-Service even though HTTP status was OK.
                  34HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSEDHA-CSP received an empty response along with a HTTP error code from DHA-Service.
                  35HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USERDHA-CSP failed to impersonate user.
                  36HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATORDHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode.
                  0xFFFFHEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWNDHA-CSP failed due to an unknown reason, this error is highly unlikely to occur.
                  400Bad_Request_From_ClientDHA-CSP has received a bad (malformed) attestation request.
                  404Endpoint_Not_ReachableDHA-Service is not reachable by DHA-CSP
                  +Error code: 0 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED +Error description: This is the initial state for devices that have never participated in a DHA-Session. -## DHA-Report V3 schema +Error code: 1 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED +Error description: This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server. +Error code: 2 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED +Error description: This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server. + +Error code: 3 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE +Error description: This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server. + +Error code: 4 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL +Error description: Deprecated in Windows 10, version 1607. + +Error code: 5 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL +Error description: DHA-CSP failed to get a claim quote. + +Error code: 6 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY +Error description: DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider. + +Error code: 7 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL +Error description: DHA-CSP failed in retrieving Windows AIK + +Error code: 8 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL +Error description: Deprecated in Windows 10, version 1607. + +Error code: 9 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION +Error description: Invalid TPM version (TPM version is not 1.2 or 2.0) + +Error code: 10 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL +Error description: Nonce was not found in the registry. 
+ +Error code: 11 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL +Error description: Correlation ID was not found in the registry. + +Error code: 12 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL +Error description: Deprecated in Windows 10, version 1607. + +Error code: 13 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL +Error description: Deprecated in Windows 10, version 1607. + +Error code: 14 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL +Error description: Failure in Encoding functions. (Extremely unlikely scenario) + +Error code: 15 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL +Error description: Deprecated in Windows 10, version 1607. + +Error code: 16 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML +Error description: DHA-CSP failed to load the payload it received from DHA-Service + +Error code: 17 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML +Error description: DHA-CSP received a corrupted response from DHA-Service. + +Error code: 18 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML +Error description: DHA-CSP received an empty response from DHA-Service. + +Error code: 19 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK +Error description: DHA-CSP failed in decrypting the AES key from the EK challenge. + +Error code: 20 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK +Error description: DHA-CSP failed in decrypting the health cert with the AES key. + +Error code: 21 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB +Error description: DHA-CSP failed in exporting the AIK Public Key. + +Error code: 22 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY +Error description: DHA-CSP failed in trying to create a claim with AIK attestation data. 
+ +Error code: 23 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB +Error description: DHA-CSP failed in appending the AIK Pub to the request blob. + +Error code: 24 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT +Error description: DHA-CSP failed in appending the AIK Cert to the request blob. + +Error code: 25 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE +Error description: DHA-CSP failed to obtain a Session handle. + +Error code: 26 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE +Error description: DHA-CSP failed to connect to the DHA-Service. + +Error code: 27 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHAND +Error description: DHA-CSP failed to create an HTTP request handle. + +Error code: 28 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION +Error description: DHA-CSP failed to set options. + +Error code: 29 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS +Error description: DHA-CSP failed to add request headers. + +Error code: 30 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST +Error description: DHA-CSP failed to send the HTTP request. + +Error code: 31 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE +Error description: DHA-CSP failed to receive a response from the DHA-Service. + +Error code: 32 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS +Error description: DHA-CSP failed to query headers when trying to get HTTP status code. + +Error code: 33 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE +Error description: DHA-CSP received an empty response from DHA-Service even though HTTP status was OK. + +Error code: 34 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE +Error description: DHA-CSP received an empty response along with an HTTP error code from DHA-Service. 
+ +Error code: 35 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER +Error description: DHA-CSP failed to impersonate user. + +Error code: 36 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR +Error description: DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode. + +Error code: 0xFFFF | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN +Error description: DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur. + +Error code: 400 | Error name: Bad_Request_From_Client +Error description: DHA-CSP has received a bad (malformed) attestation request. + +Error code: 404 | Error name: Endpoint_Not_Reachable +Error description: DHA-Service is not reachable by DHA-CSP + +### DHA-Report V3 schema ```xml @@ -1131,8 +1436,7 @@ Each of these are described in further detail in the following sections, along w ``` -## DHA-Report example - +### DHA-Report example ```xml @@ -1169,10 +1473,6 @@ xmlns="http://schemas.microsoft.com/windows/security/healthcertificate/validatio ``` - - ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) - diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md index d7209b1cf2..651900e2d8 100644 --- a/windows/client-management/mdm/healthattestation-ddf.md +++ b/windows/client-management/mdm/healthattestation-ddf.md 
@@ -22,193 +22,430 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic The XML below is the current version for this CSP. ```xml - -]> - - 1.2 - + + + + + 1.2 + $(runtime.windows)\system32\hascsp.dll + + {9DCCCE22-C057-424E-B8D1-67935988B174} + HealthAttestation ./Vendor/MSFT - - - - - - - - - - - - - - com.microsoft/1.2/MDM/HealthAttestation - + + + + The root node for the device HealthAttestation configuration service provider. + + + + + + + + + + + com.microsoft/1.4/MDM/HealthAttestation + + + 10.0.10586 + 1.0 + + + + + - VerifyHealth - - - - - - - - - - - - - - + VerifyHealth + + + + + Notifies the device to prepare a device health verification request. + + + + + + + + + + + text/plain + + + - Status - - - - - - - - - - - - - - - text/plain - - + Status + + + + + Provides the current status of the device health request. For the complete list of status see https://docs.microsoft.com/en-us/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes + + + + + + + + + + + text/plain + + - ForceRetrieve - - - - - - False - - - - - - - - - - - text/plain - - + ForceRetrieve + + + + + + False + Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service. + + + + + + + + + + + text/plain + + + + false + False + + + true + True + + + - Certificate - - - - - - - - - - - - - - - - - + Certificate + + + + + Instructs the DHA-CSP to forward DHA-Data to the MDM server. 
+ + + + + + + + + + + text/plain + + - Nonce - - - - - - \0 - - - - - - - - - - - text/plain - - + Nonce + + + + + + \0 + Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server. The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes. + + + + + + + + + + + text/plain + + + + - CorrelationID - - - - - - - - - - - - - - - text/plain - - + CorrelationID + + + + + Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting. + + + + + + + + + + + text/plain + + + + - HASEndpoint - - - - - - - - - - - - - text/plain - - + HASEndpoint + + + + + + has.spserv.microsoft.com. + Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service. + + + + + + + + + + + text/plain + + + + - TpmReadyStatus - - - - - - - - - - - - - - - text/plain - - + TpmReadyStatus + + + + + Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state. + + + + + + + + + + + text/plain + + + 10.0.14393 + 1.1 + + - - + + CurrentProtocolVersion + + + + + Provides the current protocol version that the client is using to communicate with the Health Attestation Service. + + + + + + + + + + + text/plain + + + 10.0.16299 + 1.3 + + + + + PreferredMaxProtocolVersion + + + + + + 3 + Provides the maximum preferred protocol version that the client is configured to communicate over. If this is higher than the protocol versions supported by the client it will use the highest protocol version available to it. 
+ + + + + + + + + + + text/plain + + + 10.0.16299 + 1.3 + + + + + + + MaxSupportedProtocolVersion + + + + + Returns the maximum protocol version that this client can support. + + + + + + + + + + + text/plain + + + 10.0.16299 + 1.3 + + + + + TriggerAttestation + + + + + Notifies the device to trigger an attestation session asynchronously. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.4 + + + + + + + GetAttestReport + + + + + Retrieve attestation session report if exists. + + + + + + + + + + + + + + 99.9.99999 + 1.4 + + + + + AttestStatus + + + + + AttestStatus maintains the success or failure status code for the last attestation session. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.4 + + + + + GetServiceCorrelationIDs + + + + + Retrieve service correlation IDs if exist. + + + + + + + + + + + + + + 99.9.99999 + 1.4 + + + + + + + + ``` diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md index af7934b674..897e8ee489 100644 --- a/windows/client-management/mdm/hotspot-csp.md +++ b/windows/client-management/mdm/hotspot-csp.md 
@@ -17,17 +17,31 @@ ms.date: 06/26/2017 The HotSpot configuration service provider is used to configure and enable Internet sharing on the device, in which the device can be configured to share its cellular connection over Wi-Fi with up to eight client devices or computers. -> **Note**  HotSpot CSP is only supported in Windows 10 Mobile. +> [!Note] +> HotSpot CSP is only supported in Windows 10 Mobile. > -> -> -> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION capability to be accessed from a network configuration application. +> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION capability to be accessed from a network configuration application. - +The following shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider. -The following diagram shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider. - -![hotspot csp (cp).](images/provisioning-csp-hotspot-cp.png) +```console +./Vendor/MSFT +HotSpot +-------Enabled +-------DedicatedConnections +-------TetheringNAIConnection +-------MaxUsers +-------MaxBluetoothUsers +-------MOHelpNumber +-------MOInfoLink +-------MOAppLink +-------MOHelpMessage +-------EntitlementRequired +-------EntitlementDll +-------EntitlementInterval +-------PeerlessTimeout +-------PublicConnectionTimeout +``` **Enabled** Required. Specifies whether to enable Internet sharing on the device. The default is false. 
@@ -45,8 +59,8 @@ By default, any available connection will be used as a public connection. Howeve Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections. -> **Note**   The mapping policy will also include the connection specified in the **TetheringNAIConnection** value as well. - +> [!Note] +> The mapping policy will also include the connection specified in the **TetheringNAIConnection** value as well. If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share @@ -60,9 +74,8 @@ If a CDMA mobile operator requires using a Tethering NAI during Internet sharing Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections. -> **Note**   The mapping policy will also include the connections specified in the **DedicatedConnections** as well. - - +> [!Note] +> The mapping policy will also include the connections specified in the **DedicatedConnections** as well. If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share @@ -92,8 +105,8 @@ Optional. Reference to a localized string, provided by the mobile operator, that Where `` is the path to the resource dll that contains the string and `` is the string identifier. For more information on language-neutral string resource registry values, see [Using Registry String Redirection](/windows/win32/intl/using-registry-string-redirection) on MSDN. -> **Note**  MOAppLink is required to use the MOHelpMessage setting. - +> [!Note] +> MOAppLink is required to use the MOHelpMessage setting. **EntitlementRequired** 
@@ -120,14 +133,14 @@ Optional. The time-out value, in minutes, after which Internet sharing is automa Changes to this node require a reboot. **MinWifiKeyLength** -> **Important**   This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi key is 8. - +> [!Important] +> This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi key is 8. **MinWifiSSIDLength** -> **Important**   This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi SSID is 1. - +> [!Important] +> This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi SSID is 1. ## Additional requirements for CDMA networks @@ -152,7 +165,8 @@ For CDMA networks that use a separate Network Access Identity (NAI) for Internet ``` -> **Note**  CDMA devices are limited to one active data connection at a time. This means any application or service (such as email or MMS) that is bound to another connection may not work while Internet sharing is turned on. +> [!Note] +> CDMA devices are limited to one active data connection at a time. This means any application or service (such as email or MMS) that is bound to another connection may not work while Internet sharing is turned on. @@ -169,34 +183,11 @@ The DLL must be code signed in a specific way, see [Sign binaries and packages]( During an entitlement check the Internet Sharing service loads the specified DLL and then call the `IsEntitled` function. The function must connect to the server to perform any required validation, then return one of the following **ICS\_ENTITLEMENT\_RESULT** enumeration values. - ---- - - - - - - - - - - - - - - - - - - - - -
                  ValueDescription

                  ENTITLEMENT_SUCCESS

                  The device is allowed to connect to the server.

                  ENTITLEMENT_FAILED

                  The device is not allowed to connect to the server

                  ENTITLEMENT_UNAVAILABLE

                  The entitlement check failed because the device could not contact the server or acquire a connection to verify entitlement.

                  - - +|Value|Description| +|--- |--- | +|**ENTITLEMENT_SUCCESS**|The device is allowed to connect to the server.| +|**ENTITLEMENT_FAILED**|The device is not allowed to connect to the server| +|**ENTITLEMENT_UNAVAILABLE**|The entitlement check failed because the device could not contact the server or acquire a connection to verify entitlement.| The definition for the **ICS\_ENTITLEMENT\_RESULT** is in the header file `IcsEntitlementh`, which ships with the Windows Adaptation Kit. diff --git a/windows/client-management/mdm/images/configlock-mem-createprofile.png b/windows/client-management/mdm/images/configlock-mem-createprofile.png new file mode 100644 index 0000000000..f43f6b7ddb Binary files /dev/null and b/windows/client-management/mdm/images/configlock-mem-createprofile.png differ diff --git a/windows/client-management/mdm/images/configlock-mem-dev.png b/windows/client-management/mdm/images/configlock-mem-dev.png new file mode 100644 index 0000000000..3ce6cd456d Binary files /dev/null and b/windows/client-management/mdm/images/configlock-mem-dev.png differ diff --git a/windows/client-management/mdm/images/configlock-mem-devstatus.png b/windows/client-management/mdm/images/configlock-mem-devstatus.png new file mode 100644 index 0000000000..2e78bf58e5 Binary files /dev/null and b/windows/client-management/mdm/images/configlock-mem-devstatus.png differ diff --git a/windows/client-management/mdm/images/configlock-mem-editrow.png b/windows/client-management/mdm/images/configlock-mem-editrow.png new file mode 100644 index 0000000000..18595f86dc Binary files /dev/null and b/windows/client-management/mdm/images/configlock-mem-editrow.png differ 
diff --git a/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png b/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png
new file mode 100644
index 0000000000..1e315bc4b1
Binary files /dev/null and b/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png differ
diff --git a/windows/client-management/mdm/images/faq-max-devices.png b/windows/client-management/mdm/images/faq-max-devices.png
index bf101a0215..f2d177b92f 100644
Binary files a/windows/client-management/mdm/images/faq-max-devices.png and b/windows/client-management/mdm/images/faq-max-devices.png differ
diff --git a/windows/client-management/mdm/images/flow-configlock.png b/windows/client-management/mdm/images/flow-configlock.png
new file mode 100644
index 0000000000..4310537887
Binary files /dev/null and b/windows/client-management/mdm/images/flow-configlock.png differ
diff --git a/windows/client-management/mdm/images/maa-attestation-flow.png b/windows/client-management/mdm/images/maa-attestation-flow.png
new file mode 100644
index 0000000000..ac91ff242a
Binary files /dev/null and b/windows/client-management/mdm/images/maa-attestation-flow.png differ
diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
index 68633b48af..396d3ea018 100644
--- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
@@ -18,11 +18,11 @@ The Windows version of mobile application management (MAM) is a lightweight solu ## Integration with Azure AD -MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).  +MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).  -MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD integrated MDM services are provided in an organization, a users’ personal devices will be enrolled to MAM or MDM, depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices. +MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a users’ personal devices will be enrolled to MAM or MDM, depending on the user’s actions. 
If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices. -On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**. +On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**. Regular non-admin users can enroll to MAM.  
@@ -44,7 +44,7 @@ To make applications WIP-aware, app developers need to include the following dat MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.  -![Mobile application management app.](images/implement-server-side-mobile-application-management.png) +:::image type="content" alt-text="Mobile application management app." source="images/implement-server-side-mobile-application-management.png"::: MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. Please note: if the MDM service in an organization is not integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.  @@ -129,40 +129,8 @@ If the MAM device is properly configured for MDM enrollment, then the Enroll onl We have updated Skype for Business to work with MAM. The following table explains Office release channels and release dates for Skype for Business compliance with the MAM feature. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Update channelPrimary purposeLOB Tattoo availabilityDefault update channel for the products
                  Current channelProvide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. March 9 2017

                  Visio Pro for Office 365

                  -

                  Project Desktop Client

                  -

                  Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)

                  Deferred channelProvide users with new features of Office only a few times a year.October 10 2017Microsoft 365 Apps for enterprise
                  First release for Deferred channelProvide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. June 13 2017
                  \ No newline at end of file +|Update channel|Primary purpose|LOB Tattoo availability|Default update channel for the products| +|--- |--- |--- |--- | +|[Current channel](/deployoffice/overview-update-channels#BKMK_CB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|March 9 2017|Visio Pro for Office 365
                  Project Desktop Client
                  Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)| +|[Deferred channel](/deployoffice/overview-update-channels#BKMK_CBB)|Provide users with new features of Office only a few times a year.|October 10 2017|Microsoft 365 Apps for enterprise| +|[First release for deferred channel](/deployoffice/overview-update-channels#BKMK_FRCBB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|June 13 2017|| diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index a7236eea80..bba400d65a 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -1,6 +1,6 @@ --- title: Mobile device management -description: Windows 10 provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy +description: Windows 10 and Windows 11 provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy MS-HAID: - 'p\_phDeviceMgmt.provisioning\_and\_device\_management' - 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm' 
@@ -14,10 +14,9 @@ author: dansimp # Mobile device management +Windows 10 and Windows 11 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server. -Windows 10 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users’ privacy on their personal devices. A built-in management component can communicate with the management server. - -There are two parts to the Windows 10 management component: +There are two parts to the Windows management component: - The enrollment client, which enrolls and configures the device to communicate with the enterprise management server. - The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT. 
@@ -26,20 +25,20 @@ Third-party MDM servers can manage Windows 10 by using the MDM protocol. The bu ## MDM security baseline -With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros’ operational needs, addressing security concerns for modern cloud-managed devices. - +With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros' operational needs, addressing security concerns for modern cloud-managed devices. The MDM security baseline includes policies that cover the following areas: -- Microsoft inbox security technology (not deprecated) such as BitLocker, Windows Defender SmartScreen, and DeviceGuard (virtual-based security), ExploitGuard, Defender, and Firewall +- Microsoft inbox security technology (not deprecated) such as BitLocker, Windows Defender SmartScreen, and Device Guard (virtual-based security), Exploit Guard, Microsoft Defender Antivirus, and Firewall - Restricting remote access to devices - Setting credential requirements for passwords and PINs - Restricting use of legacy technology - Legacy technology policies that offer alternative solutions with modern technology - And much more -For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see: +For more details about the MDM policies defined in the MDM security baseline and what Microsoft's recommended baseline policy values are, see: +- [MDM Security baseline for Windows 11](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/Windows11-MDM-SecurityBaseLine-Document.zip) - [MDM Security baseline for Windows 10, version 
2004](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/2004-MDM-SecurityBaseLine-Document.zip) - [MDM Security baseline for Windows 10, version 1909](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1909-MDM-SecurityBaseLine-Document.zip) - [MDM Security baseline for Windows 10, version 1903](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1903-MDM-SecurityBaseLine-Document.zip) @@ -82,6 +81,3 @@ When an organization wants to move to MDM to manage devices, they should prepare - [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md) - [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md) - [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) - - - diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index f2da07d4e2..6baab87be6 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md @@ -34,26 +34,12 @@ For additional information about Store for Business, see the TechNet topics in [ The Store for Business provides services that enable a management tool to synchronize new and updated applications on behalf of an organization. Once synchronized, you can distribute new and updated applications using the Windows Management framework. The services provides several capabilities including providing application data, the ability to assign and reclaim applications, and the ability to download offline-licensed application packages. - ---- - - - - - - - - - - -

                  Application data

                  The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications.

                  Licensing models

                  Offline vs. Online

                  -

                  Online-licensed applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.

                  -

                  Offline-licensed applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store.

                  +- **Application data**: The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications. - +- **Licensing models**: + + - **Online-licensed** applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services. + - **Offline-licensed** applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store. ### Offline-licensed application distribution 
@@ -89,13 +75,11 @@ MTS requires calls to be authenticated using an Azure AD OAuth bearer token. The
 Here are the details for requesting an authorization token:
-- Login Authority = https://login.windows.net/\
-- Resource/audience\* = https://onestore.microsoft.com
+- Login Authority = `https://login.windows.net/`
+- Resource/audience = `https://onestore.microsoft.com`: The token audience URI is meant as an identifier of the application for which the token is being generated, and it is not a URL for a service endpoint or a web-page.
 - ClientId = your AAD application client id
 - ClientSecret = your AAD application client secret/key
-\* The token audience URI is meant as an identifier of the application for which the token is being generated, and it is not a URL for a service endpoint or a web-page.
-
 ## Using the management tool
 After registering your management tool with Azure AD, the management tool can call into the management services. There are a couple of call patterns:
diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md
index 69893ff362..1e87fad908 100644
--- a/windows/client-management/mdm/messaging-csp.md
+++ b/windows/client-management/mdm/messaging-csp.md
@@ -15,9 +15,18 @@ manager: dansimp
 The Messaging configuration service provider is used to configure the ability to get text messages audited on a mobile device. This CSP was added in Windows 10, version 1703.
-The following diagram shows the Messaging configuration service provider in tree format.
+The following shows the Messaging configuration service provider in tree format.
-![messaging csp.](images/provisioning-csp-messaging.png)
+```console
+./User/Vendor/MSFT
+Messaging
+----AuditingLevel
+----Auditing
+--------Messages
+----------Count
+----------RevisionId
+----------Data
+```
 **./User/Vendor/MSFT/Messaging**
diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md
index ceacdde6dd..149069b97b 100644
--- a/windows/client-management/mdm/mobile-device-enrollment.md
+++ b/windows/client-management/mdm/mobile-device-enrollment.md
@@ -66,13 +66,13 @@ Devices that are joined to an on-premises Active Directory can enroll into MDM v
 ## Disable MDM enrollments
-Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**.
+In Windows 10 and Windows 11, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**.
 ![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png)
 Here is the corresponding registry key:
-Key: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\MDM
+HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM
 Value: DisableRegistration
@@ -80,19 +80,8 @@ Value: DisableRegistration The following scenarios do not allow MDM enrollments: -- Built-in administrator accounts on Windows desktop cannot enroll into MDM. -- Standard users cannot enroll in MDM. Only admin users can enroll. -- Windows 8.1 devices enrolled into MDM via enroll-on-behalf-of (EOBO) can upgrade to Windows 10, but the enrollment is not supported. We recommend performing a server initiated unenroll to remove these enrollments and then enrolling after the upgrade to Windows 10 is completed. - -## Enrollment migration - -**Desktop:** After the MDM client upgrade from Windows 8.1 to Windows 10, enrollment migration starts at the first client-initiated sync with the MDM service. The enrollment migration start time depends on the MDM server configuration. For example, for Intune it runs every 6 hours. - -Until the enrollment migration is completed, the user interface will show no enrollment and server push will not work. - -To manually trigger enrollment migration, you can run MDMMaintenenceTask. - -**Mobile devices:** After the MDM client upgrade from Windows Phone 8.1 to Windows 10 Mobile, enrollment migration is performed during the first boot after the upgrade. +- Built-in administrator accounts on Windows desktop cannot enroll into MDM. +- Standard users cannot enroll in MDM. Only admin users can enroll. ## Enrollment error messages @@ -121,75 +110,49 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma ``` - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  NamespaceSubcodeErrorDescriptionHRESULT

                  s:

                  MessageFormat

                  MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR

                  Message format is bad

                  80180001

                  s:

                  Authentication

                  MENROLL_E_DEVICE_AUTHENTICATION_ERROR

                  User not recognized

                  80180002

                  s:

                  Authorization

                  MENROLL_E_DEVICE_AUTHORIZATION_ERROR

                  User not allowed to enroll

                  80180003

                  s:

                  CertificateRequest

                  MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR

                  Failed to get certificate

                  80180004

                  s:

                  EnrollmentServer

                  MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR

                  80180005

                  a:

                  InternalServiceFault

                  MENROLL_E_DEVICE_INTERNALSERVICE_ERROR

                  The server hit an unexpected issue

                  80180006

                  a:

                  InvalidSecurity

                  MENROLL_E_DEVICE_INVALIDSECURITY_ERROR

                  Cannot parse the security header

                  80180007

                  +**Sample error messages** + +- **Namespace**: `s:` + - **Subcode**: MessageFormat + - **Error**: MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR + - **Description**: Invalid message from the Mobile Device Management (MDM) server. + - **HRESULT**: 80180001 + +- **Namespace**: `s:` + - **Subcode**: Authentication + - **Error**: MENROLL_E_DEVICE_AUTHENTICATION_ERROR + - **Description**: The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator. + - **HRESULT**: 80180002 + +- **Namespace**: `s:` + - **Subcode**: Authorization + - **Error**: MENROLL_E_DEVICE_AUTHORIZATION_ERROR + - **Description**: The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator. + - **HRESULT**: 80180003 + +- **Namespace**: `s:` + - **Subcode**: CertificateRequest + - **Error**: MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR + - **Description**: The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator. + - **HRESULT**: 80180004 + +- **Namespace**: `s:` + - **Subcode**: EnrollmentServer + - **Error**: MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR + - **Description**: The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator. + - **HRESULT**: 80180005 + +- **Namespace**: `a:` + - **Subcode**: InternalServiceFault + - **Error**: MENROLL_E_DEVICE_INTERNALSERVICE_ERROR + - **Description**: There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator. + - **HRESULT**: 80180006 + +- **Namespace**: `a:` + - **Subcode**: InvalidSecurity + - **Error**: MENROLL_E_DEVICE_INVALIDSECURITY_ERROR + - **Description**: The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator. 
+ - **HRESULT**: 80180007 In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here is an example: @@ -223,66 +186,42 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. ``` - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  SubcodeErrorDescriptionHRESULT

                  DeviceCapReached

                  MENROLL_E_DEVICECAPREACHED

                  User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help.

                  80180013

                  DeviceNotSupported

                  MENROLL_E_DEVICENOTSUPPORTED

                  Specific platform (e.g. Windows) or version is not supported. There is no point retrying or calling admin. User could upgrade device.

                  80180014

                  NotSupported

                  MENROLL_E_NOTSUPPORTED

                  Mobile device management generally not supported (would save an admin call)

                  80180015

                  NotEligibleToRenew

                  MENROLL_E_NOTELIGIBLETORENEW

                  Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling.

                  80180016

                  InMaintenance

                  MENROLL_E_INMAINTENANCE

                  Account is in maintenance, retry later. The user can retry later, but they may need to contact the admin because they would not know when problem is solved.

                  80180017

                  UserLicense

                  MENROLL_E_USERLICENSE

                  License of user is in bad state and blocking the enrollment. The user needs to call the admin.

                  80180018

                  InvalidEnrollmentData

                  MENROLL_E_ENROLLMENTDATAINVALID

                  The server rejected the enrollment data. The server may not be configured correctly.

                  80180019

                  +**Sample error messages** + +- **Subcode**: DeviceCapReached + - **Error**: MENROLL_E_DEVICECAPREACHED + - **Description**: The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error. + - **HRESULT**: 80180013 + +- **Subcode**: DeviceNotSupported + - **Error**: MENROLL_E_DEVICENOTSUPPORTED + - **Description**: The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device. + - **HRESULT**: 80180014 + +- **Subcode**: NotSupported + - **Error**: MENROLL_E_NOT_SUPPORTED + - **Description**: Mobile Device Management (MDM) is generally not supported for this device. + - **HRESULT**: 80180015 + +- **Subcode**: NotEligibleToRenew + - **Error**: MENROLL_E_NOTELIGIBLETORENEW + - **Description**: The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device. + - **HRESULT**: 80180016 + +- **Subcode**: InMaintenance + - **Error**: MENROLL_E_INMAINTENANCE + - **Description**: The Mobile Device Management (MDM) server states your account is in maintenance, try again later. + - **HRESULT**: 80180017 + +- **Subcode**: UserLicense + - **Error**: MENROLL_E_USER_LICENSE + - **Description**: There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator. + - **HRESULT**: 80180018 + +- **Subcode**: InvalidEnrollmentData + - **Error**: MENROLL_E_ENROLLMENTDATAINVALID + - **Description**: The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly. + - **HRESULT**: 80180019 TraceID is a freeform text node which is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment. 
@@ -291,4 +230,4 @@ TraceID is a freeform text node which is logged. It should identify the server s - [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) - [Federated authentication device enrollment](federated-authentication-device-enrollment.md) - [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) -- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) \ No newline at end of file +- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md index 89d18c8eff..598e95c756 100644 --- a/windows/client-management/mdm/nap-csp.md +++ b/windows/client-management/mdm/nap-csp.md @@ -14,17 +14,16 @@ ms.date: 06/26/2017 # NAP CSP - The NAP (Network Access Point) Configuration Service Provider is used to manage and query GPRS and CDMA connections. -> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. - -  +> [!Note] +> This configuration service provider requires the `ID_CAP_CSP_FOUNDATION` and `ID_CAP_NETWORKING_ADMIN` capabilities to be accessed from a network configuration application. For the NAP CSP, you cannot use the Replace command unless the node already exists. The following shows the NAP configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider. -``` + +```console ./Vendor/MSFT NAP ----* @@ -61,6 +60,7 @@ NAP ----------------Secure ----------------SecureLevel ``` + **./Vendor/MSFT/NAP** Root node. 
@@ -87,34 +87,11 @@ Required. Specifies the type of address used to identify the destination network The following table shows some commonly used ADDRTYPE values and the types of connection that corresponds with each value. - ---- - - - - - - - - - - - - - - - - - - - - -
                  ADDRTYPE ValueConnection Type

                  E164

                  RAS connections

                  APN

                  GPRS connections

                  ALPHA

                  Wi-Fi-based connections

                  - -  +|ADDRTYPE Value|Connection Type| +|--- |--- | +|E164|RAS connections| +|APN|GPRS connections| +|ALPHA|Wi-Fi-based connections| ***NAPX*/AuthInfo** Optional node. Specifies the authentication information, including the protocol, user name, and password. @@ -136,17 +113,7 @@ Node. ***NAPX*/Bearer/BearerType** Required. Specifies the network type of the destination network. This can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, WiFi. -## Related topics - +## Related articles [Configuration service provider reference](configuration-service-provider-reference.md) -   - -  - - - - - - diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md index 0b715c1a53..c145824e5c 100644 --- a/windows/client-management/mdm/napdef-csp.md +++ b/windows/client-management/mdm/napdef-csp.md 
@@ -14,24 +14,48 @@ ms.date: 06/26/2017 # NAPDEF CSP - The NAPDEF configuration service provider is used to add, modify, or delete WAP network access points (NAPs). For complete information about these settings, see the standard WAP specification WAP-183-ProvCont-20010724-a. -> **Note**  You cannot use NAPDEF CSP on the desktop to update the Push Proxy Gateway (PPG) list. +> [!Note] +> You cannot use NAPDEF CSP on the desktop to update the Push Proxy Gateway (PPG) list. > -> -> -> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. +> This configuration service provider requires the `ID_CAP_CSP_FOUNDATION` and `ID_CAP_NETWORKING_ADMIN` capabilities to be accessed from a network configuration application. - +The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. -The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. +```console +NAPDEF +----NAPAUTHINFO +------AUTHNAME +------AUTHSECRET +------AUTHTYPE +----BEARER +----INTERNET +----LOCAL-ADDR +----LOCAL-ADDRTYPE +----NAME +----NAP-ADDRESS +----NAP-ADDRTYPE +----NAPID +``` -![napdef csp (cp) (initial bootstrapping).](images/provisioning-csp-napdef-cp.png) +The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. 
-The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. - -![napdef csp (cp) (update bootstrapping).](images/provisioning-csp-napdef-cp-2.png) +```console +NAPDEF +--NAPID +----NAPAUTHINFO +------AUTHNAME +------AUTHSECRET +------AUTHTYPE +----BEARER +----INTERNET +----LOCAL-ADDR +----LOCAL-ADDRTYPE +----NAME +----NAP-ADDRESS +----NAP-ADDRTYPE +``` **NAPAUTHINFO** Defines a group of authentication settings. @@ -49,9 +73,8 @@ Specifies the protocol used to authenticate the user. The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols. Note -> **Note**  **AuthName** and **AuthSecret** are not created if **AuthType** is not included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** is not included in the provisioning XML used to make the change. - - +> [!Note] +> **AuthName** and **AuthSecret** are not created if **AuthType** is not included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** is not included in the provisioning XML used to make the change. **BEARER** Specifies the type of bearer. @@ -96,54 +119,15 @@ The name of the *NAPID* element is the same as the value passed during initial b ## Microsoft Custom Elements - The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
                  ELementsAvailable

                  parm-query

                  Yes

                  -

                  Note that some GPRS parameters will not necessarily contain the exact same value as was set.

                  noparm

                  Yes

                  nocharacteristic

                  Yes

                  characteristic-query

                  Yes

                  - - - -## Related topics +|Elements|Available| +|--- |--- | +|Parm-query|Yes
                  Note that some GPRS parameters will not necessarily contain the exact same value as was set.| +|Noparm|Yes| +|Nocharacteristic|Yes| +|Characteristic-query|Yes| +## Related articles [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index 19462512ee..fe432fef92 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md @@ -29,7 +29,7 @@ The following actions are supported: > - Azure AD Hybrid joined devices. > - Devices that use both GPO and CSP at the same time. > -> The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub prior to Window 10, version 2004. +> The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub prior to Windows 10, version 2004. The following shows the NetworkQoSPolicy configuration service provider in tree format. ``` diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 272489e4a8..c21357f4a9 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md 
@@ -1,6 +1,6 @@
 ---
 title: What's new in MDM enrollment and management
-description: Discover what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
+description: Discover what's new and breaking changes in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
 MS-HAID:
 - 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview'
 - 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management'
@@ -18,215 +18,24 @@ ms.date: 10/20/2020 # What's new in mobile device enrollment and management -This article provides information about what's new in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. This article also provides details about the breaking changes and known issues and frequently asked questions. +This article provides information about what's new in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 and Windows 11 devices. This article also provides details about the breaking changes and known issues and frequently asked questions. -For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +For details about Microsoft mobile device management protocols for Windows 10 and Windows 11 see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). -## What’s new in MDM for Windows 10, version 20H2 + +## What’s new in MDM for Windows 11, version 21H2 |New or updated article|Description| |-----|-----| -| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 20H2:
                  - [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)
                  - [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)
                  - [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
                  - [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
                  - [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
                  - [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)
                  - [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
                  - [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) | -| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
                  -Properties/SleepMode | -| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:
                  - Settings/AllowWindowsDefenderApplicationGuard | +| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 11, version 21H2:
                  - NewsAndInterests/AllowNewsAndInterests
                  - Experiences/ConfigureChatIcon
                  - Start/ConfigureStartPins
                  - Virtualizationbasedtechnology/HypervisorEnforcedCodeIntegrity
                  - Virtualizationbasedtechnology/RequireUEFIMemoryAttributesTable | +| [DMClient CSP](dmclient-csp.md) | Updated the description of the following node:
                  - Provider/ProviderID/ConfigLock/Lock
                  - Provider/ProviderID/ConfigLock/UnlockDuration
                  - Provider/ProviderID/ConfigLock/SecuredCore | -## What’s new in MDM for Windows 10, version 2004 - -| New or updated article | Description | -|-----|-----| -| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 2004:
                  - [ApplicationManagement/BlockNonAdminUserInstall](policy-csp-applicationmanagement.md#applicationmanagement-blocknonadminuserinstall)
                  - [Bluetooth/SetMinimumEncryptionKeySize](policy-csp-bluetooth.md#bluetooth-setminimumencryptionkeysize)
                  - [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource)
                  - [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth)
                  - [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth)
                  - [Education/AllowGraphingCalculator](policy-csp-education.md#education-allowgraphingcalculator)
                  - [TextInput/ConfigureJapaneseIMEVersion](policy-csp-textinput.md#textinput-configurejapaneseimeversion)
                  - [TextInput/ConfigureSimplifiedChineseIMEVersion](policy-csp-textinput.md#textinput-configuresimplifiedchineseimeversion)
                  - [TextInput/ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md#textinput-configuretraditionalchineseimeversion)

                  Updated the following policy in Windows 10, version 2004:
                  - [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)

                  Deprecated the following policies in Windows 10, version 2004:
                  - [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
                  - [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
                  - [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) | -| [DevDetail CSP](devdetail-csp.md) | Added the following new node:
                  - Ext/Microsoft/DNSComputerName | -| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following new node:
                  - IsStub | -| [SUPL CSP](supl-csp.md) | Added the following new node:
                  - FullVersion | - -## What’s new in MDM for Windows 10, version 1909 - -| New or updated article | Description | -|-----|-----| -| [BitLocker CSP](bitlocker-csp.md) | Added the following new nodes in Windows 10, version 1909:
                  - ConfigureRecoveryPasswordRotation
                  - RotateRecoveryPasswords
                  - RotateRecoveryPasswordsStatus
                  - RotateRecoveryPasswordsRequestID| - -## What’s new in MDM for Windows 10, version 1903 - -| New or updated article | Description | -|-----|-----| -|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 1903:
                  - [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
                  - [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
                  - [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
                  - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
                  - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
                  - [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceinstanceids)
                  - [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceinstanceids)
                  - [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
                  - [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
                  - [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
                  - [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
                  - [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
                  - [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
                  - [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
                  - [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
                  - [Power/EnergySaverBatteryThresholdOnBattery](policy-csp-power.md#power-energysaverbatterythresholdonbattery)
                  - [Power/EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
                  - [Power/SelectLidCloseActionOnBattery](policy-csp-power.md#power-selectlidcloseactiononbattery)
                  - [Power/SelectLidCloseActionPluggedIn](policy-csp-power.md#power-selectlidcloseactionpluggedin)
                  - [Power/SelectPowerButtonActionOnBattery](policy-csp-power.md#power-selectpowerbuttonactiononbattery)
                  - [Power/SelectPowerButtonActionPluggedIn](policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
                  - [Power/SelectSleepButtonActionOnBattery](policy-csp-power.md#power-selectsleepbuttonactiononbattery)
                  - [Power/SelectSleepButtonActionPluggedIn](policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
                  - [Power/TurnOffHybridSleepOnBattery](policy-csp-power.md#power-turnoffhybridsleeponbattery)
                  - [Power/TurnOffHybridSleepPluggedIn](policy-csp-power.md#power-turnoffhybridsleeppluggedin)
                  - [Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
                  - [Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
                  - [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
                  - [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
                  - [Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)
                  - [ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
                  - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
                  - [System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)
                  - [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone)
                  - [Troubleshooting/AllowRecommendations](policy-csp-troubleshooting.md#troubleshooting-allowrecommendations)
                  - [Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)
                  - [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
                  - [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
                  - [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
                  - [WindowsLogon/AllowAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
                  - [WindowsLogon/ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
                  - [WindowsLogon/EnableFirstLogonAnimation](policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)|
-| [Policy CSP - Audit](policy-csp-audit.md) | Added the new Audit policy CSP. |
-| [ApplicationControl CSP](applicationcontrol-csp.md) | Added the new CSP. |
-| [Defender CSP](defender-csp.md) | Added the following new nodes:
                  - Health/TamperProtectionEnabled
                  - Health/IsVirtualMachine
                  - Configuration
                  - Configuration/TamperProtection
                  - Configuration/EnableFileHashComputation |
-| [DiagnosticLog CSP](diagnosticlog-csp.md)
                  [DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903.
                  Added the new 1.4 version of the DDF.
                  Added the following new nodes:
                  - Policy
                  - Policy/Channels
                  - Policy/Channels/ChannelName
                  - Policy/Channels/ChannelName/MaximumFileSize
                  - Policy/Channels/ChannelName/SDDL
                  - Policy/Channels/ChannelName/ActionWhenFull
                  - Policy/Channels/ChannelName/Enabled
                  - DiagnosticArchive
                  - DiagnosticArchive/ArchiveDefinition
                  - DiagnosticArchive/ArchiveResults |
-| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | Added the new CSP. |
-| [PassportForWork CSP](passportforwork-csp.md) | Added the following new nodes:
                  - SecurityKey
                  - SecurityKey/UseSecurityKeyForSignin |
-
-
-## What’s new in MDM for Windows 10, version 1809
-
-| New or updated article | Description |
-|-----|-----|
-|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policy settings in Windows 10, version 1809:
                  - ApplicationManagement/LaunchAppAfterLogOn
                  - ApplicationManagement/ScheduleForceRestartForUpdateFailures
                  - Authentication/EnableFastFirstSignIn (Preview mode only)
                  - Authentication/EnableWebSignIn (Preview mode only)
                  - Authentication/PreferredAadTenantDomainName
                  - Browser/AllowFullScreenMode
                  - Browser/AllowPrelaunch
                  - Browser/AllowPrinting
                  - Browser/AllowSavingHistory
                  - Browser/AllowSideloadingOfExtensions
                  - Browser/AllowTabPreloading
                  - Browser/AllowWebContentOnNewTabPage
                  - Browser/ConfigureFavoritesBar
                  - Browser/ConfigureHomeButton
                  - Browser/ConfigureKioskMode
                  - Browser/ConfigureKioskResetAfterIdleTimeout
                  - Browser/ConfigureOpenMicrosoftEdgeWith
                  - Browser/ConfigureTelemetryForMicrosoft365Analytics
                  - Browser/PreventCertErrorOverrides
                  - Browser/SetHomeButtonURL
                  - Browser/SetNewTabPageURL
                  - Browser/UnlockHomeButton
                  - Defender/CheckForSignaturesBeforeRunningScan
                  - Defender/DisableCatchupFullScan
                  - Defender/DisableCatchupQuickScan
                  - Defender/EnableLowCPUPriority
                  - Defender/SignatureUpdateFallbackOrder
                  - Defender/SignatureUpdateFileSharesSources
                  - DeviceGuard/ConfigureSystemGuardLaunch
                  - DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
                  - DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
                  - DeviceInstallation/PreventDeviceMetadataFromNetwork
                  - DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
                  - DmaGuard/DeviceEnumerationPolicy
                  - Experience/AllowClipboardHistory
                  - Experience/DoNotSyncBrowserSettings
                  - Experience/PreventUsersFromTurningOnBrowserSyncing
                  - Kerberos/UPNNameHints
                  - Privacy/AllowCrossDeviceClipboard
                  - Privacy/DisablePrivacyExperience
                  - Privacy/UploadUserActivities
                  - Security/RecoveryEnvironmentAuthentication
                  - System/AllowDeviceNameInDiagnosticData
                  - System/ConfigureMicrosoft365UploadEndpoint
                  - System/DisableDeviceDelete
                  - System/DisableDiagnosticDataViewer
                  - Storage/RemovableDiskDenyWriteAccess
                  - TaskManager/AllowEndTask
                  - Update/DisableWUfBSafeguards
                  - Update/EngagedRestartDeadlineForFeatureUpdates
                  - Update/EngagedRestartSnoozeScheduleForFeatureUpdates
                  - Update/EngagedRestartTransitionScheduleForFeatureUpdates
                  - Update/SetDisablePauseUXAccess
                  - Update/SetDisableUXWUAccess
                  - WindowsDefenderSecurityCenter/DisableClearTpmButton
                  - WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
                  - WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
                  - WindowsLogon/DontDisplayNetworkSelectionUI |
-| [BitLocker CSP](bitlocker-csp.md) | Added a new node AllowStandardUserEncryption in Windows 10, version 1809. Added support for Windows 10 Pro. |
-| [Defender CSP](defender-csp.md) | Added a new node Health/ProductStatus in Windows 10, version 1809. |
-| [DevDetail CSP](devdetail-csp.md) | Added a new node SMBIOSSerialNumber in Windows 10, version 1809. |
-| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added NonRemovable setting under AppManagement node in Windows 10, version 1809. |
-| [Office CSP](office-csp.md) | Added FinalStatus setting in Windows 10, version 1809. |
-| [PassportForWork CSP](passportforwork-csp.md) | Added new settings in Windows 10, version 1809. |
-| [RemoteWipe CSP](remotewipe-csp.md) | Added new settings in Windows 10, version 1809. |
-| [SUPL CSP](supl-csp.md) | Added 3 new certificate nodes in Windows 10, version 1809. |
-| [TenantLockdown CSP](tenantlockdown-csp.md) | Added new CSP in Windows 10, version 1809. |
-| [Wifi CSP](wifi-csp.md) | Added a new node WifiCost in Windows 10, version 1809. |
-| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Added new settings in Windows 10, version 1809. |
-| [WindowsLicensing CSP](windowslicensing-csp.md) | Added S mode settings and SyncML examples in Windows 10, version 1809. |
-| [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) | Added new configuration service provider in Windows 10, version 1809. |
-
-
-## What’s new in MDM for Windows 10, version 1803
-
-| New or updated article | Description |
-|-----|-----|
-|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policies for Windows 10, version 1803:
                  - ApplicationDefaults/EnableAppUriHandlers
                  - ApplicationManagement/MSIAllowUserControlOverInstall
                  - ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
                  - Bluetooth/AllowPromptedProximalConnections
                  - Browser/AllowConfigurationUpdateForBooksLibrary
                  - Browser/AlwaysEnableBooksLibrary
                  - Browser/EnableExtendedBooksTelemetry
                  - Browser/UseSharedFolderForBooks
                  - Connectivity/AllowPhonePCLinking
                  - DeliveryOptimization/DODelayBackgroundDownloadFromHttp
                  - DeliveryOptimization/DODelayForegroundDownloadFromHttp
                  - DeliveryOptimization/DOGroupIdSource
                  - DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth
                  - DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth
                  - DeliveryOptimization/DORestrictPeerSelectionBy
                  - DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth
                  - DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth
                  - Display/DisablePerProcessDpiForApps
                  - Display/EnablePerProcessDpi
                  - Display/EnablePerProcessDpiForApps
                  - Experience/AllowWindowsSpotlightOnSettings
                  - KioskBrowser/BlockedUrlExceptions
                  - KioskBrowser/BlockedUrls
                  - KioskBrowser/DefaultURL
                  - KioskBrowser/EnableEndSessionButton
                  - KioskBrowser/EnableHomeButton
                  - KioskBrowser/EnableNavigationButtons
                  - KioskBrowser/RestartOnIdleTime
                  - LanmanWorkstation/EnableInsecureGuestLogons
                  - LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
                  - LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
                  - LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
                  - LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
                  - LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
                  - LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
                  - LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
                  - LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
                  - LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
                  - LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
                  - LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
                  - LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
                  - LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
                  - LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
                  - LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
                  - LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
                  - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
                  - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
                  - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic
                  - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers
                  - LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
                  - LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
                  - LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
                  - Notifications/DisallowCloudNotification
                  - RestrictedGroups/ConfigureGroupMembership
                  - Search/AllowCortanaInAAD
                  - Search/DoNotUseWebResults
                  - Security/ConfigureWindowsPasswords
                  - Start/DisableContextMenus
                  - System/FeedbackHubAlwaysSaveDiagnosticsLocally
                  - SystemServices/ConfigureHomeGroupListenerServiceStartupMode
                  - SystemServices/ConfigureHomeGroupProviderServiceStartupMode
                  - SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode
                  - SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode
                  - SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode
                  - SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
                  - TaskScheduler/EnableXboxGameSaveTask
                  - TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode
                  - TextInput/ForceTouchKeyboardDockedState
                  - TextInput/TouchKeyboardDictationButtonAvailability
                  - TextInput/TouchKeyboardEmojiButtonAvailability
                  - TextInput/TouchKeyboardFullModeAvailability
                  - TextInput/TouchKeyboardHandwritingModeAvailability
                  - TextInput/TouchKeyboardNarrowModeAvailability
                  - TextInput/TouchKeyboardSplitModeAvailability
                  - TextInput/TouchKeyboardWideModeAvailability
                  - Update/ConfigureFeatureUpdateUninstallPeriod
                  - Update/TargetReleaseVersion
                  - UserRights/AccessCredentialManagerAsTrustedCaller
                  - UserRights/AccessFromNetwork
                  - UserRights/ActAsPartOfTheOperatingSystem
                  - UserRights/AllowLocalLogOn
                  - UserRights/BackupFilesAndDirectories
                  - UserRights/ChangeSystemTime
                  - UserRights/CreateGlobalObjects
                  - UserRights/CreatePageFile
                  - UserRights/CreatePermanentSharedObjects
                  - UserRights/CreateSymbolicLinks
                  - UserRights/CreateToken
                  - UserRights/DebugPrograms
                  - UserRights/DenyAccessFromNetwork
                  - UserRights/DenyLocalLogOn
                  - UserRights/DenyRemoteDesktopServicesLogOn
                  - UserRights/EnableDelegation
                  - UserRights/GenerateSecurityAudits
                  - UserRights/ImpersonateClient
                  - UserRights/IncreaseSchedulingPriority
                  - UserRights/LoadUnloadDeviceDrivers
                  - UserRights/LockMemory
                  - UserRights/ManageAuditingAndSecurityLog
                  - UserRights/ManageVolume
                  - UserRights/ModifyFirmwareEnvironment
                  - UserRights/ModifyObjectLabel
                  - UserRights/ProfileSingleProcess
                  - UserRights/RemoteShutdown
                  - UserRights/RestoreFilesAndDirectories
                  - UserRights/TakeOwnership
                  - WindowsDefenderSecurityCenter/DisableAccountProtectionUI
                  - WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
                  - WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
                  - WindowsDefenderSecurityCenter/HideSecureBoot
                  - WindowsDefenderSecurityCenter/HideTPMTroubleshooting
                  - Security/RequireDeviceEncryption - updated to show it is supported in desktop. |
-| [Accounts CSP](accounts-csp.md) | Added a new CSP in Windows 10, version 1803. |
-| [AccountManagement CSP](accountmanagement-csp.md) | Added a new CSP in Windows 10, version 1803. |
-| [AssignedAccess CSP](assignedaccess-csp.md) | Added the following nodes in Windows 10, version 1803:
                  - Status
                  - ShellLauncher
                  - StatusConfiguration

                  Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite. |
-| [BitLocker CSP](bitlocker-csp.md) | Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803. |
-| [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download) | Added the DDF download of Windows 10, version 1803 configuration service providers. |
-| [Defender CSP](defender-csp.md) | Added new node (OfflineScan) in Windows 10, version 1803. |
-| [DeviceStatus CSP](devicestatus-csp.md) | Added the following node in Windows 10, version 1803:
                  - OS/Mode |
-| [DMClient CSP](dmclient-csp.md) | Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:
                  - AADSendDeviceToken
                  - BlockInStatusPage
                  - AllowCollectLogsButton
                  - CustomErrorText
                  - SkipDeviceStatusPage
                  - SkipUserStatusPage |
-| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following node in Windows 10, version 1803:
                  - MaintainProcessorArchitectureOnUpdate |
-| [eUICCs CSP](euiccs-csp.md) | Added the following node in Windows 10, version 1803:
                  - IsEnabled |
-| [MDM Migration Analysis Too (MMAT)](https://aka.ms/mmat) | MDM Migration Analysis Too (MMAT)
                  Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies. |
-| [MultiSIM CSP](multisim-csp.md) | Added a new CSP in Windows 10, version 1803. |
-| [NetworkProxy CSP](networkproxy-csp.md) | Added the following node in Windows 10, version 1803:
                  - ProxySettingsPerUser |
-| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | Added the following node in Windows 10, version 1803:
                  - UntrustedCertificates |
-| [UEFI CSP](uefi-csp.md) | Added a new CSP in Windows 10, version 1803. |
-| [Update CSP](update-csp.md) | Added the following nodes in Windows 10, version 1803:
                  - Rollback
                  - Rollback/FeatureUpdate
                  - Rollback/QualityUpdateStatus
                  - Rollback/FeatureUpdateStatus |
-
-## What’s new in MDM for Windows 10, version 1709
-
-| New or updated article | Description |
-|-----|-----|
-| The [The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692) | The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:
                  - UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
                  -ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
                  - DomainName - fully qualified domain name if the device is domain-joined. |
-| [Firewall CSP](firewall-csp.md) | Added new CSP in Windows 10, version 1709. |
-| [eUICCs CSP](euiccs-csp.md) | Added new CSP in Windows 10, version 1709. |
-| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)
                  [WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md) | New CSP added in Windows 10, version 1709. Also added the DDF topic. |
-| [CM_ProxyEntries CSP](cm-proxyentries-csp.md) and [CMPolicy CSP](cmpolicy-csp.md) | In Windows 10, version 1709, support for desktop SKUs were added to these CSPs. |
-| [VPNv2 CSP](vpnv2-csp.md) | Added DeviceTunnel and RegisterDNS settings in Windows 10, version 1709. |
-| [DeviceStatus CSP](devicestatus-csp.md) | Added the following settings in Windows 10, version 1709:
                  - DeviceStatus/DomainName
                  - DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq
                  - DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus
                  - DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus |
-| [AssignedAccess CSP](assignedaccess-csp.md) | Added the following setting in Windows 10, version 1709:
                  - Configuration
                  Starting in Windows 10, version 1709, AssignedAccess CSP is supported in Windows 10 Pro. |
-| [DeviceManageability CSP](devicemanageability-csp.md) | Added the following settings in Windows 10, version 1709:
                  - Provider/_ProviderID_/ConfigInfo
                  - Provider/_ProviderID_/EnrollmentInfo |
-| [Office CSP](office-csp.md) | Added the following setting in Windows 10, version 1709:
                  - Installation/CurrentStatus |
-| [DMClient CSP](dmclient-csp.md) | Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF articles. |
-| [Bitlocker CSP](bitlocker-csp.md) | Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709. |
-| [ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) | Added new policies. |
-| Microsoft Store for Business and Microsoft Store | Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store. |
-| [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) | New features in the Settings app:
                  - User sees installation progress of critical policies during MDM enrollment.
                  - User knows what policies, profiles, apps MDM has configured
                  - IT helpdesk can get detailed MDM diagnostic information using client tools
                  For details, see [Managing connection](./mdm-enrollment-of-windows-devices.md#manage-connections) and [Collecting diagnostic logs](./mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs).|
-| [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md) | Added new topic to introduce a new Group Policy for automatic MDM enrollment. |
-| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies for Windows 10, version 1709:
                  - Authentication/AllowAadPasswordReset
                  - Authentication/AllowFidoDeviceSignon
                  - Browser/LockdownFavorites
                  - Browser/ProvisionFavorites
                  - Cellular/LetAppsAccessCellularData
                  - Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
                  - Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
                  - Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
                  - CredentialProviders/DisableAutomaticReDeploymentCredentials
                  - DeviceGuard/EnableVirtualizationBasedSecurity
                  - DeviceGuard/RequirePlatformSecurityFeatures
                  - DeviceGuard/LsaCfgFlags
                  - DeviceLock/MinimumPasswordAge
                  - ExploitGuard/ExploitProtectionSettings
                  - Games/AllowAdvancedGamingServices
                  - Handwriting/PanelDefaultModeDocked
                  - LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
                  - LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
                  - LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
                  - LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
                  - LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
                  - LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
                  - LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
                  - LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
                  - LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
                  - LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
                  - LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
                  - LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM
                  - LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
                  - LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
                  - LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
                  - LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
                  - LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
                  - LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
                  - LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
                  - LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
                  - LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
                  - LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
                  - Power/DisplayOffTimeoutOnBattery
                  - Power/DisplayOffTimeoutPluggedIn
                  - Power/HibernateTimeoutOnBattery
                  - Power/HibernateTimeoutPluggedIn
                  - Power/StandbyTimeoutOnBattery
                  - Power/StandbyTimeoutPluggedIn
                  - Privacy/EnableActivityFeed
                  - Privacy/PublishUserActivities
                  - Defender/AttackSurfaceReductionOnlyExclusions
                  - Defender/AttackSurfaceReductionRules
                  - Defender/CloudBlockLevel
                  - Defender/CloudExtendedTimeout
                  - Defender/ControlledFolderAccessAllowedApplications
                  - Defender/ControlledFolderAccessProtectedFolders
                  - Defender/EnableControlledFolderAccess
                  - Defender/EnableNetworkProtection
                  - Education/DefaultPrinterName
                  - Education/PreventAddingNewPrinters
                  - Education/PrinterNames
                  - Search/AllowCloudSearch
                  - Security/ClearTPMIfNotReady
                  - Settings/AllowOnlineTips
                  - Start/HidePeopleBar
                  - Storage/AllowDiskHealthModelUpdates
                  - System/DisableEnterpriseAuthProxy
                  - System/LimitEnhancedDiagnosticDataWindowsAnalytics
                  - Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
                  - Update/DisableDualScan
                  - Update/ManagePreviewBuilds
                  - Update/ScheduledInstallEveryWeek
                  - Update/ScheduledInstallFirstWeek
                  - Update/ScheduledInstallFourthWeek
                  - Update/ScheduledInstallSecondWeek
                  - Update/ScheduledInstallThirdWeek
                  - WindowsDefenderSecurityCenter/CompanyName
                  - WindowsDefenderSecurityCenter/DisableAppBrowserUI
                  - WindowsDefenderSecurityCenter/DisableEnhancedNotifications
                  - WindowsDefenderSecurityCenter/DisableFamilyUI
                  - WindowsDefenderSecurityCenter/DisableHealthUI
                  - WindowsDefenderSecurityCenter/DisableNetworkUI
                  - WindowsDefenderSecurityCenter/DisableNotifications
                  - WindowsDefenderSecurityCenter/DisableVirusUI
                  - WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride
                  - WindowsDefenderSecurityCenter/Email
                  - WindowsDefenderSecurityCenter/EnableCustomizedToasts
                  - WindowsDefenderSecurityCenter/EnableInAppCustomization
                  - WindowsDefenderSecurityCenter/Phone
                  - WindowsDefenderSecurityCenter/URL
                  - WirelessDisplay/AllowMdnsAdvertisement
                  - WirelessDisplay/AllowMdnsDiscovery |
-
-
-## What’s new in MDM for Windows 10, version 1703
-
-| New or updated article | Description |
-|-----|-----|
-| [Update CSP](update-csp.md) | Added the following nodes:
                  - FailedUpdates/_Failed Update Guid_/RevisionNumber
                  - InstalledUpdates/_Installed Update Guid_/RevisionNumber
                  - PendingRebootUpdates/_Pending Reboot Update Guid_/RevisionNumber |
-| [CM_CellularEntries CSP](cm-cellularentries-csp.md) | To PurposeGroups setting, added the following values:
                  - Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB
                  - Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364 |
-| [CertificateStore CSP](certificatestore-csp.md) | Added the following setting:
                  - My/WSTEP/Renew/RetryAfterExpiryInterval |
-| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | Added the following setting:
                  - SCEP/UniqueID/Install/AADKeyIdentifierList |
-| [DMAcc CSP](dmacc-csp.md) | Added the following setting:
                  - AccountUID/EXT/Microsoft/InitiateSession |
-| [DMClient CSP](dmclient-csp.md) | Added the following nodes and settings:
                  - HWDevID
                  - Provider/ProviderID/ManagementServerToUpgradeTo
                  - Provider/ProviderID/CustomEnrollmentCompletePage
                  - Provider/ProviderID/CustomEnrollmentCompletePage/Title
                  - Provider/ProviderID/CustomEnrollmentCompletePage/BodyText
                  - Provider/ProviderID/CustomEnrollmentCompletePage/HyperlinkHref
                  - Provider/ProviderID/CustomEnrollmentCompletePage/HyperlinkText |
-| [CellularSettings CSP](cellularsettings-csp.md)
                  [CM_CellularEntries CSP](cm-cellularentries-csp.md)
                  [EnterpriseAPN CSP](enterpriseapn-csp.md) | For these CSPs, support was added for Windows 10 Home, Pro, Enterprise, and Education editions. |
-| [SecureAssessment CSP](secureassessment-csp.md) | Added the following settings:
                  - AllowTextSuggestions
                  - RequirePrinting |
-| [EnterpriseAPN CSP](enterpriseapn-csp.md) | Added the following setting:
                  - Roaming |
-| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies:
                  - Accounts/AllowMicrosoftAccountSignInAssistant
                  - ApplicationDefaults/DefaultAssociationsConfiguration
                  - Browser/AllowAddressBarDropdown
                  - Browser/AllowFlashClickToRun
                  - Browser/AllowMicrosoftCompatibilityList
                  - Browser/AllowSearchEngineCustomization
                  - Browser/ClearBrowsingDataOnExit
                  - Browser/ConfigureAdditionalSearchEngines
                  - Browser/DisableLockdownOfStartPages
                  - Browser/PreventFirstRunPage
                  - Browser/PreventLiveTileDataCollection
                  - Browser/SetDefaultSearchEngine
                  - Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
                  - Connectivity/AllowConnectedDevices
                  - DeliveryOptimization/DOAllowVPNPeerCaching
                  - DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload
                  - DeliveryOptimization/DOMinDiskSizeAllowedToPeer
                  - DeliveryOptimization/DOMinFileSizeToCache
                  - DeliveryOptimization/DOMinRAMAllowedToPeer
                  - DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay
                  - Display/TurnOffGdiDPIScalingForApps
                  - Display/TurnOnGdiDPIScalingForApps
                  - EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint
                  - EnterpriseCloudPrint/CloudPrintOAuthAuthority
                  - EnterpriseCloudPrint/CloudPrintOAuthClientId
                  - EnterpriseCloudPrint/CloudPrintResourceId
                  - EnterpriseCloudPrint/DiscoveryMaxPrinterLimit
                  - EnterpriseCloudPrint/MopriaDiscoveryResourceId
                  - Experience/AllowFindMyDevice
                  - Experience/AllowTailoredExperiencesWithDiagnosticData
                  - Experience/AllowWindowsSpotlightOnActionCenter
                  - Experience/AllowWindowsSpotlightWindowsWelcomeExperience
                  - Location/EnableLocation
                  - Messaging/AllowMMS
                  - Messaging/AllowRCS
                  - Privacy/LetAppsAccessTasks
                  - Privacy/LetAppsAccessTasks_ForceAllowTheseApps
                  - Privacy/LetAppsAccessTasks_ForceDenyTheseApps
                  - Privacy/LetAppsAccessTasks_UserInControlOfTheseApps
                  - Privacy/LetAppsGetDiagnosticInfo
                  - Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps
                  - Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps
                  - Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps
                  - Privacy/LetAppsRunInBackground
                  - Privacy/LetAppsRunInBackground_ForceAllowTheseApps
                  - Privacy/LetAppsRunInBackground_ForceDenyTheseApps
                  - Privacy/LetAppsRunInBackground_UserInControlOfTheseApps
                  - Settings/ConfigureTaskbarCalendar
                  - Settings/PageVisibilityList
                  - SmartScreen/EnableAppInstallControl
                  - SmartScreen/EnableSmartScreenInShell
                  - SmartScreen/PreventOverrideForFilesInShell
                  - Start/AllowPinnedFolderDocuments
                  - Start/AllowPinnedFolderDownloads
                  - Start/AllowPinnedFolderFileExplorer
                  - Start/AllowPinnedFolderHomeGroup
                  - Start/AllowPinnedFolderMusic
                  - Start/AllowPinnedFolderNetwork
                  - Start/AllowPinnedFolderPersonalFolder
                  - Start/AllowPinnedFolderPictures
                  - Start/AllowPinnedFolderSettings
                  - Start/AllowPinnedFolderVideos
                  - Start/HideAppList
                  - Start/HideChangeAccountSettings
                  - Start/HideFrequentlyUsedApps
                  - Start/HideHibernate
                  - Start/HideLock
                  - Start/HidePowerButton
                  - Start/HideRecentJumplists
                  - Start/HideRecentlyAddedApps
                  - Start/HideRestart
                  - Start/HideShutDown
                  - Start/HideSignOut
                  - Start/HideSleep
                  - Start/HideSwitchAccount
                  - Start/HideUserTile
                  - Start/ImportEdgeAssets
                  - Start/NoPinningToTaskbar
                  - System/AllowFontProviders
                  - System/DisableOneDriveFileSync
                  - TextInput/AllowKeyboardTextSuggestions
                  - TimeLanguageSettings/AllowSet24HourClock
                  - Update/ActiveHoursMaxRange
                  - Update/AutoRestartDeadlinePeriodInDays
                  - Update/AutoRestartNotificationSchedule
                  - Update/AutoRestartRequiredNotificationDismissal
                  - Update/DetectionFrequency
                  - Update/EngagedRestartDeadline
                  - Update/EngagedRestartSnoozeSchedule
                  - Update/EngagedRestartTransitionSchedule
                  - Update/IgnoreMOAppDownloadLimit
                  - Update/IgnoreMOUpdateDownloadLimit
                  - Update/PauseFeatureUpdatesStartTime
                  - Update/PauseQualityUpdatesStartTime
                  - Update/SetAutoRestartNotificationDisable
                  - Update/SetEDURestart
                  - WiFi/AllowWiFiDirect
                  - WindowsLogon/HideFastUserSwitching
                  - WirelessDisplay/AllowProjectionFromPC
                  - WirelessDisplay/AllowProjectionFromPCOverInfrastructure
                  - WirelessDisplay/AllowProjectionToPCOverInfrastructure
                  - WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver
                  Removed TextInput/AllowLinguisticDataCollection
                  Starting in Windows 10, version 1703, Update/UpdateServiceUrl is not supported in IoT Enterprise
                  Starting in Windows 10, version 1703, the maximum value of Update/DeferFeatureUpdatesPeriodInDays has been increased from 180 days, to 365 days.
                  Starting in Windows 10, version 1703, in Browser/HomePages you can use the "<about:blank>" value if you don’t want to send traffic to Microsoft.
                  Starting in Windows 10, version 1703, Start/StartLayout can now be set on a per-device basis in addition to the pre-existing per-user basis.
                  Added the ConfigOperations/ADMXInstall node and setting, which is used to ingest ADMX files. | -| [DevDetail CSP](devdetail-csp.md) | Added the following setting:
                  - DeviceHardwareData | -| [CleanPC CSP](cleanpc-csp.md) | Added the new CSP. | -| [DeveloperSetup CSP](developersetup-csp.md) | Added the new CSP. | -| [NetworkProxy CSP](networkproxy-csp.md) | Added the new CSP. | -| [BitLocker CSP](bitlocker-csp.md) | Added the new CSP.

                  Added the following setting:
                  - AllowWarningForOtherDiskEncryption | -| [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) | Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.
                  Added the following settings:
                  - RevokeOnMDMHandoff
                  - SMBAutoEncryptedFileExtensions | -| [DynamicManagement CSP](dynamicmanagement-csp.md) | Added the new CSP. | -| [Implement server-side support for mobile application management on Windows](./implement-server-side-mobile-application-management.md) | New mobile application management (MAM) support added in Windows 10, version 1703. | -| [PassportForWork CSP](passportforwork-csp.md) | Added the following new node and settings:
                  - _TenantId_/Policies/ExcludeSecurityDevices (only for ./Device/Vendor/MSFT)
                  - _TenantId_/Policies/ExcludeSecurityDevices/TPM12 (only for ./Device/Vendor/MSFT)
                  - _TenantId_/Policies/EnablePinRecovery | -| [Office CSP](office-csp.md) | Added the new CSP. | -| [Personalization CSP](personalization-csp.md) | Added the new CSP. | -| [EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md) | Added the new CSP. | -| [HealthAttestation CSP](healthattestation-csp.md) | Added the following settings:
                  - HASEndpoint - added in Windows 10, version 1607, but not documented
                  - TpmReadyStatus - added in the March service release of Windows 10, version 1607 | -| [SurfaceHub CSP](surfacehub-csp.md) | Added the following nodes and settings:
                  - InBoxApps/SkypeForBusiness
                  - InBoxApps/SkypeForBusiness/DomainName
                  - InBoxApps/Connect
                  - InBoxApps/Connect/AutoLaunch
                  - Properties/DefaultVolume
                  - Properties/ScreenTimeout
                  - Properties/SessionTimeout
                  - Properties/SleepTimeout
                  - Properties/AllowSessionResume
                  - Properties/AllowAutoProxyAuth
                  - Properties/DisableSigninSuggestions
                  - Properties/DoNotShowMyMeetingsAndFiles | -| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) | Added the new CSP. | -| [WindowsLicensing CSP](windowslicensing-csp.md) | Added the following setting:
                  - ChangeProductKey | -| [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) | Added the following setting:
                  - Configuration/TelemetryReportingFrequency | -| [DMSessionActions CSP](dmsessionactions-csp.md) | Added the new CSP. | -| [SharedPC CSP](dmsessionactions-csp.md) | Added new settings in Windows 10, version 1703:
                  - RestrictLocalStorage
                  - KioskModeAUMID
                  - KioskModeUserTileDisplayText
                  - InactiveThreshold
                  - MaxPageFileSizeMB
                  The default value for SetEduPolicies changed to false. The default value for SleepTimeout changed to 300. | -| [RemoteLock CSP](remotelock-csp.md) | Added following setting:
                  - LockAndRecoverPIN | -| [NodeCache CSP](nodecache-csp.md) | Added following settings:
                  - ChangedNodesData
                  - AutoSetExpectedValue | -| [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) | Added a zip file containing the DDF XML files of the CSPs. The link to the download is available in the DDF articles of various CSPs. | -| [RemoteWipe CSP](remotewipe-csp.md) | Added new setting in Windows 10, version 1703:
                  - doWipeProtected | -| [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) | Added new classes and properties. | -| [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md) | Added a section describing SyncML examples of various ADMX elements. | -| [Win32 and Desktop Bridge app policy configuration](./win32-and-centennial-app-policy-configuration.md) | New article. | -| [Deploy and configure App-V apps using MDM](./appv-deploy-and-config.md) | Added a new article describing how to deploy and configure App-V apps using MDM. | -| [EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md) | Added new setting in the March service release of Windows 10, version 1607.
                  - MSI/UpgradeCode/[Guid] | -| [Reporting CSP](reporting-csp.md) | Added new settings in Windows 10, version 1703.
                  - EnterpriseDataProtection/RetrieveByTimeRange/Type
                  - EnterpriseDataProtection/RetrieveByCount/Type | -| [Connect your Windows 10-based device to work using a deep link](./mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link) | Added following deep link parameters to the table:
                  - Username
                  - Servername
                  - Accesstoken
                  - Deviceidentifier
                  - Tenantidentifier
                  - Ownership | -| MDM support for Windows 10 S | Updated the following articles to indicate MDM support in Windows 10 S.
                  - [Configuration service provider reference](configuration-service-provider-reference.md)
                  - [Policy CSP](policy-configuration-service-provider.md) | -| [TPMPolicy CSP](tpmpolicy-csp.md) | Added the new CSP. | - -## What’s new in MDM for Windows 10, version 1607 - -| New or updated article | Description | -|-----|-----| -| Sideloading of apps | Starting in Windows 10, version 1607, sideloading of apps is only allowed through [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md). Product keys (5x5) will no longer be supported to enable sideloading on Windows 10, version 1607 devices. | -| [NodeCache CSP](nodecache-csp.md) | The value of NodeCache root node starting in Windows 10, version 1607 is com.microsoft/1.0/MDM/NodeCache. | -| [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) | New CSP. | -| [Policy CSP](policy-configuration-service-provider.md) | Removed the following policies:
                  - DataProtection/AllowAzureRMSForEDP - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
                  - DataProtection/AllowUserDecryption - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
                  - DataProtection/EDPEnforcementLevel - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
                  - DataProtection/RequireProtectionUnderLockConfig - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
                  - DataProtection/RevokeOnUnenroll - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
                  - DataProtection/EnterpriseCloudResources - moved this policy to NetworkIsolation policy
                  - DataProtection/EnterpriseInternalProxyServers - moved this policy to NetworkIsolation policy
                  - DataProtection/EnterpriseIPRange - moved this policy to NetworkIsolation policy
                  - DataProtection/EnterpriseNetworkDomainNames - moved this policy to NetworkIsolation policy
                  - DataProtection/EnterpriseProxyServers - moved this policy to NetworkIsolation policy
                  - Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices - this policy has been deprecated.

                  Added the WiFi/AllowManualWiFiConfiguration and WiFi/AllowWiFi policies for Windows 10, version 1607:
                  - Windows 10 Pro
                  - Windows 10 Enterprise
                  - Windows 10 Education

                  Added the following new policies:
                  - AboveLock/AllowCortanaAboveLock
                  - ApplicationManagement/DisableStoreOriginatedApps
                  - Authentication/AllowSecondaryAuthenticationDevice
                  - Bluetooth/AllowPrepairing
                  - Browser/AllowExtensions
                  - Browser/PreventAccessToAboutFlagsInMicrosoftEdge
                  - Browser/ShowMessageWhenOpeningSitesInInternetExplorer
                  - DeliveryOptimization/DOAbsoluteMaxCacheSize
                  - DeliveryOptimization/DOMaxDownloadBandwidth
                  - DeliveryOptimization/DOMinBackgroundQoS
                  - DeliveryOptimization/DOModifyCacheDrive
                  - DeliveryOptimization/DOMonthlyUploadDataCap
                  - DeliveryOptimization/DOPercentageMaxDownloadBandwidth
                  - DeviceLock/EnforceLockScreenAndLogonImage
                  - DeviceLock/EnforceLockScreenProvider
                  - Defender/PUAProtection
                  - Experience/AllowThirdPartySuggestionsInWindowsSpotlight
                  - Experience/AllowWindowsSpotlight
                  - Experience/ConfigureWindowsSpotlightOnLockScreen
                  - Experience/DoNotShowFeedbackNotifications
                  - Licensing/AllowWindowsEntitlementActivation
                  - Licensing/DisallowKMSClientOnlineAVSValidation
                  - LockDown/AllowEdgeSwipe
                  - Maps/EnableOfflineMapsAutoUpdate
                  - Maps/AllowOfflineMapsDownloadOverMeteredConnection
                  - Messaging/AllowMessageSync
                  - NetworkIsolation/EnterpriseCloudResources
                  - NetworkIsolation/EnterpriseInternalProxyServers
                  - NetworkIsolation/EnterpriseIPRange
                  - NetworkIsolation/EnterpriseIPRangesAreAuthoritative
                  - NetworkIsolation/EnterpriseNetworkDomainNames
                  - NetworkIsolation/EnterpriseProxyServers
                  - NetworkIsolation/EnterpriseProxyServersAreAuthoritative
                  - NetworkIsolation/NeutralResources
                  - Notifications/DisallowNotificationMirroring
                  - Privacy/DisableAdvertisingId
                  - Privacy/LetAppsAccessAccountInfo
                  - Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps
                  - Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps
                  - Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps
                  - Privacy/LetAppsAccessCalendar
                  - Privacy/LetAppsAccessCalendar_ForceAllowTheseApps
                  - Privacy/LetAppsAccessCalendar_ForceDenyTheseApps
                  - Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps
                  - Privacy/LetAppsAccessCallHistory
                  - Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps
                  - Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps
                  - Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps
                  - Privacy/LetAppsAccessCamera
                  - Privacy/LetAppsAccessCamera_ForceAllowTheseApps
                  - Privacy/LetAppsAccessCamera_ForceDenyTheseApps
                  - Privacy/LetAppsAccessCamera_UserInControlOfTheseApps
                  - Privacy/LetAppsAccessContacts
                  - Privacy/LetAppsAccessContacts_ForceAllowTheseApps
                  - Privacy/LetAppsAccessContacts_ForceDenyTheseApps
                  - Privacy/LetAppsAccessContacts_UserInControlOfTheseApps
                  - Privacy/LetAppsAccessEmail
                  - Privacy/LetAppsAccessEmail_ForceAllowTheseApps
                  - Privacy/LetAppsAccessEmail_ForceDenyTheseApps
                  - Privacy/LetAppsAccessEmail_UserInControlOfTheseApps
                  - Privacy/LetAppsAccessLocation
                  - Privacy/LetAppsAccessLocation_ForceAllowTheseApps
                  - Privacy/LetAppsAccessLocation_ForceDenyTheseApps
                  - Privacy/LetAppsAccessLocation_UserInControlOfTheseApps
                  - Privacy/LetAppsAccessMessaging
                  - Privacy/LetAppsAccessMessaging_ForceAllowTheseApps
                  - Privacy/LetAppsAccessMessaging_ForceDenyTheseApps
                  - Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps
                  - Privacy/LetAppsAccessMicrophone
                  - Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps
                  - Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps
                  - Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps
                  - Privacy/LetAppsAccessMotion
                  - Privacy/LetAppsAccessMotion_ForceAllowTheseApps
                  - Privacy/LetAppsAccessMotion_ForceDenyTheseApps
                  - Privacy/LetAppsAccessMotion_UserInControlOfTheseApps
                  - Privacy/LetAppsAccessNotifications
                  - Privacy/LetAppsAccessNotifications_ForceAllowTheseApps
                  - Privacy/LetAppsAccessNotifications_ForceDenyTheseApps
                  - Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps
                  - Privacy/LetAppsAccessPhone
                  - Privacy/LetAppsAccessPhone_ForceAllowTheseApps
                  - Privacy/LetAppsAccessPhone_ForceDenyTheseApps
                  - Privacy/LetAppsAccessPhone_UserInControlOfTheseApps
                  - Privacy/LetAppsAccessRadios
                  - Privacy/LetAppsAccessRadios_ForceAllowTheseApps
                  - Privacy/LetAppsAccessRadios_ForceDenyTheseApps
                  - Privacy/LetAppsAccessRadios_UserInControlOfTheseApps
                  - Privacy/LetAppsAccessTrustedDevices
                  - Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps
                  - Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps
                  - Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps
                  - Privacy/LetAppsSyncWithDevices
                  - Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps
                  - Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps
                  - Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps
                  - Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
                  - Settings/AllowEditDeviceName
                  - Speech/AllowSpeechModelUpdate
                  - System/TelemetryProxy
                  - Update/ActiveHoursStart
                  - Update/ActiveHoursEnd
                  - Update/AllowMUUpdateService
                  - Update/BranchReadinessLevel
                  - Update/DeferFeatureUpdatesPeriodInDays
                  - Update/DeferQualityUpdatesPeriodInDays
                  - Update/ExcludeWUDriversInQualityUpdate
                  - Update/PauseFeatureUpdates
                  - Update/PauseQualityUpdates
                  - Update/SetProxyBehaviorForUpdateDetection
                  - Update/UpdateServiceUrlAlternate (Added in the January service release of Windows 10, version 1607)
                  - WindowsInkWorkspace/AllowWindowsInkWorkspace
                  - WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace
                  - WirelessDisplay/AllowProjectionToPC
                  - WirelessDisplay/RequirePinForPairing

                  Updated the Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts description to remove outdated information.

                  Updated DeliveryOptimization/DODownloadMode to add new values.

                  Updated Experience/AllowCortana description to clarify what each supported value does.

                  Updated Security/AntiTheftMode description to clarify what each supported value does. | -| [DMClient CSP](dmclient-csp.md) | Added the following settings:
                  - ManagementServerAddressList
                  - AADDeviceID
                  - EnrollmentType
                  - HWDevID
                  - CommercialID

                  Removed the EnrollmentID setting. | -| [DeviceManageability CSP](devicemanageability-csp.md) | New CSP. | -| [DeviceStatus CSP](devicestatus-csp.md) | Added the following new settings:
                  - DeviceStatus/TPM/SpecificationVersion
                  - DeviceStatus/OS/Edition
                  - DeviceStatus/Antivirus/SignatureStatus
                  - DeviceStatus/Antivirus/Status
                  - DeviceStatus/Antispyware/SignatureStatus
                  - DeviceStatus/Antispyware/Status
                  - DeviceStatus/Firewall/Status
                  - DeviceStatus/UAC/Status
                  - DeviceStatus/Battery/Status
                  - DeviceStatus/Battery/EstimatedChargeRemaining
                  - DeviceStatus/Battery/EstimatedRuntime | -| [AssignedAccess CSP](assignedaccess-csp.md) | Added SyncML examples. | -| [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md) | Added a new Folder table entry in the AssignedAccess/AssignedAccessXml description.
                  Updated the DDF and XSD file sections. | -| [SecureAssessment CSP](secureassessment-csp.md) | New CSP. | -| [DiagnosticLog CSP](diagnosticlog-csp.md)
                  [DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.3 of the CSP with two new settings.

                  Added the new 1.3 version of the DDF.

                  Added the following new settings in Windows 10, version 1607
                  - DeviceStateData
                  - DeviceStateData/MdmConfiguration | -| [Reboot CSP](reboot-csp.md) | New CSP. | -| [CMPolicyEnterprise CSP](cmpolicyenterprise-csp.md) | New CSP. | -| [VPNv2 CSP](vpnv2-csp.md) | Added the following settings for Windows 10, version 1607:
                  - _ProfileName_/RouteList/routeRowId/ExclusionRoute
                  - _ProfileName_/DomainNameInformationList/_dniRowId_/AutoTrigger
                  - _ProfileName_/DomainNameInformationList/dniRowId/Persistent
                  - _ProfileName_/ProfileXML
                  - _ProfileName_/DeviceCompliance/Enabled
                  - _ProfileName_/DeviceCompliance/Sso
                  - _ProfileName_/DeviceCompliance/Sso/Enabled
                  - _ProfileName_/DeviceCompliance/Sso/IssuerHash
                  - _ProfileName_/DeviceCompliance/Sso/Eku
                  - _ProfileName_/NativeProfile/CryptographySuite
                  - _ProfileName_/NativeProfile/CryptographySuite/AuthenticationTransformConstants
                  - _ProfileName_/NativeProfile/CryptographySuite/CipherTransformConstants
                  - _ProfileName_/NativeProfile/CryptographySuite/EncryptionMethod
                  - _ProfileName_/NativeProfile/CryptographySuite/IntegrityCheckMethod
                  - _ProfileName_/NativeProfile/CryptographySuite/DHGroup
                  - _ProfileName_/NativeProfile/CryptographySuite/PfsGroup
                  - _ProfileName_/NativeProfile/L2tpPsk | -| [Win32AppInventory CSP](win32appinventory-csp.md) | New CSP. | -| [SharedPC CSP](sharedpc-csp.md) | New CSP. | -| [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) | New CSP. | -| [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) | Added new classes for Windows 10, version 1607. | -| [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md) | Article renamed from "Enrollment UI".

                  Completely updated enrollment procedures and screenshots. | -| [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
                  [UnifiedWriteFilter DDF File](unifiedwritefilter-ddf.md) | Added the following new setting for Windows 10, version 1607:
                  - NextSession/HORMEnabled | -| [CertificateStore CSP](certificatestore-csp.md)
                  [CertificateStore DDF file](certificatestore-ddf-file.md) | Added the following new settings in Windows 10, version 1607:
                  - My/WSTEP/Renew/LastRenewalAttemptTime
                  - My/WSTEP/Renew/RenewNow | -| [WindowsLicensing CSP](windowslicensing-csp.md) | Added the following new node and settings in Windows 10, version 1607, but not documented:
                  - Subscriptions
                  - Subscriptions/SubscriptionId
                  - Subscriptions/SubscriptionId/Status
                  - Subscriptions/SubscriptionId/Name | -| [WiFi CSP](wifi-csp.md) | Deprecated the following node in Windows 10, version 1607:
                  - DisableInternetConnectivityChecks | - -## What’s new in MDM for Windows 10, version 1511 - -| New or updated article | Description | -|-----|-----| -| New configuration service providers added in Windows 10, version 1511 | - [AllJoynManagement CSP](alljoynmanagement-csp.md)
                  - [Maps CSP](maps-csp.md)
                  - [Reporting CSP](reporting-csp.md)
                  - [SurfaceHub CSP](surfacehub-csp.md)
                  - [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md) | -| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policy settings:
                  - ApplicationManagement/AllowWindowsBridgeForAndroidAppsExecution
                  - Bluetooth/ServicesAllowedList
                  - DataProtection/AllowAzureRMSForEDP
                  - DataProtection/RevokeOnUnenroll
                  - DeviceLock/DevicePasswordExpiration
                  - DeviceLock/DevicePasswordHistory
                  - TextInput/AllowInputPanel
                  - Update/PauseDeferrals
                  - Update/RequireDeferUpdate
                  - Update/RequireUpdateApproval

                  Updated the following policy settings:
                  - System/AllowLocation
                  - Update/RequireDeferUpgrade

                  Deprecated the following policy settings:
                  - TextInput/AllowKoreanExtendedHanja
                  - WiFi/AllowWiFiHotSpotReporting | -| Management tool for the Microsoft Store for Business | New articles. The Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. It enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates. | -| Custom header for generic alert | The MDM-GenericAlert is a new custom header that hosts one or more alert information provided in the http messages sent by the device to the server during an OMA DM session. The generic alert is sent if the session is triggered by the device due to one or more critical or fatal alerts. Here is alert format: `MDM-GenericAlert: `

                  If present, the MDM-GenericAlert is presented in every the outgoing MDM message in the same OMA DM session. For more information about generic alerts, see section 8.7 in the OMA Device Management Protocol, Approved Version 1.2.1 in this [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526). | -| Alert message for slow client response | When the MDM server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending.

                  To work around the timeout, you can use EnableOmaDmKeepAliveMessage setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information. For details, see EnableOmaDmKeepAliveMessage node in the [DMClient CSP](dmclient-csp.md). | -| [DMClient CSP](dmclient-csp.md) | Added a new node EnableOmaDmKeepAliveMessage to the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) and updated the ManagementServerAddress to indicate that it can contain a list of URLs. | -| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following new nodes:
                  - AppManagement/GetInventoryQuery
                  - AppManagement/GetInventoryResults
                  - .../_PackageFamilyName_/AppSettingPolicy/_SettingValue_
                  - AppLicenses/StoreLicenses/_LicenseID_/LicenseCategory
                  - AppLicenses/StoreLicenses/_LicenseID_/LicenseUsage
                  - AppLicenses/StoreLicenses/_LicenseID_/RequesterID
                  - AppLicenses/StoreLicenses/_LicenseID_/GetLicenseFromStore | -| [EnterpriseExt CSP](enterpriseext-csp.md) | Added the following new nodes:
                  - DeviceCustomData (CustomID, CustomeString)
                  - Brightness (Default, MaxAuto)
                  - LedAlertNotification (State, Intensity, Period, DutyCycle, Cyclecount) | -| [EnterpriseExtFileSystem CSP](enterpriseextfilessystem-csp.md) | Added the OemProfile node. -| [PassportForWork CSP](passportforwork-csp.md) | Added the following new nodes:
                  - TenantId/Policies/PINComplexity/History
                  - TenantId/Policies/PINComplexity/Expiration
                  - TenantId/Policies/Remote/UseRemotePassport (only for ./Device/Vendor/MSFT)
                  - Biometrics/UseBiometrics (only for ./Device/Vendor/MSFT)
                  - Biometrics/FacialFeaturesUseEnhancedAntiSpoofing (only for ./Device/Vendor/MSFT) | -| [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md) | The following updates are done to the [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md):
                  - In AssignedAccessXML node, added new page settings and quick action settings.
                  - In AssignedAccessXML node, added an example about how to pin applications in multiple app packages using the AUMID.
                  - Updated the [EnterpriseAssignedAccess XSD](enterpriseassignedaccess-xsd.md) article. | -| [DevDetail CSP](devdetail-csp.md) | The following updates are done to [DevDetail CSP](devdetail-csp.md):
                  - Added TotalStore and TotalRAM settings.
                  - Added support for Replace command for the DeviceName setting. | -| Handling large objects | Added support for the client to handle uploading of large objects to the server. | ## Breaking changes and known issues ### Get command inside an atomic command is not supported -In Windows 10, a Get command inside an atomic command is not supported. This was allowed in Windows Phone 8 and Windows Phone 8.1. - -### Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10 - -During an upgrade from Windows 8.1 to Windows 10, the notification channel URI information is not preserved. In addition, the MDM client loses the PFN, AppID, and client secret. - -After upgrading to Windows 10, you should call MDM\_WNSConfiguration class to recreate the notification channel URI. +In Windows 10 and Windows 11, a Get command inside an atomic command is not supported. ### Apps installed using WMI classes are not removed 
@@ -234,17 +43,17 @@ Applications installed using WMI classes are not removed when the MDM account is ### Passing CDATA in SyncML does not work -Passing CDATA in data in SyncML to ConfigManager and CSPs does not work in Windows 10. It worked in Windows Phone 8. +Passing CDATA in data in SyncML to ConfigManager and CSPs does not work in Windows 10 and Windows 11. ### SSL settings in IIS server for SCEP must be set to "Ignore" -The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10. In Windows Phone 8.1, when you set the client certificate to "Accept," it works fine. +The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10 and Windows 11. ![ssl settings.](images/ssl-settings.png) -### MDM enrollment fails on the mobile device when traffic is going through proxy +### MDM enrollment fails on the Windows device when traffic is going through proxy -When the mobile device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that does not require authentication or remove the proxy setting from the connected network. +When the Windows device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that does not require authentication or remove the proxy setting from the connected network. ### Server-initiated unenrollment failure 
@@ -254,41 +63,13 @@ Remote server unenrollment is disabled for mobile devices enrolled via Azure Act ### Certificates causing issues with Wi-Fi and VPN -Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. +In Windows 10 and Windows 11, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. -### Version information for mobile devices +### Version information for Windows 11 -The software version information from **DevDetail/SwV** does not match the version in **Settings** under **System/About**. +The software version information from **DevDetail/Ext/Microsoft/OSPlatform** does not match the version in **Settings** under **System/About**. -### Upgrading Windows Phone 8.1 devices with app allow-listing using ApplicationRestriction policy has issues - -- When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile using ApplicationRestrictions with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps. - - Here's additional guidance for the upgrade process: - - - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents). 
- - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher rule if you are using it. - - In the SyncML, you must use lowercase product ID. - - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error. - - -- Silverlight xaps may not install even if publisher policy is specified using Windows Phone 8.1 publisher rule. For example, Silverlight app "Level" will not install even if you specify <Publisher PublisherName=”Microsoft Corporation” />. - - To workaround this issue, remove the Windows Phone 8.1 publisher rule and add the specific product ID for each Silverlight app you want to allow to the allowed app list. - -- Some apps (specifically those that are published in Microsoft Store as AppX Bundles) are blocked from installing even when they are included in the app list. - - No workaround is available at this time. An OS update to fix this issue is coming soon. - -### Apps dependent on Microsoft Frameworks may get blocked in phones prior to build 10586.218 - -Applies only to phone prior to build 10586.218: When ApplicationManagement/ApplicationRestrictions policy is deployed to Windows 10 Mobile, installation and update of apps dependent on Microsoft Frameworks may get blocked with error 0x80073CF9. To work around this issue, you must include the Microsoft Framework ID to your list of allowed apps. 
- -```xml - -``` - -### Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 Mobile +### Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 and Windows 11 In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate. 
@@ -304,25 +85,25 @@ EAP XML must be updated with relevant information for your environment This can - For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags you will find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile. - For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field. -For information about EAP Settings, see +For information about EAP Settings, see . -For information about generating an EAP XML, see [EAP configuration](eap-configuration.md) +For information about generating an EAP XML, see [EAP configuration](eap-configuration.md). -For more information about extended key usage, see +For more information about extended key usage, see . -For information about adding extended key usage (EKU) to a certificate, see +For information about adding extended key usage (EKU) to a certificate, see . The following list describes the prerequisites for a certificate to be used with EAP: - The certificate must have at least one of the following EKU (Extended Key Usage) properties: - - Client Authentication - - As defined by RFC 5280, this is a well-defined OID with Value 1.3.6.1.5.5.7.3.2 - - Any Purpose + - Client Authentication. + - As defined by RFC 5280, this is a well-defined OID with Value 1.3.6.1.5.5.7.3.2. + - Any Purpose. - An EKU Defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that additional non-critical or custom EKUs can still be added to the certificate for effective filtering. - - All Purpose + - All Purpose. 
- As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but does not want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes. -- The user or the computer certificate on the client chains to a trusted root CA +- The user or the computer certificate on the client chains to a trusted root CA. - The user or the computer certificate does not fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy. - The user or the computer certificate does not fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server. - The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user. 
@@ -436,40 +217,42 @@ The following XML sample explains the properties for the EAP TLS XML including c Alternatively you can use the following procedure to create an EAP Configuration XML. -1. Follow steps 1 through 7 in the [EAP configuration](eap-configuration.md) article. +1. Follow steps 1 through 7 in [EAP configuration](eap-configuration.md). + 2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop down (this selects EAP TLS.) - ![vpn selfhost properties window.](images/certfiltering1.png) + :::image type="content" alt-text="vpn selfhost properties window." source="images/certfiltering1.png"::: > [!NOTE] > For PEAP or TTLS, select the appropriate method and continue following this procedure. 3. Click the **Properties** button underneath the drop down menu. + 4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. - ![smart card or other certificate properties window.](images/certfiltering2.png) + :::image type="content" alt-text="smart card or other certificate properties window." source="images/certfiltering2.png"::: + 5. In the **Configure Certificate Selection** menu, adjust the filters as needed. - ![configure certificate selection window.](images/certfiltering3.png) + :::image type="content" alt-text="configure certificate selection window." source="images/certfiltering3.png"::: + 6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box. + 7. Close the rasphone dialog box. -8. Continue following the procedure in the [EAP configuration](eap-configuration.md) article from Step 9 to get an EAP TLS profile with appropriate filtering. + +8. Continue following the procedure in [EAP configuration](eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering. > [!NOTE] > You can also set all the other applicable EAP Properties through this UI as well. 
A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)). -### Remote PIN reset not supported in Azure Active Directory joined mobile devices - -In Windows 10 Mobile, remote PIN reset in Azure AD joined devices are not supported. Devices are wiped when you issue a remote PIN reset command using the RemoteLock CSP. - ### MDM client will immediately check-in with the MDM server after client renews WNS channel URI -Starting in Windows 10, after the MDM client automatically renews the WNS channel URI, the MDM client will immediately check-in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary. +After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check-in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary. -### User provisioning failure in Azure Active Directory joined Windows 10 PC +### User provisioning failure in Azure Active Directory joined Windows 10 and Windows 11 devices -In Azure AD joined Windows 10 PC, provisioning /.User resources fails when the user is not logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, make sure to log off and log on with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design. +In Azure AD joined Windows 10 and Windows 11, provisioning /.User resources fails when the user is not logged in as an Azure AD user. 
If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, make sure to log off and log on with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design. ### Requirements to note for VPN certificates also used for Kerberos Authentication 
@@ -479,30 +262,89 @@ If you want to use the certificate used for VPN authentication also for Kerberos The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service. + ## Frequently Asked Questions -### **Can there be more than one MDM server to enroll and manage devices in Windows 10?** +### Can there be more than one MDM server to enroll and manage devices in Windows 10 or 11? No. Only one MDM is allowed. -### **How do I set the maximum number of Azure Active Directory joined devices per user?** +### How do I set the maximum number of Azure Active Directory joined devices per user? 1. Login to the portal as tenant admin: https://manage.windowsazure.com. 2. Click Active Directory on the left pane. 3. Choose your tenant. 4. Click **Configure**. 5. Set quota to unlimited. - ![aad maximum joined devices.](images/faq-max-devices.png) + :::image type="content" alt-text="aad maximum joined devices." source="images/faq-max-devices.png"::: -### **What is dmwappushsvc?** +### What is dmwappushsvc? Entry | Description --------------- | -------------------- -What is dmwappushsvc? | It is a Windows service that ships in Windows 10 operating system as a part of the windows management platform. It is used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | +What is dmwappushsvc? | It is a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. 
It is used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | What data is handled by dmwappushsvc? | It is a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. This service does not send telemetry.| How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. Disabling this will cause your management to fail.| + + +## What’s new in MDM for Windows 10, version 20H2 + +|New or updated article|Description| +|-----|-----| +| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 20H2:
                  - [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)
                  - [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)
                  - [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
                  - [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
                  - [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
                  - [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)
                  - [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
                  - [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) | +| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
                  - Properties/SleepMode | +| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:
                  - Settings/AllowWindowsDefenderApplicationGuard | + +## What’s new in MDM for Windows 10, version 2004 + +| New or updated article | Description | +|-----|-----| +| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 2004:
                  - [ApplicationManagement/BlockNonAdminUserInstall](policy-csp-applicationmanagement.md#applicationmanagement-blocknonadminuserinstall)
                  - [Bluetooth/SetMinimumEncryptionKeySize](policy-csp-bluetooth.md#bluetooth-setminimumencryptionkeysize)
                  - [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource)
                  - [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth)
                  - [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth)
                  - [Education/AllowGraphingCalculator](policy-csp-education.md#education-allowgraphingcalculator)
                  - [TextInput/ConfigureJapaneseIMEVersion](policy-csp-textinput.md#textinput-configurejapaneseimeversion)
                  - [TextInput/ConfigureSimplifiedChineseIMEVersion](policy-csp-textinput.md#textinput-configuresimplifiedchineseimeversion)
                  - [TextInput/ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md#textinput-configuretraditionalchineseimeversion)

                  Updated the following policy in Windows 10, version 2004:
                  - [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)

                  Deprecated the following policies in Windows 10, version 2004:
                  - [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
                  - [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
                  - [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) | +| [DevDetail CSP](devdetail-csp.md) | Added the following new node:
                  - Ext/Microsoft/DNSComputerName | +| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following new node:
                  - IsStub | +| [SUPL CSP](supl-csp.md) | Added the following new node:
                  - FullVersion | + +## What’s new in MDM for Windows 10, version 1909 + +| New or updated article | Description | +|-----|-----| +| [BitLocker CSP](bitlocker-csp.md) | Added the following new nodes in Windows 10, version 1909:
                  - ConfigureRecoveryPasswordRotation
                  - RotateRecoveryPasswords
                  - RotateRecoveryPasswordsStatus
                  - RotateRecoveryPasswordsRequestID| + +## What’s new in MDM for Windows 10, version 1903 + +| New or updated article | Description | +|-----|-----| +|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 1903:
                  - [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
                  - [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
                  - [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
                  - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
                  - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
                  - [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceinstanceids)
                  - [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceinstanceids)
                  - [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
                  - [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
                  - [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
                  - [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
                  - [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
                  - [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
                  - [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
                  - [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
                  - [Power/EnergySaverBatteryThresholdOnBattery](policy-csp-power.md#power-energysaverbatterythresholdonbattery)
                  - [Power/EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
                  - [Power/SelectLidCloseActionOnBattery](policy-csp-power.md#power-selectlidcloseactiononbattery)
                  - [Power/SelectLidCloseActionPluggedIn](policy-csp-power.md#power-selectlidcloseactionpluggedin)
                  - [Power/SelectPowerButtonActionOnBattery](policy-csp-power.md#power-selectpowerbuttonactiononbattery)
                  - [Power/SelectPowerButtonActionPluggedIn](policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
                  - [Power/SelectSleepButtonActionOnBattery](policy-csp-power.md#power-selectsleepbuttonactiononbattery)
                  - [Power/SelectSleepButtonActionPluggedIn](policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
                  - [Power/TurnOffHybridSleepOnBattery](policy-csp-power.md#power-turnoffhybridsleeponbattery)
                  - [Power/TurnOffHybridSleepPluggedIn](policy-csp-power.md#power-turnoffhybridsleeppluggedin)
                  - [Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
                  - [Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
                  - [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
                  - [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
                  - [Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)
                  - [ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
                  - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
                  - [System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)
                  - [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone)
                  - [Troubleshooting/AllowRecommendations](policy-csp-troubleshooting.md#troubleshooting-allowrecommendations)
                  - [Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)
                  - [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
                  - [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
                  - [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
                  - [WindowsLogon/AllowAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
                  - [WindowsLogon/ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
                  - [WindowsLogon/EnableFirstLogonAnimation](policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)| +| [Policy CSP - Audit](policy-csp-audit.md) | Added the new Audit policy CSP. | +| [ApplicationControl CSP](applicationcontrol-csp.md) | Added the new CSP. | +| [Defender CSP](defender-csp.md) | Added the following new nodes:
                  - Health/TamperProtectionEnabled
                  - Health/IsVirtualMachine
                  - Configuration
                  - Configuration/TamperProtection
                  - Configuration/EnableFileHashComputation | +| [DiagnosticLog CSP](diagnosticlog-csp.md)
                  [DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903.
                  Added the new 1.4 version of the DDF.
                  Added the following new nodes:
                  - Policy
                  - Policy/Channels
                  - Policy/Channels/ChannelName
                  - Policy/Channels/ChannelName/MaximumFileSize
                  - Policy/Channels/ChannelName/SDDL
                  - Policy/Channels/ChannelName/ActionWhenFull
                  - Policy/Channels/ChannelName/Enabled
                  - DiagnosticArchive
                  - DiagnosticArchive/ArchiveDefinition
                  - DiagnosticArchive/ArchiveResults | +| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | Added the new CSP. | +| [PassportForWork CSP](passportforwork-csp.md) | Added the following new nodes:
                  - SecurityKey
                  - SecurityKey/UseSecurityKeyForSignin | + + +## What’s new in MDM for Windows 10, version 1809 + +| New or updated article | Description | +|-----|-----| +|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policy settings in Windows 10, version 1809:
                  - ApplicationManagement/LaunchAppAfterLogOn
                  - ApplicationManagement/ScheduleForceRestartForUpdateFailures
                  - Authentication/EnableFastFirstSignIn (Preview mode only)
                  - Authentication/EnableWebSignIn (Preview mode only)
                  - Authentication/PreferredAadTenantDomainName
                  - Browser/AllowFullScreenMode
                  - Browser/AllowPrelaunch
                  - Browser/AllowPrinting
                  - Browser/AllowSavingHistory
                  - Browser/AllowSideloadingOfExtensions
                  - Browser/AllowTabPreloading
                  - Browser/AllowWebContentOnNewTabPage
                  - Browser/ConfigureFavoritesBar
                  - Browser/ConfigureHomeButton
                  - Browser/ConfigureKioskMode
                  - Browser/ConfigureKioskResetAfterIdleTimeout
                  - Browser/ConfigureOpenMicrosoftEdgeWith
                  - Browser/ConfigureTelemetryForMicrosoft365Analytics
                  - Browser/PreventCertErrorOverrides
                  - Browser/SetHomeButtonURL
                  - Browser/SetNewTabPageURL
                  - Browser/UnlockHomeButton
                  - Defender/CheckForSignaturesBeforeRunningScan
                  - Defender/DisableCatchupFullScan
                  - Defender/DisableCatchupQuickScan
                  - Defender/EnableLowCPUPriority
                  - Defender/SignatureUpdateFallbackOrder
                  - Defender/SignatureUpdateFileSharesSources
                  - DeviceGuard/ConfigureSystemGuardLaunch
                  - DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
                  - DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
                  - DeviceInstallation/PreventDeviceMetadataFromNetwork
                  - DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
                  - DmaGuard/DeviceEnumerationPolicy
                  - Experience/AllowClipboardHistory
                  - Experience/DoNotSyncBrowserSettings
                  - Experience/PreventUsersFromTurningOnBrowserSyncing
                  - Kerberos/UPNNameHints
                  - Privacy/AllowCrossDeviceClipboard
                  - Privacy/DisablePrivacyExperience
                  - Privacy/UploadUserActivities
                  - Security/RecoveryEnvironmentAuthentication
                  - System/AllowDeviceNameInDiagnosticData
                  - System/ConfigureMicrosoft365UploadEndpoint
                  - System/DisableDeviceDelete
                  - System/DisableDiagnosticDataViewer
                  - Storage/RemovableDiskDenyWriteAccess
                  - TaskManager/AllowEndTask
                  - Update/DisableWUfBSafeguards
                  - Update/EngagedRestartDeadlineForFeatureUpdates
                  - Update/EngagedRestartSnoozeScheduleForFeatureUpdates
                  - Update/EngagedRestartTransitionScheduleForFeatureUpdates
                  - Update/SetDisablePauseUXAccess
                  - Update/SetDisableUXWUAccess
                  - WindowsDefenderSecurityCenter/DisableClearTpmButton
                  - WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
                  - WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
                  - WindowsLogon/DontDisplayNetworkSelectionUI | +| [BitLocker CSP](bitlocker-csp.md) | Added a new node AllowStandardUserEncryption in Windows 10, version 1809. Added support for Windows 10 Pro. | +| [Defender CSP](defender-csp.md) | Added a new node Health/ProductStatus in Windows 10, version 1809. | +| [DevDetail CSP](devdetail-csp.md) | Added a new node SMBIOSSerialNumber in Windows 10, version 1809. | +| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added NonRemovable setting under AppManagement node in Windows 10, version 1809. | +| [Office CSP](office-csp.md) | Added FinalStatus setting in Windows 10, version 1809. | +| [PassportForWork CSP](passportforwork-csp.md) | Added new settings in Windows 10, version 1809. | +| [RemoteWipe CSP](remotewipe-csp.md) | Added new settings in Windows 10, version 1809. | +| [SUPL CSP](supl-csp.md) | Added 3 new certificate nodes in Windows 10, version 1809. | +| [TenantLockdown CSP](tenantlockdown-csp.md) | Added new CSP in Windows 10, version 1809. | +| [Wifi CSP](wifi-csp.md) | Added a new node WifiCost in Windows 10, version 1809. | +| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Added new settings in Windows 10, version 1809. | +| [WindowsLicensing CSP](windowslicensing-csp.md) | Added S mode settings and SyncML examples in Windows 10, version 1809. | +| [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) | Added new configuration service provider in Windows 10, version 1809. | + + ## Change history for MDM documentation -To know what's changed in MDM documentation, see [Change history for MDM documentation](change-history-for-mdm-documentation.md). \ No newline at end of file +To know what's changed in MDM documentation, see [Change history for MDM documentation](change-history-for-mdm-documentation.md). 
diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index 7516e3c411..280b16b2cf 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md @@ -18,10 +18,11 @@ The Office configuration service provider (CSP) enables a Microsoft Office clien This CSP was added in Windows 10, version 1703. -For additional information, see [Office DDF](office-ddf.md). +For more information, see [Office DDF](office-ddf.md). The following shows the Office configuration service provider in tree format. -``` + +```console ./Vendor/MSFT Office ----Installation @@ -46,6 +47,7 @@ Office ------------Install ------------Status ``` + **./Device/Vendor/MSFT/Office/ or ./User/Vendor/MSFT/Office** The root node for the Office configuration service provider.

                  @@ -78,7 +80,7 @@ Behavior: - When Office CSP is triggered to install, it will first check if the FinalStatus node exists or not. If the node exists, delete it. - When Office installation reaches any terminal states (either success or failure), this node is created that contains the following values: - When status = 0: 70 (succeeded) - - When status != 0: 60 (failed) + - When status!= 0: 60 (failed) **Installation/CurrentStatus** Returns an XML of current Office 365 installation status on the device. @@ -151,140 +153,22 @@ To get the current status of Office 365 on the device. ## Status code - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  StatusDescriptionComment
                  0Installation succeededOK
                  997Installation in progress
                  13ERROR_INVALID_DATA -

                  Cannot verify signature of the downloaded Office Deployment Tool (ODT)

                  Failure
                  1460ERROR_TIMEOUT -

                  Failed to download ODT

                  Failure
                  1602 ERROR_INSTALL_USEREXIT -

                  User cancelled the installation

                  Failure
                  1603ERROR_INSTALL_FAILURE -

                  Failed any pre-req check.

                  -
                    -
                  • SxS (Tried to install when 2016 MSI is installed)
                  • -
                  • Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)
                  • -
                  -
                  Failure
                  17000ERROR_PROCESSPOOL_INITIALIZATION -

                  Failed to start C2RClient

                  Failure
                  17001ERROR_QUEUE_SCENARIO -

                  Failed to queue installation scenario in C2RClient

                  Failure
                  17002ERROR_COMPLETING_SCENARIO -

                  Failed to complete the process. Possible reasons:

                  -
                    -
                  • Installation cancelled by user
                  • -
                  • Installation cancelled by another installation
                  • -
                  • Out of disk space during installation
                  • -
                  • Unknown language ID
                  • -
                  Failure
                  17003ERROR_ANOTHER_RUNNING_SCENARIO -

                  Another scenario is running

                  Failure
                  17004ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP -

                  Possible reasons:

                  -
                    -
                  • Unknown SKUs
                  • -
                  • Content does't exist on CDN -
                    • such as trying to install an unsupported LAP, like zh-sg
                    • -
                    • CDN issue that content is not available
                    -
                  • -
                  • Signature check issue, such as failed the signature check for Office content
                  • -
                  • User cancelled -
                  -
                  Failure
                  17005ERROR_SCENARIO_CANCELLED_AS_PLANNEDFailure
                  17006ERROR_SCENARIO_CANCELLED -

                  Blocked update by running apps

                  Failure
                  17007ERROR_REMOVE_INSTALLATION_NEEDED -

                  The client is requesting client clean up in a "Remove Installation" scenario

                  Failure
                  17100ERROR_HANDLING_COMMAND_LINE -

                  C2RClient command line error

                  Failure
                  0x80004005E_FAIL -

                  ODT cannot be used to install Volume license

                  Failure
                  0x8000ffff E_UNEXPECTED -

                  Tried to uninstall when there is no C2R Office on the machine.

                  Failure
                  \ No newline at end of file +|Status|Description|Comment| +|--- |--- |--- | +|0|Installation succeeded|OK| +|997|Installation in progress|| +|13|ERROR_INVALID_DATA
                  Cannot verify signature of the downloaded Office Deployment Tool (ODT)|Failure| +|1460|ERROR_TIMEOUT
                  Failed to download ODT|Failure| +|1602|ERROR_INSTALL_USEREXIT
                  User canceled the installation|Failure| +|1603|ERROR_INSTALL_FAILURE
                  Failed any pre-req check.
                • SxS (Tried to install when 2016 MSI is installed)
                • Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)|Failure| +|17000|ERROR_PROCESSPOOL_INITIALIZATION
                  Failed to start C2RClient|Failure| +|17001|ERROR_QUEUE_SCENARIO
                  Failed to queue installation scenario in C2RClient|Failure| +|17002|ERROR_COMPLETING_SCENARIO
                  Failed to complete the process. Possible reasons:
                • Installation canceled by user
                • Installation canceled by another installation
                • Out of disk space during installation
                • Unknown language ID|Failure| +|17003|ERROR_ANOTHER_RUNNING_SCENARIO
                  Another scenario is running|Failure| +|17004|ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
                  Possible reasons:
                • Unknown SKUs
                • Content does't exist on CDN
                  • Such as trying to install an unsupported LAP, like zh-sg
                  • CDN issue that content is not available
                • Signature check issue, such as failed the signature check for Office content
                • User canceled|Failure| +|17005|ERROR_SCENARIO_CANCELLED_AS_PLANNED|Failure| +|17006|ERROR_SCENARIO_CANCELLED
                  Blocked update by running apps|Failure| +|17007|ERROR_REMOVE_INSTALLATION_NEEDED
                  The client is requesting client clean-up in a "Remove Installation" scenario|Failure| +|17100|ERROR_HANDLING_COMMAND_LINE
                  C2RClient command-line error|Failure| +|0x80004005|E_FAIL
                  ODT cannot be used to install Volume license|Failure| +|0x8000ffff|E_UNEXPECTED
                  Tried to uninstall when there is no C2R Office on the machine.|Failure| diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md index 5e8ad6957f..893ac1e192 100644 --- a/windows/client-management/mdm/oma-dm-protocol-support.md +++ b/windows/client-management/mdm/oma-dm-protocol-support.md @@ -17,131 +17,21 @@ ms.date: 06/26/2017 The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/OMA-TS-DM_Protocol-V1_2-20070209-A.pdf). - -## In this topic - -- [OMA DM standards](#oma-dm-standards) - -- [OMA DM protocol common elements](#protocol-common-elements) - -- [Device management session](#device-management-session) - -- [User targeted vs. Device targeted configuration](#user-targeted-vs-device-targeted-configuration) - -- [SyncML response codes](#syncml-response-codes) - - ## OMA DM standards The following table shows the OMA DM standards that Windows uses. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  General areaOMA DM standard that is supported

                  Data transport and session

                    -
                  • Client-initiated remote HTTPS DM session over SSL.

                  • -
                  • Remote HTTPS DM session over SSL.

                  • -
                  • Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.

                  • -
                  • Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.

                  • -

                  Bootstrap XML

                    -
                  • OMA Client Provisioning XML.

                  • -

                  DM protocol commands

                  The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the OMA website.

                  -
                    -
                  • Add (Implicit Add supported)

                  • -
                  • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.

                  • -
                  • Atomic: Note that performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.

                  • -
                  • Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists

                  • -
                  • Exec: Invokes an executable on the client device

                  • -
                  • Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format

                  • -
                  • Replace: Overwrites data on the client device

                  • -
                  • Result: Returns the data results of a Get command to the DM server

                  • -
                  • Sequence: Specifies the order in which a group of commands must be processed

                  • -
                  • Status: Indicates the completion status (success or failure) of an operation

                  • -
                  -

                  If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:

                  -
                    -
                  • SyncBody

                  • -
                  • Atomic

                  • -
                  • Sequence

                  • -
                  -

                  If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.

                  -

                  If Atomic elements are nested, the following status codes are returned:

                  -
                    -
                  • The nested Atomic command returns 500.

                  • -
                  • The parent Atomic command returns 507.

                  • -
                  -

                  For more information about the Atomic command, see OMA DM protocol common elements.

                  -

                  Performing an Add command followed by Replace on the same node within an Atomic element is not supported.

                  -

                  LocURI cannot start with "/".

                  -

                  Meta XML tag in SyncHdr is ignored by the device.

                  OMA DM standard objects

                    -
                  • DevInfo

                  • -
                  • DevDetail

                  • -
                  • OMA DM DMS account objects (OMA DM version 1.2)

                  • -

                  Security

                    -
                  • Authenticate DM server initiation notification SMS message (not used by enterprise management)

                  • -
                  • Application layer Basic and MD5 client authentication

                  • -
                  • Authenticate server with MD5 credential at application level

                  • -
                  • Data integrity and authentication with HMAC at application level

                  • -
                  • SSL level certificate based client/server authentication, encryption, and data integrity check

                  • -

                  Nodes

                  In the OMA DM tree, the following rules apply for the node name:

                  -
                    -
                  • "." can be part of the node name.

                  • -
                  • The node name cannot be empty.

                  • -
                  • The node name cannot be only the asterisk (*) character.

                  • -

                  Provisioning Files

                  Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol specification.

                  -

                  If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.

                  -
                  -Note

                  To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.

                  -
                  -
                  - -

                  WBXML support

                  Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the SyncML Representation Protocol specification.

                  Handling of large objects

                  In Windows 10, version 1511, client support for uploading large objects to the server was added.

                  +|General area|OMA DM standard that is supported| +|--- |--- | +|Data transport and session|
                • Client-initiated remote HTTPS DM session over SSL.
                • Remote HTTPS DM session over SSL.
                • Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.
                • Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.| +|Bootstrap XML|OMA Client Provisioning XML.| +|DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.
                • Add (Implicit Add supported)
                • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
                • Atomic: Performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.
                • Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists
                • Exec: Invokes an executable on the client device
                • Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format
                • Replace: Overwrites data on the client device
                • Result: Returns the data results of a Get command to the DM server
                • Sequence: Specifies the order in which a group of commands must be processed
                • Status: Indicates the completion status (success or failure) of an operation

                  If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:
                • SyncBody
                • Atomic
                • Sequence

                  If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.

                  If Atomic elements are nested, the following status codes are returned:
                • The nested Atomic command returns 500.
                • The parent Atomic command returns 507.

                  For more information about the Atomic command, see OMA DM protocol common elements.
                  Performing an Add command followed by Replace on the same node within an Atomic element is not supported.

                  LocURI cannot start with `/`.

                  Meta XML tag in SyncHdr is ignored by the device.| +|OMA DM standard objects|DevInfo
                • DevDetail
                • OMA DM DMS account objects (OMA DM version 1.2)| +|Security|
                • Authenticate DM server initiation notification SMS message (not used by enterprise management)
                • Application layer Basic and MD5 client authentication
                • Authenticate server with MD5 credential at application level
                • Data integrity and authentication with HMAC at application level
                • SSL level certificate-based client/server authentication, encryption, and data integrity check| +|Nodes|In the OMA DM tree, the following rules apply for the node name:
                • "." can be part of the node name.
                • The node name cannot be empty.
                • The node name cannot be only the asterisk (*) character.| +|Provisioning Files|Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).

                  If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
                  **Note**
                  To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
                  | +|WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.| +|Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.| @@ -149,99 +39,26 @@ The following table shows the OMA DM standards that Windows uses. Common elements are used by other OMA DM element types. The following table lists the OMA DM common elements used to configure the devices. For more information about OMA DM common elements, see "SyncML Representation Protocol Device Management Usage" (OMA-SyncML-DMRepPro-V1_1_2-20030613-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  ElementDescription

                  Chal

                  Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.

                  Cmd

                  Specifies the name of an OMA DM command referenced in a Status element.

                  CmdID

                  Specifies the unique identifier for an OMA DM command.

                  CmdRef

                  Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.

                  Cred

                  Specifies the authentication credential for the originator of the message.

                  Final

                  Indicates that the current message is the last message in the package.

                  LocName

                  Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.

                  LocURI

                  Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.

                  MsgID

                  Specifies a unique identifier for an OMA DM session message.

                  MsgRef

                  Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.

                  RespURI

                  Specifies the URI that the recipient must use when sending a response to this message.

                  SessionID

                  Specifies the identifier of the OMA DM session associated with the containing message.

                  -
                  -Note If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes. -
                  -
                  - -

                  Source

                  Specifies the message source address.

                  SourceRef

                  Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.

                  Target

                  Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.

                  TargetRef

                  Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.

                  VerDTD

                  Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.

                  VerProto

                  Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.

                  - +|Element|Description| +|--- |--- | +|Chal|Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.| +|Cmd|Specifies the name of an OMA DM command referenced in a Status element.| +|CmdID|Specifies the unique identifier for an OMA DM command.| +|CmdRef|Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.| +|Cred|Specifies the authentication credential for the originator of the message.| +|Final|Indicates that the current message is the last message in the package.| +|LocName|Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.| +|LocURI|Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.| +|MsgID|Specifies a unique identifier for an OMA DM session message.| +|MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.| +|RespURI|Specifies the URI that the recipient must use when sending a response to this message.| +|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.
                  **Note**
                  If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes.
                  | +|Source|Specifies the message source address.| +|SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.| +|Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.| +|TargetRef|Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.| +|VerDTD|Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.| +|VerProto|Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.| ## Device management session @@ -255,56 +72,25 @@ A DM session can be divided into two phases: 1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table. 2. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase two ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table. -The following table shows the sequence of events during a typical DM session. +The following information shows the sequence of events during a typical DM session. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  StepActionDescription

                  1

                  DM client is invoked to call back to the management server

                  -

                  Enterprise scenario – The device task schedule invokes the DM client.

                  The MO server sends a server trigger message to invoke the DM client.

                  -

                  The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.

                  -

                  Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.

                  2

                  The device sends a message, over an IP connection, to initiate the session.

                  This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.

                  3

                  The DM server responds, over an IP connection (HTTPS).

                  The server sends initial device management commands, if any.

                  4

                  The device responds to server management commands.

                  This message includes the results of performing the specified device management operations.

                  5

                  The DM server terminates the session or sends another command.

                  The DM session ends, or Step 4 is repeated.

                  +1. DM client is invoked to call back to the management server

                  Enterprise scenario – The device task schedule invokes the DM client. + The MO server sends a server trigger message to invoke the DM client. + The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.

                  Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS. -The step numbers in the table do not represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each additional message. For more information about MsgID and OMA SyncML protocol, see "OMA Device Management Representation Protocol" (DM_RepPro-V1_2-20070209-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/). +2. The device sends a message, over an IP connection, to initiate the session. + + This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level. + +3. The DM server responds, over an IP connection (HTTPS). The server sends initial device management commands, if any. + +4. The device responds to server management commands. This message includes the results of performing the specified device management operations. + +5. The DM server terminates the session or sends another command. The DM session ends, or Step 4 is repeated. + +The step numbers don't represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see [OMA Device Management Representation Protocol (DM_RepPro-V1_2-20070209-A)](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/). During OMA DM application level mutual authentication, if the device response code to Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. 
In the case of the MD5 authentication, the Chal element can be returned. Then the next nonce in Chal must be used for the MD5 digest when the next DM session is started. @@ -319,24 +105,24 @@ For CSPs and policies that support per user configuration, the MDM server can se The data part of this alert could be one of following strings: -- user – the user that enrolled the device is actively logged in. The MDM server could send user specific configuration for CSPs/policies that support per user configuration -- others – another user login but that user does not have an MDM account. The server can only apply device wide configuration, e.g. configuration applies to all users in the device. -- none – no active user login. The server can only apply device wide configuration and available configuration is restricted to the device environment (no active user login). +- User – the user that enrolled the device is actively logged in. The MDM server could send user-specific configuration for CSPs/policies that support per user configuration +- Others – another user login but that user does not have an MDM account. The server can only apply device-wide configuration, for example, configuration applies to all users in the device. +- None – no active user login. The server can only apply device-wide configuration and available configuration is restricted to the device environment (no active user login). Below is an alert example: -``` +```xml - 1 - 1224 - - - com.microsoft/MDM/LoginStatus - chr - - user - - + 1 + 1224 + + + com.microsoft/MDM/LoginStatus + chr + + user + + ``` The server notifies the device whether it is a user targeted or device targeted configuration by a prefix to the management node’s LocURL, with ./user for user targeted configuration, or ./device for device targeted configuration. By default, if no prefix with ./device or ./user, it is device targeted configuration. 
@@ -351,37 +137,27 @@ The following LocURL shows a per device CSP node configuration: **./device/vendo When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you are likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification. -| Status code | Description | -|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 200 | The SyncML command completed successfully. | -| 202 | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application. | +| Status code | Description | +|---|----| +| 200 | The SyncML command completed successfully. | +| 202 | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application. | | 212 | Authentication accepted. Normally you'll only see this in response to the SyncHdr element (used for authentication in the OMA-DM standard). You may see this if you look at OMA DM logs, but CSPs do not typically generate this. | -| 214 | Operation cancelled. The SyncML command completed successfully, but no more commands will be processed within the session. | -| 215 | Not executed. A command was not executed as a result of user interaction to cancel the command. | -| 216 | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully. | -| 400 | Bad request. The requested command could not be performed because of malformed syntax. 
CSPs do not usually generate this error, however you might see it if your SyncML is malformed. | -| 401 | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs do not usually generate this error. | -| 403 | Forbidden. The requested command failed, but the recipient understood the requested command. | -| 404 | Not found. The requested target was not found. This code will be generated if you query a node that does not exist. | -| 405 | Command not allowed. This respond code will be generated if you try to write to a read-only node. | -| 406 | Optional feature not supported. This response code will be generated if you try to access a property that the CSP doesn't support. | -| 415 | Unsupported type or format. This response code can result from XML parsing or formatting errors. | -| 418 | Already exists. This response code occurs if you attempt to add a node that already exists. | -| 425 | Permission Denied. The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code. | +| 214 | Operation canceled. The SyncML command completed successfully, but no more commands will be processed within the session. | +| 215 | Not executed. A command was not executed as a result of user interaction to cancel the command. | +| 216 | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully. | +| 400 | Bad request. The requested command could not be performed because of malformed syntax. CSPs do not usually generate this error, however you might see it if your SyncML is malformed. | +| 401 | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs do not usually generate this error. | +| 403 | Forbidden. 
The requested command failed, but the recipient understood the requested command. | +| 404 | Not found. The requested target was not found. This code will be generated if you query a node that does not exist. | +| 405 | Command not allowed. This respond code will be generated if you try to write to a read-only node. | +| 406 | Optional feature not supported. This response code will be generated if you try to access a property that the CSP doesn't support. | +| 415 | Unsupported type or format. This response code can result from XML parsing or formatting errors. | +| 418 | Already exists. This response code occurs if you attempt to add a node that already exists. | +| 425 | Permission Denied. The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code. | | 500 | Command failed. Generic failure. The recipient encountered an unexpected condition which prevented it from fulfilling the request. This response code will occur when the SyncML DPU cannot map the originating error code. | -| 507 | `Atomic` failed. One of the operations in an `Atomic` block failed. | -| 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command was not rolled back successfully. | - - +| 507 | `Atomic` failed. One of the operations in an `Atomic` block failed. | +| 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command was not rolled back successfully. | ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 84ff8f5e34..028da43967 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md 
@@ -21,15 +21,68 @@ The PassportForWork configuration service provider is used to provision Windows   ### User configuration diagram -The following diagram shows the PassportForWork configuration service provider in tree format. +The following shows the PassportForWork configuration service provider in tree format. -![passportforwork csp.](images/provisioning-csp-passportforwork.png) +```console +./User/Vendor/MSFT +PassportForWork +-------TenantId +----------Policies +-------------UsePassportForWork +-------------RequireSecurityDevice +-------------EnablePinRecovery +-------------PINComplexity +----------------MinimumPINLength +----------------MaximumPINLength +----------------UppercaseLetters +----------------LowercaseLetters +----------------SpecialCharecters +----------------Digits +----------------History +----------------Expiration +``` ### Device configuration diagram -The following diagram shows the PassportForWork configuration service provider in tree format. +The following shows the PassportForWork configuration service provider in tree format. 
-![passportforwork diagram.](images/provisioning-csp-passportforwork2.png) +```console +./Device/Vendor/MSFT +PassportForWork +-------TenantId +----------Policies +-------------UsePassportForWork +-------------RequireSecurityDevice +-------------ExcludeSecurityDevices +----------------TPM12 +-------------EnablePinRecovery +-------------UserCertificateForOnPremAuth +-------------PINComplexity +----------------MinimumPINLength +----------------MaximumPINLength +----------------UppercaseLetters +----------------LowercaseLetters +----------------SpecialCharacters +----------------Digits +----------------History +----------------Expiration +-------------Remote +----------------UseRemotePassport +-------------UseHelloCertificatesAsSmartCardCertificates +-------UseBiometrics +-------Biometrics +----------UseBiometrics +----------FacialFeatureUse +-------DeviceUnlock +----------GroupA +----------GroupB +----------Plugins +-------DynamicLock +----------DynamicLock +----------Plugins +-------SecurityKey +----------UseSecurityKeyForSignin +``` **PassportForWork** Root node for PassportForWork configuration service provider. diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 2dbb97d08c..6256ffe15a 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md 
@@ -33,6 +33,10 @@ ms.date: 10/08/2020
 - [ADMX_AddRemovePrograms/NoServices](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noservices)
 - [ADMX_AddRemovePrograms/NoSupportInfo](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nosupportinfo)
 - [ADMX_AddRemovePrograms/NoWindowsSetupPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nowindowssetuppage)
+- [ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy](./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd_dontallowpwdexpirationbehindpolicy)
+- [ADMX_AdmPwd/POL_AdmPwd_Enabled](./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd_enabled)
+- [ADMX_AdmPwd/POL_AdmPwd_AdminName](./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd_adminname)
+- [ADMX_AdmPwd/POL_AdmPwd](./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd)
 - [ADMX_AppCompat/AppCompatPrevent16BitMach](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatprevent16bitmach)
 - [ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatremoveprogramcompatproppage)
 - [ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffapplicationimpacttelemetry)
@@ -167,6 +171,15 @@ ms.date: 10/08/2020
 - [ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration)
 - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1)
 - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2)
+- [ADMX_DiskNVCache/BootResumePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-bootresumepolicy)
+- [ADMX_DiskNVCache/FeatureOffPolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-featureoffpolicy)
+- [ADMX_DiskNVCache/SolidStatePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-solidstatepolicy)
+- [ADMX_DiskQuota/DQ_RemovableMedia](./policy-csp-admx-diskquota.md#admx-diskquota-dq_removablemedia)
+- [ADMX_DiskQuota/DQ_Enable](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enable)
+- [ADMX_DiskQuota/DQ_Enforce](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enforce)
+- [ADMX_DiskQuota/DQ_LogEventOverLimit](./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverlimit)
+- [ADMX_DiskQuota/DQ_LogEventOverThreshold](./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverthreshold)
+- [ADMX_DiskQuota/DQ_Limit](./policy-csp-admx-diskquota.md#admx-diskquota-dq_limit)
 - [ADMX_DistributedLinkTracking/DLT_AllowDomainMode](./policy-csp-admx-distributedlinktracking.md#admx-distributedlinktracking-dlt_allowdomainmode)
 - [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries)
 - [ADMX_DnsClient/DNS_AppendToMultiLabelName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-appendtomultilabelname)
@@ -404,6 +417,9 @@ ms.date: 10/08/2020
 - [ADMX_ICM/WinMSG_NoInstrumentation_1](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-1)
 - [ADMX_ICM/WinMSG_NoInstrumentation_2](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-2)
 - [ADMX_IIS/PreventIISInstall](./policy-csp-admx-iis.md#admx-iis-preventiisinstall)
+- [ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins](./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_restrictadditionallogins)
+- [ADMX_iSCSI/iSCSIGeneral_ChangeIQNName](./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_changeiqnname)
+- [ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret](./policy-csp-admx-iscsi.md#admx-iscsi-iscsisecurity_changechapsecret)
 - [ADMX_kdc/CbacAndArmor](./policy-csp-admx-kdc.md#admx-kdc-cbacandarmor)
 - [ADMX_kdc/ForestSearch](./policy-csp-admx-kdc.md#admx-kdc-forestsearch)
 - [ADMX_kdc/PKINITFreshness](./policy-csp-admx-kdc.md#admx-kdc-pkinitfreshness)
@@ -428,6 +444,7 @@ ms.date: 10/08/2020
 - [ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy](./policy-csp-admx-leakdiagnostic.md#admx-leakdiagnostic-wdiscenarioexecutionpolicy)
 - [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablelltdio)
 - [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablerspndr)
+- [ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1](./policy-csp-admx-locationprovideradm.md#admx-locationprovideradm-disablewindowslocationprovider_1)
 - [ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin](./policy-csp-admx-logon.md#admx-logon-blockuserfromshowingaccountdetailsonsignin)
 - [ADMX_Logon/DisableAcrylicBackgroundOnLogon](./policy-csp-admx-logon.md#admx-logon-disableacrylicbackgroundonlogon)
 - [ADMX_Logon/DisableExplorerRunLegacy_1](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunlegacy-1)
@@ -645,6 +662,10 @@ ms.date: 10/08/2020
 - [ADMX_MMCSnapins/MMC_WiredNetworkPolicy](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirednetworkpolicy)
 - [ADMX_MMCSnapins/MMC_WirelessMon](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessmon)
 - [ADMX_MMCSnapins/MMC_WirelessNetworkPolicy](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessnetworkpolicy)
+- [ADMX_MobilePCMobilityCenter/MobilityCenterEnable_1](./policy-csp-admx-mobilepcmobilitycenter.md#admx-mobilepcmobilitycenter-mobilitycenterenable_1)
+- [ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2](./policy-csp-admx-mobilepcmobilitycenter.md#admx-mobilepcmobilitycenter-mobilitycenterenable_2)
+- [ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_1](./policy-csp-admx-mobilepcpresentationsettings.md#admx-mobilepcpresentationsettings-presentationsettingsenable_1)
+- [ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2](./policy-csp-admx-mobilepcpresentationsettings.md#admx-mobilepcpresentationsettings-presentationsettingsenable_2)
 - [ADMX_MSAPolicy/IncludeMicrosoftAccount_DisableUserAuthCmdLine](./policy-csp-admx-msapolicy.md#admx-msapolicy-microsoftaccount-disableuserauth)
 - [ADMX_msched/ActivationBoundaryPolicy](./policy-csp-admx-msched.md#admx-msched-activationboundarypolicy)
 - [ADMX_msched/RandomDelayPolicy](./policy-csp-admx-msched.md#admx-msched-randomdelaypolicy)
@@ -675,6 +696,7 @@ ms.date: 10/08/2020
 - [ADMX_MSI/SafeForScripting](./policy-csp-admx-msi.md#admx-msi-safeforscripting)
 - [ADMX_MSI/SearchOrder](./policy-csp-admx-msi.md#admx-msi-searchorder)
 - [ADMX_MSI/TransformsSecure](./policy-csp-admx-msi.md#admx-msi-transformssecure)
+- [ADMX_MsiFileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-msifilerecovery.md#admx-msifilerecovery-wdiscenarioexecutionpolicy)
 - [ADMX_nca/CorporateResources](./policy-csp-admx-nca.md#admx-nca-corporateresources)
 - [ADMX_nca/CustomCommands](./policy-csp-admx-nca.md#admx-nca-customcommands)
 - [ADMX_nca/DTEs](./policy-csp-admx-nca.md#admx-nca-dtes)
@@ -798,6 +820,13 @@ ms.date: 10/08/2020
 - [ADMX_OfflineFiles/Pol_SyncOnCostedNetwork](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-synconcostednetwork)
 - [ADMX_OfflineFiles/Pol_WorkOfflineDisabled_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-workofflinedisabled-1)
 - [ADMX_OfflineFiles/Pol_WorkOfflineDisabled_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-workofflinedisabled-2)
+- [ADMX_pca/DetectDeprecatedCOMComponentFailuresPolicy](./policy-csp-admx-pca.md#admx-pca-detectdeprecatedcomcomponentfailurespolicy)
+- [ADMX_pca/DetectDeprecatedComponentFailuresPolicy](./policy-csp-admx-pca.md#admx-pca-detectdeprecatedcomponentfailurespolicy)
+- [ADMX_pca/DetectInstallFailuresPolicy](./policy-csp-admx-pca.md#admx-pca-detectinstallfailurespolicy)
+- [ADMX_pca/DetectUndetectedInstallersPolicy](./policy-csp-admx-pca.md#admx-pca-detectundetectedinstallerspolicy)
+- [ADMX_pca/DetectUpdateFailuresPolicy](./policy-csp-admx-pca.md#admx-pca-detectupdatefailurespolicy)
+- [ADMX_pca/DisablePcaUIPolicy](./policy-csp-admx-pca.md#admx-pca-disablepcauipolicy)
+- [ADMX_pca/DetectBlockedDriversPolicy](./policy-csp-admx-pca.md#admx-pca-detectblockeddriverspolicy)
 - [ADMX_PeerToPeerCaching/EnableWindowsBranchCache](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache)
 - [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Distributed](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-distributed)
 - [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Hosted](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-hosted)
@@ -807,6 +836,8 @@ ms.date: 10/08/2020
 - [ADMX_PeerToPeerCaching/SetCachePercent](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setcachepercent)
 - [ADMX_PeerToPeerCaching/SetDataCacheEntryMaxAge](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setdatacacheentrymaxage)
 - [ADMX_PeerToPeerCaching/SetDowngrading](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setdowngrading)
+- [ADMX_PenTraining/PenTrainingOff_1](./policy-csp-admx-pentraining.md#admx-pentraining-pentrainingoff_1)
+- [ADMX_PenTraining/PenTrainingOff_2](./policy-csp-admx-pentraining.md#admx-pentraining-pentrainingoff_2)
 - [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_1](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-1)
 - [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-2)
 - [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-3)
@@ -840,6 +871,14 @@ ms.date: 10/08/2020
 - [ADMX_PowerShellExecutionPolicy/EnableScripts](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablescripts)
 - [ADMX_PowerShellExecutionPolicy/EnableTranscripting](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enabletranscripting)
 - [ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enableupdatehelpdefaultsourcepath)
+- [ADMX_PreviousVersions/DisableLocalPage_1](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalpage_1)
+- [ADMX_PreviousVersions/DisableLocalPage_2](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalpage_2)
+- [ADMX_PreviousVersions/DisableRemotePage_1](./policy-csp-admx-previousversions.md#admx-previousversions-disableremotepage_1)
+- [ADMX_PreviousVersions/DisableRemotePage_2](./policy-csp-admx-previousversions.md#admx-previousversions-disableremotepage_2)
+- [ADMX_PreviousVersions/HideBackupEntries_1](./policy-csp-admx-previousversions.md#admx-previousversions-hidebackupentries_1)
+- [ADMX_PreviousVersions/HideBackupEntries_2](./policy-csp-admx-previousversions.md#admx-previousversions-hidebackupentries_2)
+- [ADMX_PreviousVersions/DisableLocalRestore_1](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalrestore_1)
+- [ADMX_PreviousVersions/DisableLocalRestore_2](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalrestore_2)
 - [ADMX_Printing/AllowWebPrinting](./policy-csp-admx-printing.md#admx-printing-allowwebprinting)
 - [ADMX_Printing/ApplicationDriverIsolation](./policy-csp-admx-printing.md#admx-printing-applicationdriverisolation)
 - [ADMX_Printing/CustomizedSupportUrl](./policy-csp-admx-printing.md#admx-printing-customizedsupporturl)
@@ -940,12 +979,17 @@ ms.date: 10/08/2020
 - [ADMX_sdiageng/BetterWhenConnected](./policy-csp-admx-sdiageng.md#admx-sdiageng-betterwhenconnected)
 - [ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticsexecutionpolicy)
 - [ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticssecuritypolicy)
+- [ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy](./policy-csp-admx-sdiagschd.md#admx-sdiagschd-scheduleddiagnosticsexecutionpolicy)
 - [ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain](/policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain)
 - [ADMX_Sensors/DisableLocationScripting_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-1)
 - [ADMX_Sensors/DisableLocationScripting_2](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-2)
 - [ADMX_Sensors/DisableLocation_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocation-1)
 - [ADMX_Sensors/DisableSensors_1](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-1)
 - [ADMX_Sensors/DisableSensors_2](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-2)
+- [ADMX_ServerManager/Do_not_display_Manage_Your_Server_page](./policy-csp-admx-servermanager.md#admx-servermanager-do_not_display_manage_your_server_page)
+- [ADMX_ServerManager/ServerManagerAutoRefreshRate](./policy-csp-admx-servermanager.md#admx-servermanager-servermanagerautorefreshrate)
+- [ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks](./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchinitialconfigurationtasks)
+- [ADMX_ServerManager/DoNotLaunchServerManager](./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchservermanager)
 - [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing)
 - [ADMX_SettingSync/DisableAppSyncSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableappsyncsettingsync)
 - [ADMX_SettingSync/DisableApplicationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableapplicationsettingsync)
@@ -959,11 +1003,10 @@ ms.date: 10/08/2020
 - [ADMX_SharedFolders/PublishDfsRoots](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishdfsroots)
 - [ADMX_SharedFolders/PublishSharedFolders](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishsharedfolders)
 - [ADMX_Sharing/NoInplaceSharing](./policy-csp-admx-sharing.md#admx-sharing-noinplacesharing)
-- [ADMX_ShellCommandPromptRegEditTools/DisableCMD](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disablecmd)
-- [ADMX_ShellCommandPromptRegEditTools/DisableRegedit](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disableregedit)
 - [ADMX_ShellCommandPromptRegEditTools/DisallowApps](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disallowapps)
-- [ADMX_ShellCommandPromptRegEditTools/RestrictApps](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disablecmd)
-- [ADMX_SkyDrive/PreventNetworkTrafficPreUserSignIn](./policy-csp-admx-skydrive.md#admx-skydrive-preventnetworktrafficpreusersignin)
+- [ADMX_ShellCommandPromptRegEditTools/DisableRegedit](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disableregedit)
+- [ADMX_ShellCommandPromptRegEditTools/DisableCMD](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disablecmd)
+- [ADMX_ShellCommandPromptRegEditTools/RestrictApps](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-restrictapps)
 - [ADMX_Smartcard/AllowCertificatesWithNoEKU](./policy-csp-admx-smartcard.md#admx-smartcard-allowcertificateswithnoeku)
 - [ADMX_Smartcard/AllowIntegratedUnblock](./policy-csp-admx-smartcard.md#admx-smartcard-allowintegratedunblock)
 - [ADMX_Smartcard/AllowSignatureOnlyKeys](./policy-csp-admx-smartcard.md#admx-smartcard-allowsignatureonlykeys)
@@ -1051,6 +1094,8 @@ ms.date: 10/08/2020
 - [ADMX_StartMenu/StartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-startmenulogoff)
 - [ADMX_StartMenu/StartPinAppsWhenInstalled](./policy-csp-admx-startmenu.md#admx-startmenu-startpinappswheninstalled)
 - [ADMX_SystemRestore/SR_DisableConfig](./policy-csp-admx-systemrestore.md#admx-systemrestore-sr-disableconfig)
+- [ADMX_TabletShell/DisableInkball_1](./policy-csp-admx-tabletshell.md#admx-tabletshell-disableinkball_1)
+- [ADMX_TabletShell/DisableNoteWriterPrinting_1](./policy-csp-admx-tabletshell.md#admx-tabletshell-disablenotewriterprinting_1)
 - [ADMX_Taskbar/DisableNotificationCenter](./policy-csp-admx-taskbar.md#admx-taskbar-disablenotificationcenter)
 - [ADMX_Taskbar/EnableLegacyBalloonNotifications](./policy-csp-admx-taskbar.md#admx-taskbar-enablelegacyballoonnotifications)
 - [ADMX_Taskbar/HideSCAHealth](./policy-csp-admx-taskbar.md#admx-taskbar-hidescahealth)
@@ -1086,9 +1131,15 @@ ms.date: 10/08/2020
 - [ADMX_tcpip/Teredo_Server_Name](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-server-name)
 - [ADMX_tcpip/Teredo_State](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-state)
 - [ADMX_tcpip/Windows_Scaling_Heuristics_State](./policy-csp-admx-tcpip.md#admx-tcpip-windows-scaling-heuristics-state)
+- [ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable)
+- [ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method)
 - [ADMX_Thumbnails/DisableThumbnails](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnails)
 - [ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnailsonnetworkfolders)
 - [ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbsdbonnetworkfolders)
+- [ADMX_TouchInput/TouchInputOff_1](./policy-csp-admx-touchinput.md#admx-touchinput-touchinputoff_1)
+- [ADMX_TouchInput/TouchInputOff_2](./policy-csp-admx-touchinput.md#admx-touchinput-touchinputoff_2)
+- [ADMX_TouchInput/PanningEverywhereOff_1](./policy-csp-admx-touchinput.md#admx-touchinput-panningeverywhereoff_1)
+- [ADMX_TouchInput/PanningEverywhereOff_2](./policy-csp-admx-touchinput.md#admx-touchinput-panningeverywhereoff_2)
 - [ADMX_TPM/BlockedCommandsList_Name](./policy-csp-admx-tpm.md#admx-tpm-blockedcommandslist-name)
 - [ADMX_TPM/ClearTPMIfNotReady_Name](./policy-csp-admx-tpm.md#admx-tpm-cleartpmifnotready-name)
 - [ADMX_TPM/IgnoreDefaultList_Name](./policy-csp-admx-tpm.md#admx-tpm-ignoredefaultlist-name)
@@ -1240,9 +1291,10 @@ ms.date: 10/08/2020
 - [ADMX_WCM/WCM_DisablePowerManagement](./policy-csp-admx-wcm.md#admx-wcm-wcm-disablepowermanagement)
 - [ADMX_WCM/WCM_EnableSoftDisconnect](./policy-csp-admx-wcm.md#admx-wcm-wcm-enablesoftdisconnect)
 - [ADMX_WCM/WCM_MinimizeConnections](./policy-csp-admx-wcm.md#admx-wcm-wcm-minimizeconnections)
+- [ADMX_WDI/WdiDpsScenarioExecutionPolicy](./policy-csp-admx-wdi.md#admx-wdi-wdidpsscenarioexecutionpolicy)
+- [ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy](./policy-csp-admx-wdi.md#admx-wdi-wdidpsscenariodatasizelimitpolicy)
 - [ADMX_WinCal/TurnOffWinCal_1](./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-1)
 - [ADMX_WinCal/TurnOffWinCal_2](./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-2)
-- [ADMX_WindowsAnytimeUpgrade/Disabled](./policy-csp-admx-windowsanytimeupgrade.md#admx-windowsanytimeupgrade-disabled)
 - [ADMX_WindowsConnectNow/WCN_DisableWcnUi_1](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-1)
 - [ADMX_WindowsConnectNow/WCN_DisableWcnUi_2](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-2)
 - [ADMX_WindowsConnectNow/WCN_EnableRegistrar](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-enableregistrar)
@@ -1317,10 +1369,6 @@ ms.date: 10/08/2020
 - [ADMX_WindowsExplorer/ShowSleepOption](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-showsleepoption)
 - [ADMX_WindowsExplorer/TryHarderPinnedLibrary](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedlibrary)
 - [ADMX_WindowsExplorer/TryHarderPinnedOpenSearch](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedopensearch)
-- [ADMX_WindowsFileProtection/WFPShowProgress](./policy-csp-admx-windowsfileprotection.md#admx-windowsfileprotection-wfpshowprogress)
-- [ADMX_WindowsFileProtection/WFPQuota](./policy-csp-admx-windowsfileprotection.md#admx-windowsfileprotection-wfpquota)
-- [ADMX_WindowsFileProtection/WFPScan](./policy-csp-admx-windowsfileprotection.md#admx-windowsfileprotection-wfpscan)
-- [ADMX_WindowsFileProtection/WFPDllCacheDir](./policy-csp-admx-windowsfileprotection.md#admx-windowsfileprotection-wfpdllcachedir)
 - [ADMX_WindowsMediaDRM/DisableOnline](./policy-csp-admx-windowsmediadrm.md#admx-windowsmediadrm-disableonline)
 - [ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configurehttpproxysettings)
 - [ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configuremmsproxysettings)
@@ -1363,6 +1411,10 @@ ms.date: 10/08/2020 - [ADMX_wlansvc/SetCost](./policy-csp-admx-wlansvc.md#admx-wlansvc-setcost) - [ADMX_wlansvc/SetPINEnforced](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinenforced) - [ADMX_wlansvc/SetPINPreferred](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinpreferred) +- [ADMX_WordWheel/CustomSearch](./policy-csp-admx-wordwheel.md#admx-wordwheel-customsearch) +- [ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker](./policy-csp-admx-workfoldersclient.md#admx-workfoldersclient-pol_userenabletokenbroker) +- [ADMX_WorkFoldersClient/Pol_UserEnableWorkFolders](./policy-csp-admx-workfoldersclient.md#admx-workfoldersclient-pol_userenableworkfolders) +- [ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders](./policy-csp-admx-workfoldersclient.md#admx-workfoldersclient-pol_machineenableworkfolders) - [ADMX_WPN/NoCallsDuringQuietHours](./policy-csp-admx-wpn.md#admx-wpn-nocallsduringquiethours) - [ADMX_WPN/NoLockScreenToastNotification](./policy-csp-admx-wpn.md#admx-wpn-nolockscreentoastnotification) - [ADMX_WPN/NoQuietHours](./policy-csp-admx-wpn.md#admx-wpn-noquiethours) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 507b737aa0..b312ee27f9 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 10/08/2020 +ms.date: 10/11/2021 --- # Policies in Policy CSP supported by HoloLens 2 
@@ -51,6 +51,7 @@ ms.date: 10/08/2020
 - [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
 - [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment)
 - [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) 9
+- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) 10
 - [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9
 - [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) 9
 - [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) 9
@@ -101,7 +102,13 @@ ms.date: 10/08/2020
 - [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) 9
 - [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
 - [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
+- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#update-autorestartnotificationschedule) 10
+- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#update-autorestartrequirednotificationdismissal) 10
 - [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel)
+- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) 10
+- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) 10
+- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) 10
+- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) 10
 - [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#update-deferfeatureupdatesperiodindays)
 - [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#update-deferqualityupdatesperiodindays)
 - [Update/ManagePreviewBuilds](policy-csp-update.md#update-managepreviewbuilds)
@@ -109,7 +116,10 @@ ms.date: 10/08/2020
 - [Update/PauseQualityUpdates](policy-csp-update.md#update-pausequalityupdates)
 - [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
 - [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
+- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#update-scheduleimminentrestartwarning) 10
+- [Update/ScheduleRestartWarning](policy-csp-update.md#update-schedulerestartwarning) 10
 - [Update/SetDisablePauseUXAccess](policy-csp-update.md#update-setdisablepauseuxaccess)
+- [Update/UpdateNotificationLevel](policy-csp-update.md#update-updatenotificationlevel) 10
 - [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl)
 - [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
 - [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) 8
@@ -125,6 +135,7 @@ Footnotes:
 - 7 - Available in Windows 10, version 1909.
 - 8 - Available in Windows 10, version 2004.
 - 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2)
+- 10 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2)
 ## Related topics
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index 13c000e4f5..57cbee7b16 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -29,7 +29,6 @@ ms.date: 07/22/2020
 - [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives)
 - [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#defender-allowfullscanremovabledrivescanning)
 - [Defender/AllowIOAVProtection](policy-csp-defender.md#defender-allowioavprotection)
-- [Defender/AllowIntrusionPreventionSystem](policy-csp-defender.md#defender-allowintrusionpreventionsystem)
 - [Defender/AllowOnAccessProtection](policy-csp-defender.md#defender-allowonaccessprotection)
 - [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#defender-allowrealtimemonitoring)
 - [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#defender-allowscanningnetworkfiles)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 49be680162..bbd3101f94 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -42,9 +42,25 @@ The Policy configuration service provider has the following sub-categories: > - **./Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy. > - **./Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result. -The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. +The following shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. -![policy csp diagram.](images/provisioning-csp-policy.png) +```console +./Vendor/MSFT +Policy +-------Config +----------AreaName +-------------PolicyName +-------Result +----------AreaName +-------------PolicyName +-------ConfigOperations +----------ADMXInstall +-------------AppName +----------------Policy +------------------UniqueID +----------------Preference +------------------UniqueID +``` **./Vendor/MSFT/Policy** @@ -213,6 +229,23 @@ The following diagram shows the Policy configuration service provider in tree fo +### ADMX_AdmPwd policies + +
                  +
                  + ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy +
                  +
                  + ADMX_AdmPwd/POL_AdmPwd_Enabled +
                  +
                  + ADMX_AdmPwd/POL_AdmPwd_AdminName +
                  +
                  + ADMX_AdmPwd/POL_AdmPwd +
                  +
                  + ### ADMX_AppCompat policies
                  @@ -747,6 +780,43 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
                  +### ADMX_DiskNVCache policies + +
                  +
                  + ADMX_DiskNVCache/BootResumePolicy +
                  +
                  + ADMX_DiskNVCache/FeatureOffPolicy +
                  +
                  + ADMX_DiskNVCache/SolidStatePolicy +
                  +
                  + +### ADMX_DiskQuota policies + +
                  +
                  + ADMX_DiskQuota/DQ_RemovableMedia +
                  +
                  + ADMX_DiskQuota/DQ_Enable +
                  +
                  + ADMX_DiskQuota/DQ_Enforce +
                  +
                  + ADMX_DiskQuota/DQ_LogEventOverLimit +
                  +
                  + ADMX_DiskQuota/DQ_LogEventOverThreshold +
                  +
                  + ADMX_DiskQuota/DQ_Limit +
                  +
                  + ### ADMX_DistributedLinkTracking policies
                  @@ -1578,6 +1648,26 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
                  +### ADMX_iSCSI policies + +
                  +
                  + ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins +
                  +
                  + ADMX_iSCSI/iSCSIGeneral_ChangeIQNName +
                  +
                  + ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret +
                  +
                  + ### ADMX_kdc policies
                  @@ -1676,6 +1766,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
                  +### ADMX_LocationProviderAdm policies + +
                  +
                  + ADMX_LocationProviderAdm/BlockUserFromShowingAccountDetailsOnSignin +
                  +
                  + ### ADMX_Logon policies
                  @@ -2346,6 +2444,26 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
                  +### ADMX_MobilePCMobilityCenter policies +
                  +
                  + ADMX_MobilePCMobilityCenter/MobilityCenterEnable_1 +
                  +
                  + ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2 +
                  +
                  + +### ADMX_MobilePCPresentationSettings policies +
                  +
                  + ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_1 +
                  +
                  + ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2 +
                  +
                  + ### ADMX_MSAPolicy policies
                  @@ -2455,6 +2573,13 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
                  +### ADMX_MsiFileRecovery policies +
                  +
                  + ADMX_MsiFileRecovery/WdiScenarioExecutionPolicy +
                  +
                  + ### ADMX_nca policies
                  @@ -2846,6 +2971,32 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
                  +### ADMX_pca policies + +
                  +
                  + ADMX_pca/DetectDeprecatedCOMComponentFailuresPolicy +
                  +
                  + ADMX_pca/DetectDeprecatedComponentFailuresPolicy +
                  +
                  + ADMX_pca/DetectInstallFailuresPolicy +
                  +
                  + ADMX_pca/DetectUndetectedInstallersPolicy +
                  +
                  + ADMX_pca/DetectUpdateFailuresPolicy +
                  +
                  + ADMX_pca/DisablePcaUIPolicy +
                  +
                  + ADMX_pca/DetectBlockedDriversPolicy +
                  +
                  + ### ADMX_PeerToPeerCaching policies
                  @@ -2878,6 +3029,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
                  +### ADMX_PenTraining policies + +
                  +
                  + ADMX_PenTraining/PenTrainingOff_1 +
                  +
                  + ADMX_PenTraining/PenTrainingOff_2 +
                  +
                  + ### ADMX_PerformanceDiagnostics policies
                  @@ -2992,6 +3154,35 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
                  +### ADMX_PreviousVersions policies + +
                  +
                  + ADMX_PreviousVersions/DisableLocalPage_1 +
                  +
                  + ADMX_PreviousVersions/DisableLocalPage_2 +
                  +
                  + ADMX_PreviousVersions/DisableRemotePage_1 +
                  +
                  + ADMX_PreviousVersions/DisableRemotePage_2 +
                  +
                  + ADMX_PreviousVersions/HideBackupEntries_1 +
                  +
                  + ADMX_PreviousVersions/HideBackupEntries_2 +
                  +
                  + ADMX_PreviousVersions/DisableLocalRestore_1 +
                  +
                  + ADMX_PreviousVersions/DisableLocalRestore_2 +
                  +
                  + ### ADMX_Printing policies
                  @@ -3321,6 +3512,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
                  +### ADMX_sdiagschd policies + +
                  +
                  + ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy +
                  +
                  + ### ADMX_sdiageng policies
                  @@ -3363,6 +3562,23 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
                  +### ADMX_ServerManager policies + +
                  +
                  + ADMX_ServerManager/Do_not_display_Manage_Your_Server_page +
                  +
                  + ADMX_ServerManager/ServerManagerAutoRefreshRate +
                  +
                  + ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks +
                  +
                  + ADMX_ServerManager/DoNotLaunchServerManager +
                  +
                  + ### ADMX_Servicing policies
                  @@ -3422,30 +3638,22 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
                  -## ADMX_ShellCommandPromptRegEditTools policies +### ADMX_ShellCommandPromptRegEditTools policies
                  - ADMX_ShellCommandPromptRegEditTools/DisableCMD + ADMX_ShellCommandPromptRegEditTools/DisallowApps
                  ADMX_ShellCommandPromptRegEditTools/DisableRegedit
                  - ADMX_ShellCommandPromptRegEditTools/DisallowApps + ADMX_ShellCommandPromptRegEditTools/DisableCMD
                  - ADMX_ShellCommandPromptRegEditTools/RestrictApps + ADMX_ShellCommandPromptRegEditTools/RestrictApps
                  -
                  - -### ADMX_SkyDrive policies -
                  -
                  - ADMX_SkyDrive/PreventNetworkTrafficPreUserSignIn -
                  -
                  ### ADMX_Smartcard policies @@ -3513,6 +3721,8 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC ADMX_Snmp/SNMP_Traps_Public
                  + +
                  ### ADMX_StartMenu policies @@ -3728,6 +3938,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
                  +### ADMX_TabletShell policies + +
                  +
                  + ADMX_TabletShell/DisableInkball_1 +
                  +
                  + ADMX_TabletShell/DisableNoteWriterPrinting_1 +
                  +
                  + ### ADMX_Taskbar policies
                  @@ -3843,6 +4064,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
                  +### ADMX_TerminalServer policies + +
                  +
                  + ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE +
                  +
                  + ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD +
                  +
                  + ### ADMX_Thumbnails policies
                  @@ -3857,6 +4089,23 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
                  +### ADMX_TouchInput policies + +
                  +
                  + ADMX_TouchInput/TouchInputOff_1 +
                  +
                  + ADMX_TouchInput/TouchInputOff_2 +
                  +
                  + ADMX_TouchInput/PanningEverywhereOff_1 +
                  +
                  + ADMX_TouchInput/PanningEverywhereOff_2 +
                  +
                  + ### ADMX_TPM policies
                  @@ -4335,6 +4584,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
                  +### ADMX_WDI Policies + +
                  +
                  + ADMX_WDI/WdiDpsScenarioExecutionPolicy +
                  +
                  + ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy +
                  +
                  + ### ADMX_WinCal policies
                  @@ -4346,14 +4606,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
                  -### ADMX_WindowsAnytimeUpgrade policies - -
                  -
                  - ADMX_WindowsAnytimeUpgrade/Disabled -
                  -
                  - ### ADMX_WindowsConnectNow policies
                  @@ -4753,6 +5005,28 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
                  +### ADMX_WordWheel policies + +
                  +
                  + ADMX_WordWheel/CustomSearch +
                  +
                  + +### ADMX_WorkFoldersClient policies + +
                  +
                  + ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker +
                  +
                  + ADMX_WorkFoldersClient/Pol_UserEnableWorkFolders +
                  +
                  + ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders +
                  +
                  + ### ADMX_WPN policies
                  @@ -5567,9 +5841,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
                  Defender/AllowIOAVProtection
                  -
                  - Defender/AllowIntrusionPreventionSystem -
                  Defender/AllowOnAccessProtection
                  @@ -6065,6 +6336,13 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
                  +### Feeds policies +
                  +
                  + Feeds/FeedsEnabled +
                  +
                  + ### FileExplorer policies
                  @@ -8624,23 +8902,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
                  -### ADMX_WindowsFileProtection policies - -
                  -
                  - ADMX_WindowsFileProtection/WFPShowProgress -
                  -
                  - ADMX_WindowsFileProtection/WFPQuota -
                  -
                  - ADMX_WindowsFileProtection/WFPScan -
                  -
                  - ADMX_WindowsFileProtection/WFPDllCacheDir -
                  -
                  - ### WindowsInkWorkspace policies
                  diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index 23c1bb8142..b1b74f16be 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -38,32 +38,13 @@ manager: dansimp **AboveLock/AllowCortanaAboveLock** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procheck mark1
                  Businesscheck mark1
                  Enterprisecheck mark1
                  Educationcheck mark1
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -83,7 +64,7 @@ Added in Windows 10, version 1607. Specifies whether or not the user can intera ADMX Info: -- GP English name: *Allow Cortana above lock screen* +- GP Friendly name: *Allow Cortana above lock screen* - GP name: *AllowCortanaAboveLock* - GP path: *Windows Components/Search* - GP ADMX file name: *Search.admx* @@ -104,32 +85,13 @@ The following list shows the supported values: **AboveLock/AllowToasts** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procheck mark
                  Businesscheck mark
                  Enterprisecheck mark
                  Educationcheck mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes, starting in Windows 10, version 1607|Yes| +|Enterprise|Yes, starting in Windows 10, version 1607|Yes| +|Education|Yes, starting in Windows 10, version 1607|Yes|
                  @@ -159,16 +121,5 @@ The following list shows the supported values:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 644ff6136e..795f89e92c 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -40,40 +40,15 @@ manager: dansimp **Accounts/AllowAddingNonMicrosoftAccountsManually** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procheck mark
                  Businesscheck mark
                  Enterprisecheck mark
                  Educationcheck mark
                  Mobilecheck mark
                  Mobile Enterprisecheck mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| +|Mobile|Yes|Yes| +|Mobile Enterprise|Yes|Yes|
                  @@ -111,40 +86,16 @@ The following list shows the supported values: **Accounts/AllowMicrosoftAccountConnection** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procheck mark
                  Businesscheck mark
                  Enterprisecheck mark
                  Educationcheck mark
                  Mobilecheck mark
                  Mobile Enterprisecheck mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| +|Mobile|Yes|Yes| +|Mobile Enterprise|Yes|Yes|
                  @@ -179,40 +130,16 @@ The following list shows the supported values: **Accounts/AllowMicrosoftAccountSignInAssistant** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procheck mark2
                  Businesscheck mark2
                  Enterprisecheck mark2
                  Educationcheck mark2
                  Mobilecheck mark2
                  Mobile Enterprisecheck mark2
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| +|Mobile|Yes|Yes| +|Mobile Enterprise|Yes|Yes|
                  @@ -246,15 +173,6 @@ The following list shows the supported values:
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 0ed2ddc357..60248d3ecc 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - ActiveXControls +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -34,32 +40,13 @@ manager: dansimp **ActiveXControls/ApprovedInstallationSites** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procheck mark
                  Businesscheck mark
                  Enterprisecheck mark
                  Educationcheck mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -83,12 +70,6 @@ If you disable or do not configure this policy setting, ActiveX controls prompt Note: Wild card characters cannot be used when specifying the host URLs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -101,16 +82,6 @@ ADMX Info:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index 67982daf0e..0b63ffc56d 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -13,8 +13,14 @@ manager: dansimp --- # Policy CSP - ADMX_ActiveXInstallService -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
                  @@ -34,32 +40,14 @@ manager: dansimp **ADMX_ActiveXInstallService/AxISURLZonePolicies** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| +
                  @@ -74,7 +62,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the installation of ActiveX controls for sites in Trusted zone. +This policy setting controls the installation of ActiveX controls for sites in Trusted zone. If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. @@ -86,12 +74,6 @@ If the trusted site uses the HTTPS protocol, this policy setting can also contro > This policy setting applies to all sites in Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -104,8 +86,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index 0c7c4b543b..de3506d5e5 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -14,8 +14,13 @@ manager: dansimp # Policy CSP - ADMX_AddRemovePrograms -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
                  @@ -65,32 +70,10 @@ manager: dansimp **ADMX_AddRemovePrograms/DefaultCategory** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No|
                  @@ -106,7 +89,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories. +The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories. To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation. @@ -116,12 +99,6 @@ If you disable this setting or do not configure it, all programs (Category: All) > This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setting is enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: 
@@ -148,32 +125,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoAddFromCDorFloppy** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business||| +|Enterprise|Yes|Yes| +|Education|||
                  @@ -189,7 +148,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. +This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting does not prevent users from using other tools and methods to add or remove program components. @@ -197,12 +156,6 @@ If you disable this setting or do not configure it, the "Add a program from CD-R > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: 
@@ -229,32 +182,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoAddFromInternet** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -270,7 +205,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. +This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. This setting does not prevent users from using other tools and methods to connect to Windows Update. @@ -278,12 +213,7 @@ If you disable this setting or do not configure it, "Add programs from Microsoft > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -310,32 +240,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoAddFromNetwork** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -351,7 +263,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. +This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu. 
@@ -361,12 +273,7 @@ If you disable this setting or do not configure it, "Add programs from your netw > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -392,32 +299,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoAddPage** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -433,17 +322,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. +This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. If you disable this setting or do not configure it, the Add New Programs button is available to all users. This setting does not prevent users from using other tools and methods to install programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -470,32 +354,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoAddRemovePrograms** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  
@@ -511,21 +377,16 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. +This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. If you disable this setting or do not configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting does not prevent users from using other tools and methods to install or uninstall programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ ADMX Info: -- GP English name: *Remove Add or Remove Programs* +- GP Friendly name: *Remove Add or Remove Programs* - GP name: *NoAddRemovePrograms* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -548,32 +409,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoChooseProgramsPage** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  
@@ -589,22 +432,17 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. +This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. This setting does not prevent users from using other tools and methods to change program access or defaults. This setting does not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. 
For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP English name: *Hide the Set Program Access and Defaults page* +- GP Friendly name: *Hide the Set Program Access and Defaults page* - GP name: *NoChooseProgramsPage* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -627,32 +465,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoRemovePage** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -668,21 +488,16 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. +This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. This setting does not prevent users from using other tools and methods to delete or uninstall programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP English name: *Hide Change or Remove Programs page* +- GP Friendly name: *Hide Change or Remove Programs page* - GP name: *NoRemovePage* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -705,32 +520,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoServices** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -746,7 +543,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. +This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting does not prevent users from using other methods to configure services. 
@@ -754,16 +551,11 @@ If you disable this setting or do not configure it, "Set up services" appears on > When "Set up services" does not appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP English name: *Go directly to Components Wizard* +- GP Friendly name: *Go directly to Components Wizard* - GP name: *NoServices* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -786,32 +578,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoSupportInfo** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -827,7 +601,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. +This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. If you disable this setting or do not configure it, the Support Info hyperlink appears. 
@@ -835,16 +609,10 @@ If you disable this setting or do not configure it, the Support Info hyperlink a > Not all programs provide a support information hyperlink. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: -- GP English name: *Remove Support Information* +- GP Friendly name: *Remove Support Information* - GP name: *NoSupportInfo* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -867,32 +635,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoWindowsSetupPage** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  
@@ -908,21 +658,16 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. +This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ ADMX Info: -- GP English name: *Hide Add/Remove Windows Components page* +- GP Friendly name: *Hide Add/Remove Windows Components page* - GP name: *NoWindowsSetupPage* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -939,8 +684,6 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-admpwd.md b/windows/client-management/mdm/policy-csp-admx-admpwd.md new file mode 100644 index 0000000000..dbb231d5c5 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-admpwd.md @@ -0,0 +1,227 @@ +--- +title: Policy CSP - ADMX_AdmPwd +description: Policy CSP - ADMX_AdmPwd +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_AdmPwd + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +
                  + + +## ADMX_AdmPwd policies + +
                  +
                  + ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy +
                  +
                  + ADMX_AdmPwd/POL_AdmPwd_Enabled +
                  +
                  + ADMX_AdmPwd/POL_AdmPwd_AdminName +
                  +
                  + ADMX_AdmPwd/POL_AdmPwd +
                  +
                  + + +
                  + + +**ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + + +When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. + +When you disable or not configure this setting, password expiration time may be longer than required by "Password Settings" policy. + + + +ADMX Info: +- GP Friendly name: *Do not allow password expiration time longer than required by policy* +- GP name: *POL_AdmPwd_DontAllowPwdExpirationBehindPolicy* +- GP path: *Windows Components\AdmPwd* +- GP ADMX file name: *AdmPwd.admx* + + + +
                  + + +**ADMX_AdmPwd/POL_AdmPwd_Enabled** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + + +This policy enables the management of password for local administrator account + +If you enable this setting, local administrator password is managed. + +If you disable or not configure this setting, local administrator password is NOT managed. + + + +ADMX Info: +- GP Friendly name: *Enable local admin password management* +- GP name: *POL_AdmPwd_Enabled* +- GP path: *Windows Components\AdmPwd* +- GP ADMX file name: *AdmPwd.admx* + + + + +
                  + + +**ADMX_AdmPwd/POL_AdmPwd_AdminName** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + + +When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. + +When you disable or not configure this setting, password expiration time may be longer than required by "Password Settings" policy. + + + + +ADMX Info: +- GP Friendly name: *Name of administrator account to manage* +- GP name: *POL_AdmPwd_AdminName* +- GP path: *Windows Components\AdmPwd* +- GP ADMX file name: *AdmPwd.admx* + + + + + +
                  + + +**ADMX_AdmPwd/POL_AdmPwd** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + + +This policy setting enables management of password for local administrator account + +If you enable this setting, local administrator password is managed + +If you disable or not configure this setting, local administrator password is NOT managed. + + + + + +ADMX Info: +- GP Friendly name: *Password Settings* +- GP name: *POL_AdmPwd* +- GP path: *Windows Components\AdmPwd* +- GP ADMX file name: *AdmPwd.admx* + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index e145a37e11..c25bbf261a 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_AppCompat -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -68,32 +72,14 @@ manager: dansimp **ADMX_AppCompat/AppCompatPrevent16BitMach** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -108,7 +94,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. +This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, **ntvdm.exe** must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased. @@ -122,12 +108,6 @@ If the status is set to Not Configured, the OS falls back on a local policy set > This setting appears only in Computer Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -145,32 +125,14 @@ ADMX Info: **ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -185,7 +147,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. +This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications. @@ -193,12 +155,6 @@ Enabling this policy setting removes the property page from the context-menus, b -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -216,32 +172,14 @@ ADMX Info: **ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -256,7 +194,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. The policy setting controls the state of the Application Telemetry engine in the system. +The policy setting controls the state of the Application Telemetry engine in the system. Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications. @@ -268,12 +206,6 @@ Disabling telemetry will take effect on any newly launched applications. To ensu -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -291,32 +223,14 @@ ADMX Info: **ADMX_AppCompat/AppCompatTurnOffSwitchBack** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -331,7 +245,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. The policy setting controls the state of the Switchback compatibility engine in the system. +The policy setting controls the state of the Switchback compatibility engine in the system. Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new applications. @@ -344,12 +258,6 @@ If you disable or do not configure this policy setting, the Switchback will be t Reboot the system after changing the setting to ensure that your system accurately reflects those changes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -367,32 +275,13 @@ ADMX Info: **ADMX_AppCompat/AppCompatTurnOffEngine** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -407,7 +296,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the application compatibility engine in the system. +This policy setting controls the state of the application compatibility engine in the system. The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a know problem. @@ -422,12 +311,6 @@ This option is useful to server administrators who require faster performance an -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -445,32 +328,14 @@ ADMX Info: **ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -485,16 +350,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. +This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -512,32 +371,14 @@ ADMX Info: **ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -552,7 +393,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. +This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. If you enable this policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues. 
@@ -563,12 +404,6 @@ If you disable or do not configure this policy setting, the PCA will be turned o -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -586,32 +421,14 @@ ADMX Info: **ADMX_AppCompat/AppCompatTurnOffUserActionRecord** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -626,7 +443,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of Steps Recorder. +This policy setting controls the state of Steps Recorder. Steps Recorder keeps a record of steps taken by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input, user interface data, and screenshots. Steps Recorder includes an option to turn on and off data collection. @@ -636,12 +453,6 @@ If you disable or do not configure this policy setting, Steps Recorder will be e -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -659,32 +470,14 @@ ADMX Info: **ADMX_AppCompat/AppCompatTurnOffProgramInventory** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -699,7 +492,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the Inventory Collector. +This policy setting controls the state of the Inventory Collector. The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems. @@ -712,12 +505,6 @@ If you disable or do not configure this policy setting, the Inventory Collector -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -729,8 +516,6 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md index f3aef0211f..b3a9d9197f 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md +++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md 
@@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_AppxPackageManager -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + + > [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -34,32 +39,14 @@ manager: dansimp **ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -74,7 +61,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. +This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. Special profiles are the following user profiles, where changes are discarded after the user signs off: @@ -88,12 +75,7 @@ If you enable this policy setting, Group Policy allows deployment operations (ad If you disable or do not configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -106,7 +88,5 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md index c30dafd023..7440cfbb70 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_AppXRuntime -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -43,32 +48,14 @@ manager: dansimp **ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -83,19 +70,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. +This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -112,32 +94,14 @@ ADMX Info: **ADMX_AppXRuntime/AppxRuntimeBlockFileElevation** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -153,19 +117,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. +This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can open files only in other Windows Store apps. If you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop app for a file type. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -182,32 +140,14 @@ ADMX Info: **ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -222,7 +162,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched. +This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched. If you enable this policy setting, Universal Windows apps which declare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected. @@ -232,12 +172,6 @@ If you disable or do not configure this policy setting, all Universal Windows ap > This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -254,32 +188,14 @@ ADMX Info: **ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -295,7 +211,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. +This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps. 
@@ -305,12 +221,6 @@ If you disable or do not configure this policy setting, Windows Store apps can o
 > Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk.
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 ADMX Info:
@@ -323,8 +233,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md index 7a82136079..60757b10f3 100644 --- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_AttachmentManager -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -46,32 +51,14 @@ manager: dansimp **ADMX_AttachmentManager/AM_EstimateFileHandlerRisk** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -86,7 +73,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments. +This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments. Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, trust notepad.exe, but don't trust .txt files. @@ -99,12 +86,6 @@ If you disable this policy setting, Windows uses its default trust logic, which If you do not configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -121,32 +102,14 @@ ADMX Info: **ADMX_AttachmentManager/AM_SetFileRiskLevel** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes
                  @@ -161,7 +124,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments. +This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments. High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. @@ -176,12 +139,6 @@ If you disable this policy setting, Windows sets the default risk level to moder If you do not configure this policy setting, Windows sets the default risk level to moderate. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -198,32 +155,14 @@ ADMX Info: **ADMX_AttachmentManager/AM_SetHighRiskInclusion** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -238,7 +177,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list).
+This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list).
 If you enable this policy setting, you can create a custom list of high-risk file types.
@@ -247,12 +186,6 @@ If you disable this policy setting, Windows uses its built-in list of file types If you do not configure this policy setting, Windows uses its built-in list of high-risk file types. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -269,32 +202,14 @@ ADMX Info: **ADMX_AttachmentManager/AM_SetLowRiskInclusion** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -309,7 +224,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list).
+This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list).
 If you enable this policy setting, you can specify file types that pose a low risk.
@@ -318,12 +233,6 @@ If you disable this policy setting, Windows uses its default trust logic.
 If you do not configure this policy setting, Windows uses its default trust logic.
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 ADMX Info:
@@ -340,32 +249,14 @@ ADMX Info: **ADMX_AttachmentManager/AM_SetModRiskInclusion** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -380,7 +271,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list).
+This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list).
 If you enable this policy setting, you can specify file types which pose a moderate risk.
@@ -389,12 +280,6 @@ If you disable this policy setting, Windows uses its default trust logic.
 If you do not configure this policy setting, Windows uses its default trust logic.
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 ADMX Info:
@@ -407,7 +292,5 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index 56d9939332..4ade562c8f 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -12,9 +12,14 @@ ms.reviewer: manager: dansimp --- -# Policy CSP - ADMX_AuditSettings -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +# Policy CSP - ADMX_AuditSettings. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -34,32 +39,14 @@ manager: dansimp **ADMX_AuditSettings/IncludeCmdLine** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -74,7 +61,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. +This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. @@ -86,12 +73,6 @@ Default is Not configured. > When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information, such as passwords or user data. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -104,8 +85,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index 9a5fd957e7..f14750b59c 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_Bits -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -73,32 +78,14 @@ manager: dansimp **ADMX_Bits/BITS_DisableBranchCache** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -113,7 +100,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default. +This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default. If you enable this policy setting, the BITS client does not use Windows Branch Cache. @@ -121,14 +108,8 @@ If you disable or do not configure this policy setting, the BITS client uses Win > [!NOTE] > This policy setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy setting does not apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely. - + -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -145,32 +126,14 @@ ADMX Info: **ADMX_Bits/BITS_DisablePeercachingClient** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -185,7 +148,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computer will act as a BITS peer caching client. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). +This policy setting specifies whether the computer will act as a BITS peer caching client. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). If you enable this policy setting, the computer will no longer use the BITS peer caching feature to download files; files will be downloaded only from the origin server. However, the computer will still make files available to its peers. @@ -195,12 +158,7 @@ If you disable or do not configure this policy setting, the computer attempts to > This policy setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -217,32 +175,14 @@ ADMX Info: **ADMX_Bits/BITS_DisablePeercachingServer** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -257,7 +197,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computer will act as a BITS peer caching server. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). +This policy setting specifies whether the computer will act as a BITS peer caching server. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). If you enable this policy setting, the computer will no longer cache downloaded files and offer them to its peers. However, the computer will still download files from peers. @@ -267,12 +207,7 @@ If you disable or do not configure this policy setting, the computer will offer > This setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -290,32 +225,14 @@ ADMX Info: **ADMX_Bits/BITS_EnablePeercaching** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -330,7 +247,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner. +This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner. If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other BITS peers. When transferring a download job, BITS first requests the files for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the origin server. @@ -339,12 +256,7 @@ If you enable this policy setting, BITS downloads files from peers, caches the f If you disable or do not configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -362,32 +274,14 @@ ADMX Info: **ADMX_Bits/BITS_MaxBandwidthServedForPeers** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -402,7 +296,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the origin server). +This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the origin server). To prevent any negative impact to a computer caused by serving other peers, by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100 Mbps network card and a 56 Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps. @@ -416,12 +310,6 @@ If you disable this policy setting or do not configure it, the default value of > This setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -438,32 +326,14 @@ ADMX Info: **ADMX_Bits/BITS_MaxBandwidthV2_Maintenance** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -478,7 +348,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used for background transfers. +This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used for background transfers. If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period. @@ -490,12 +360,6 @@ If you disable or do not configure this policy setting, the limits defined for w > The bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -513,32 +377,14 @@ ADMX Info: **ADMX_Bits/BITS_MaxBandwidthV2_Work** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -553,7 +399,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours.
+This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours.
 If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and non-work hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low.
@@ -562,12 +408,6 @@ You can specify a limit to use for background jobs during a work schedule. For e If you disable or do not configure this policy setting, BITS uses all available unused bandwidth for background job transfers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -585,32 +425,14 @@ ADMX Info: **ADMX_Bits/BITS_MaxCacheSize** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -625,7 +447,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache, as a percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache content reaches the specified cache size. By default, BITS will use 1 percent of the total system disk for the peercache. +This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache, as a percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache content reaches the specified cache size. By default, BITS will use 1 percent of the total system disk for the peercache. If you enable this policy setting, you can enter the percentage of disk space to be used for the BITS peer cache. You can enter a value between 1 percent and 80 percent. @@ -635,12 +457,6 @@ If you disable or do not configure this policy setting, the default size of the > This policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: 
@@ -657,32 +473,14 @@ ADMX Info: **ADMX_Bits/BITS_MaxContentAge** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -707,12 +505,6 @@ If you disable or do not configure this policy setting, files that have not been > This policy setting has no effect if the "Allow BITS Peercaching" policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -729,32 +521,14 @@ ADMX Info: **ADMX_Bits/BITS_MaxDownloadTime** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -769,7 +543,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files in a BITS job. +This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files in a BITS job. The time limit applies only to the time that BITS is actively downloading files. When the cumulative download time exceeds this limit, the job is placed in the error state. @@ -780,12 +554,7 @@ If you enable this policy setting, you can set the maximum job download time to If you disable or do not configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -802,32 +571,14 @@ ADMX Info: **ADMX_Bits/BITS_MaxFilesPerJob** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -842,7 +593,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain. +This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain. If you enable this policy setting, BITS will limit the maximum number of files a job can contain to the specified number. @@ -852,12 +603,7 @@ If you disable or do not configure this policy setting, BITS will use the defaul > BITS Jobs created by services and the local administrator account do not count toward this limit. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -874,32 +620,14 @@ ADMX Info: **ADMX_Bits/BITS_MaxJobsPerMachine** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -914,7 +642,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default, BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or lower the maximum number of user BITS jobs. +This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default, BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or lower the maximum number of user BITS jobs. If you enable this policy setting, BITS will limit the maximum number of BITS jobs to the specified number. @@ -924,12 +652,7 @@ If you disable or do not configure this policy setting, BITS will use the defaul > BITS jobs created by services and the local administrator account do not count toward this limit. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -946,32 +669,14 @@ ADMX Info: **ADMX_Bits/BITS_MaxJobsPerUser** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -986,7 +691,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS jobs a user can create. +This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS jobs a user can create. If you enable this policy setting, BITS will limit the maximum number of BITS jobs a user can create to the specified number. @@ -996,12 +701,7 @@ If you disable or do not configure this policy setting, BITS will use the defaul > This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account do not count toward this limit. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -1018,32 +718,14 @@ ADMX Info: **ADMX_Bits/BITS_MaxRangesPerFile** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1058,7 +740,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, files in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file. +This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, files in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file. If you enable this policy setting, BITS will limit the maximum number of ranges that can be added to a file to the specified number. @@ -1068,12 +750,7 @@ If you disable or do not configure this policy setting, BITS will limit ranges t > BITS Jobs created by services and the local administrator account do not count toward this limit. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1086,8 +763,6 @@ ADMX Info:
-> [!NOTE]
-> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
index 44e91fe2e9..1aafb0d27a 100644
--- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
+++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
@@ -14,8 +14,12 @@ manager: dansimp
 # Policy CSP - ADMX_CipherSuiteOrder
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -38,32 +42,14 @@ manager: dansimp **ADMX_CipherSuiteOrder/SSLCipherSuiteOrder** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -78,7 +64,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the cipher suites used by the Secure Socket Layer (SSL). +This policy setting determines the cipher suites used by the Secure Socket Layer (SSL). If you enable this policy setting, SSL cipher suites are prioritized in the order specified. @@ -87,12 +73,7 @@ If you disable or do not configure this policy setting, default cipher suite ord For information about supported cipher suites, see [Cipher Suites in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/cipher-suites-in-schannel). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -111,32 +92,14 @@ ADMX Info: **ADMX_CipherSuiteOrder/SSLCurveOrder** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -151,7 +114,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. +This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. If you enable this policy setting, ECC curves are prioritized in the order specified. Enter one curve name per line. @@ -170,12 +133,6 @@ CertUtil.exe -DisplayEccCurve ``` -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -188,7 +145,5 @@ ADMX Info:
-> [!NOTE]
-> These policies are currently only available as part of a Windows Insider release.
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md
index 13d4fabf45..6ddb16921c 100644
--- a/windows/client-management/mdm/policy-csp-admx-com.md
+++ b/windows/client-management/mdm/policy-csp-admx-com.md
@@ -14,8 +14,12 @@ manager: dansimp
 # Policy CSP - ADMX_COM
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -38,32 +42,14 @@ manager: dansimp **ADMX_COM/AppMgmt_COM_SearchForCLSID_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -78,7 +64,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. +This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. @@ -89,12 +75,7 @@ If you disable or do not configure this policy setting, the program continues wi This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -113,32 +94,14 @@ ADMX Info: **ADMX_COM/AppMgmt_COM_SearchForCLSID_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -153,7 +116,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. +This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. @@ -164,12 +127,6 @@ If you disable or do not configure this policy setting, the program continues wi This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -182,7 +139,5 @@ ADMX Info:
-> [!NOTE]
-> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md
index 9dec30ad01..fd6ce7faed 100644
--- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md
+++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md
@@ -13,8 +13,13 @@ manager: dansimp
 ---
 # Policy CSP - ADMX_ControlPanel
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -43,32 +48,14 @@ manager: dansimp **ADMX_ControlPanel/DisallowCpls** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -83,7 +70,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. +This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen. 
@@ -98,12 +85,7 @@ If both the "Hide specified Control Panel items" setting and the "Show only spec > The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. Note: To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -120,32 +102,14 @@ ADMX Info: **ADMX_ControlPanel/ForceClassicControlPanel** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -160,7 +124,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default Control Panel view, whether by category or icons. +This policy setting controls the default Control Panel view, whether by category or icons. If this policy setting is enabled, the Control Panel opens to the icon view. @@ -172,12 +136,7 @@ If this policy setting is not configured, the Control Panel opens to the view us > Icon size is dependent upon what the user has set it to in the previous session. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -194,32 +153,14 @@ ADMX Info: **ADMX_ControlPanel/NoControlPanel** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -253,12 +194,7 @@ This setting removes PC settings from: If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a setting prevents the action. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -275,32 +211,14 @@ ADMX Info: **ADMX_ControlPanel/RestrictCpls** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -315,7 +233,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings.
+This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings.
 To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization.
@@ -330,12 +248,6 @@ If both the "Hide specified Control Panel items" setting and the "Show only spec > To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -348,7 +260,4 @@ ADMX Info:
-> [!NOTE]
-> These policies are currently only available as part of a Windows Insider release.
-
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
index f1f3907cbe..8005489dba 100644
--- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
+++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
@@ -13,8 +13,13 @@ manager: dansimp
 ---
 # Policy CSP - ADMX_ControlPanelDisplay
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -103,32 +108,14 @@ manager: dansimp **ADMX_ControlPanelDisplay/CPL_Display_Disable** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -143,19 +130,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Disables the Display Control Panel. +Disables the Display Control Panel. If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action. Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -172,32 +154,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Display_HideSettings** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -212,17 +176,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Settings tab from Display in Control Panel. +Removes the Settings tab from Display in Control Panel. This setting prevents users from using Control Panel to add, configure, or change the display settings on the computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -239,32 +198,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -279,7 +220,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting forces the theme color scheme to be the default color scheme. +This setting forces the theme color scheme to be the default color scheme. If you enable this setting, a user cannot change the color scheme of the current desktop theme. @@ -288,12 +229,6 @@ If you disable or do not configure this setting, a user may change the color sch For Windows 7 and later, use the "Prevent changing color and appearance" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -310,32 +245,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -350,7 +267,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting disables the theme gallery in the Personalization Control Panel. +This setting disables the theme gallery in the Personalization Control Panel. If you enable this setting, users cannot change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off). @@ -360,12 +277,6 @@ If you disable or do not configure this setting, there is no effect. > If you enable this setting but do not specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -382,32 +293,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -422,19 +315,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. +Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. When enabled on Windows XP, this setting disables the "Windows and buttons" drop-down list on the Appearance tab in Display Properties. When enabled on Windows XP and later systems, this setting prevents users and applications from changing the visual style through the command line. Also, a user may not apply a different visual style when changing themes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -451,32 +338,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -491,7 +360,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enables desktop screen savers. +Enables desktop screen savers. If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot change the screen saver options. @@ -502,12 +371,6 @@ If you enable it, a screen saver runs, provided the following two conditions hol Also, see the "Prevent changing Screen Saver" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -524,32 +387,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -564,7 +409,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens. +This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens. This setting lets you specify the default lock screen and logon image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image). @@ -575,12 +420,7 @@ This can be used in conjunction with the "Prevent changing lock screen and logon Note: This setting only applies to Enterprise, Education, and Server SKUs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -597,32 +437,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -637,19 +459,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the size of the font in the windows and buttons displayed on their screens. +Prevents users from changing the size of the font in the windows and buttons displayed on their screens. If this setting is enabled, the "Font size" drop-down list on the Appearance tab in Display Properties is disabled. If you disable or do not configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -666,32 +482,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -706,19 +504,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the background image shown when the machine is locked or when on the logon screen. +Prevents users from changing the background image shown when the machine is locked or when on the logon screen. By default, users can change the background image shown when the machine is locked or displaying the logon screen. If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -735,32 +527,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -775,7 +549,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the look of their start menu background, such as its color or accent. +Prevents users from changing the look of their start menu background, such as its color or accent. By default, users can change the look of their start menu background, such as its color or accent. @@ -786,12 +560,6 @@ If the "Force a specific background and accent color" policy is also set on a su If the "Force a specific Start background" policy is also set on a supported version of Windows, then that background takes precedence over this policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -808,32 +576,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -848,7 +598,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available. +Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available. This setting prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows. @@ -857,12 +607,6 @@ If this setting is disabled or not configured, the Color (or Window Color) page For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the in Display in Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -879,32 +623,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -919,7 +645,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from adding or changing the background design of the desktop. +Prevents users from adding or changing the background design of the desktop. By default, users can use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop. @@ -932,12 +658,6 @@ Note: You must also enable the "Desktop Wallpaper" setting to prevent users from Also, see the "Allow only bitmapped wallpaper" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -954,32 +674,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -994,7 +696,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the desktop icons. +Prevents users from changing the desktop icons. By default, users can use the Desktop Icon Settings dialog in the Personalization or Display Control Panel to show, hide, or change the desktop icons. @@ -1003,12 +705,6 @@ If you enable this setting, none of the desktop icons can be changed by the user For systems prior to Windows Vista, this setting also hides the Desktop tab in the Display Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1025,32 +721,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1072,12 +750,6 @@ If you enable this policy setting, users that are not required to press CTRL + A If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1094,32 +766,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1141,12 +795,6 @@ By default, users can use the Pointers tab in the Mouse Control Panel to add, re If you enable this setting, none of the mouse pointer scheme settings can be changed by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1163,32 +811,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1203,17 +833,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. +Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a screen saver from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1230,32 +854,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1270,19 +876,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the sound scheme. +Prevents users from changing the sound scheme. By default, users can use the Sounds tab in the Sound Control Panel to add, remove, or change the system Sound Scheme. If you enable this setting, none of the Sound Scheme settings can be changed by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1299,32 +899,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1339,19 +921,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. +Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. By default, users can change the background and accent colors. If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1368,32 +944,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1408,7 +966,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether screen savers used on the computer are password protected. +Determines whether screen savers used on the computer are password protected. If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver. @@ -1422,12 +980,6 @@ To ensure that a computer will be password protected, enable the "Enable Screen > To remove the Screen Saver dialog, use the "Prevent changing Screen Saver" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1444,32 +996,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1484,7 +1018,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies how much user idle time must elapse before the screen saver is launched. +Specifies how much user idle time must elapse before the screen saver is launched. When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started. @@ -1501,12 +1035,6 @@ This setting has no effect under any of the following circumstances: When not configured, whatever wait time is set on the client through the Screen Saver dialog in the Personalization or Display Control Panel is used. The default is 15 minutes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1523,32 +1051,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1563,7 +1073,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the screen saver for the user's desktop. +Specifies the screen saver for the user's desktop. If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers in the Screen Saver dialog in the Personalization or Display Control Panel, which prevents users from changing the screen saver. @@ -1577,12 +1087,6 @@ If the specified screen saver is not installed on a computer to which this setti > This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers do not run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1599,32 +1103,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1646,12 +1132,6 @@ If you enable this setting, the theme that you specify will be applied when a ne If you disable or do not configure this setting, the default theme will be applied at the first logon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1668,32 +1148,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1708,7 +1170,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting allows you to force a specific visual style file by entering the path (location) of the visual style file. +This setting allows you to force a specific visual style file by entering the path (location) of the visual style file. This can be a local computer visual style (aero.msstyles), or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles). @@ -1724,12 +1186,6 @@ If you disable or do not configure this setting, the users can select the visual > To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you cannot apply the Windows Classic visual style. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1746,32 +1202,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1786,19 +1224,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. +Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. If this setting is set to zero or not configured, then Start uses the default background, and users can change it. If this setting is set to a nonzero value, then Start uses the specified background, and users cannot change it. If the specified background is not supported, the default background is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1811,7 +1243,5 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md index 6ad7cad008..4e1d864337 100644 --- a/windows/client-management/mdm/policy-csp-admx-cpls.md +++ b/windows/client-management/mdm/policy-csp-admx-cpls.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_Cpls -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -34,32 +39,14 @@ manager: dansimp **ADMX_Cpls/UseDefaultTile** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -74,7 +61,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. +This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. > [!NOTE] > The default account picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg. The default guest picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg. If the default pictures do not exist, an empty frame is displayed. @@ -84,12 +71,7 @@ If you enable this policy setting, the default user account picture will display If you disable or do not configure this policy setting, users will be able to customize their account pictures. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -102,8 +84,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md index b7ed4ab54a..e7951df443 100644 --- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_CredentialProviders -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -40,32 +45,15 @@ manager: dansimp **ADMX_CredentialProviders/AllowDomainDelayLock** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -80,7 +68,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether a user can change the time before a password is required when a Connected Standby device screen turns off. +This policy setting allows you to control whether a user can change the time before a password is required when a Connected Standby device screen turns off. If you enable this policy setting, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. 
@@ -91,12 +79,7 @@ If you don't configure this policy setting on a domain-joined device, a user can If you don't configure this policy setting on a workgroup device, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -113,32 +96,14 @@ ADMX Info: **ADMX_CredentialProviders/DefaultCredentialProvider** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -153,7 +118,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to assign a specified credential provider as the default credential provider. +This policy setting allows the administrator to assign a specified credential provider as the default credential provider. If you enable this policy setting, the specified credential provider is selected on other user tile. @@ -163,12 +128,6 @@ If you disable or do not configure this policy setting, the system picks the def > A list of registered credential providers and their GUIDs can be found in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -186,32 +145,14 @@ ADMX Info: **ADMX_CredentialProviders/ExcludedCredentialProviders** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -226,7 +167,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to exclude the specified credential providers from use during authentication. +This policy setting allows the administrator to exclude the specified credential providers from use during authentication. > [!NOTE] > Credential providers are used to process and validate user credentials during logon or when authentication is required. Windows Vista provides two default credential providers: Password and Smart Card. An administrator can install additional credential providers for different sets of credentials (for example, to support biometric authentication). @@ -236,12 +177,6 @@ If you enable this policy, an administrator can specify the CLSIDs of the creden If you disable or do not configure this policy, all installed and otherwise enabled credential providers are available for authentication purposes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -254,9 +189,5 @@ ADMX Info:
                  -> [!NOTE]
-> These policies are for upcoming release.
-
-
-These policies are currently only available as part of a Windows Insider release.
\ No newline at end of file
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md
index 04bbf46ba4..cb4c42d7af 100644
--- a/windows/client-management/mdm/policy-csp-admx-credssp.md
+++ b/windows/client-management/mdm/policy-csp-admx-credssp.md
@@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_CredSsp
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -64,32 +69,14 @@ manager: dansimp **ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -104,7 +91,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. @@ -122,12 +109,7 @@ If you disable or do not configure (by default) this policy setting, delegation > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -144,32 +126,14 @@ ADMX Info: **ADMX_CredSsp/AllowDefaultCredentials** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -184,7 +148,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos. @@ -207,12 +171,6 @@ https://go.microsoft.com/fwlink/?LinkId=301508 > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -229,32 +187,14 @@ ADMX Info: **ADMX_CredSsp/AllowEncryptionOracle** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -269,7 +209,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability. @@ -287,12 +227,6 @@ If you enable this policy setting, CredSSP version support will be selected base For more information about the vulnerability and servicing requirements for protection, see https://go.microsoft.com/fwlink/?linkid=866660 -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -309,32 +243,14 @@ ADMX Info: **ADMX_CredSsp/AllowFreshCredentials** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -349,7 +265,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. @@ -369,12 +285,6 @@ If you disable this policy setting, delegation of fresh credentials is not permi > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -391,32 +301,14 @@ ADMX Info: **ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -431,7 +323,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. @@ -451,12 +343,6 @@ If you disable this policy setting, delegation of fresh credentials is not permi > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -473,32 +359,14 @@ ADMX Info: **ADMX_CredSsp/AllowSavedCredentials** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -513,7 +381,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. @@ -533,12 +401,6 @@ If you disable this policy setting, delegation of saved credentials is not permi > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -555,32 +417,14 @@ ADMX Info: **ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -595,7 +439,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. @@ -615,12 +459,6 @@ If you disable this policy setting, delegation of saved credentials is not permi > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -637,32 +475,14 @@ ADMX Info: **ADMX_CredSsp/DenyDefaultCredentials** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -677,7 +497,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows). @@ -695,12 +515,6 @@ If you disable or do not configure (by default) this policy setting, this policy This policy setting can be used in combination with the "Allow delegating default credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating default credentials" server list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -717,32 +531,14 @@ ADMX Info: **ADMX_CredSsp/DenyFreshCredentials** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -757,7 +553,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application). @@ -775,12 +571,6 @@ If you disable or do not configure (by default) this policy setting, this policy This policy setting can be used in combination with the "Allow delegating fresh credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating fresh credentials" server list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -797,32 +587,14 @@ ADMX Info: **ADMX_CredSsp/DenySavedCredentials** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -837,7 +609,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). @@ -855,12 +627,6 @@ If you disable or do not configure (by default) this policy setting, this policy This policy setting can be used in combination with the "Allow delegating saved credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating saved credentials" server list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -877,32 +643,14 @@ ADMX Info: **ADMX_CredSsp/RestrictedRemoteAdministration** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -917,7 +665,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device. +When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device. Participating apps: Remote Desktop Client @@ -936,12 +684,6 @@ If you disable or do not configure this policy setting, Restricted Admin and Rem > On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions do not support Remote Credential Guard. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -954,8 +696,6 @@ ADMX Info:
                  -> [!NOTE]
-> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md
index acb7942b92..31ef959ed4 100644
--- a/windows/client-management/mdm/policy-csp-admx-credui.md
+++ b/windows/client-management/mdm/policy-csp-admx-credui.md
@@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_CredUI
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -37,32 +42,14 @@ manager: dansimp **ADMX_CredUI/EnableSecureCredentialPrompting** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -77,7 +64,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials. +This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials. > [!NOTE] > This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled. @@ -87,12 +74,6 @@ If you enable this policy setting, users will be required to enter Windows crede If you disable or do not configure this policy setting, users will enter Windows credentials within the user’s desktop session, potentially allowing malicious code access to the user’s Windows credentials. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -109,32 +90,14 @@ ADMX Info: **ADMX_CredUI/NoLocalPasswordResetQuestions** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -152,12 +115,7 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. If you turn this policy setting on, local users won’t be able to set up and use security questions to reset their passwords. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -168,10 +126,6 @@ ADMX Info: -
                  - -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - +< diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md index b42e1e9ad0..ba59b9dd2d 100644 --- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md +++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_CtrlAltDel -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -43,32 +48,14 @@ manager: dansimp **ADMX_CtrlAltDel/DisableChangePassword** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -83,19 +70,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their Windows password on demand. +This policy setting prevents users from changing their Windows password on demand. If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del. However, users are still able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -113,32 +95,14 @@ ADMX Info: **ADMX_CtrlAltDel/DisableLockComputer** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -153,7 +117,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from locking the system. +This policy setting prevents users from locking the system. While locked, the desktop is hidden and the system cannot be used. Only the user who locked the system or the system administrator can unlock it. @@ -165,12 +129,6 @@ If you disable or do not configure this policy setting, users will be able to lo > To lock a computer without configuring a setting, press Ctrl+Alt+Delete, and then click Lock this computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -186,32 +144,14 @@ ADMX Info: **ADMX_CtrlAltDel/DisableTaskMgr** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -226,7 +166,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from starting Task Manager. +This policy setting prevents users from starting Task Manager. Task Manager (**taskmgr.exe**) lets users start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. @@ -235,12 +175,6 @@ If you enable this policy setting, users will not be able to access Task Manager If you disable or do not configure this policy setting, users can access Task Manager to start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -257,32 +191,14 @@ ADMX Info: **ADMX_CtrlAltDel/NoLogoff** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -297,7 +213,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting disables or removes all menu items and buttons that log the user off the system. +This policy setting disables or removes all menu items and buttons that log the user off the system. If you enable this policy setting, users will not see the Log off menu item when they press Ctrl+Alt+Del. This will prevent them from logging off unless they restart or shutdown the computer, or clicking Log off from the Start menu. @@ -306,12 +222,6 @@ Also, see the 'Remove Logoff on the Start Menu' policy setting. If you disable or do not configure this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -324,8 +234,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md index c2de3fdc86..823a56b05b 100644 --- a/windows/client-management/mdm/policy-csp-admx-datacollection.md +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_DataCollection -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
                  ## ADMX_DataCollection policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
                  ADMX_DataCollection/CommercialIdPolicy @@ -34,32 +39,14 @@ manager: dansimp **ADMX_DataCollection/CommercialIdPolicy** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -74,19 +61,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the identifier used to uniquely associate this device’s telemetry data as belonging to a given organization. +This policy setting defines the identifier used to uniquely associate this device’s telemetry data as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its telemetry data with your organization. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: diff --git a/windows/client-management/mdm/policy-csp-admx-dcom.md b/windows/client-management/mdm/policy-csp-admx-dcom.md index a7729ee3a4..4efe29532e 100644 --- a/windows/client-management/mdm/policy-csp-admx-dcom.md +++ b/windows/client-management/mdm/policy-csp-admx-dcom.md 
@@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DCOM -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -37,37 +42,14 @@ manager: dansimp **ADMX_DCOM/DCOMActivationSecurityCheckAllowLocalList** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -93,12 +75,6 @@ If you do not configure this policy setting, DCOM will only look in the locally > This policy setting applies to all sites in Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -115,37 +91,14 @@ ADMX Info: **ADMX_DCOM/DCOMActivationSecurityCheckExemptionList** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -160,7 +113,7 @@ ADMX Info: -This policy setting allows you to view and change a list of DCOM server application IDs (appids), which are exempted from the DCOM Activation security check. +This policy setting allows you to view and change a list of DCOM server application IDs (app ids), which are exempted from the DCOM Activation security check. DCOM uses two such lists, one configured via Group Policy through this policy setting, and the other via the actions of local computer administrators. DCOM ignores the second list when this policy setting is configured, unless the "Allow local activation security check exemptions" policy is enabled. DCOM server application IDs added to this policy must be listed in curly brace format. 
@@ -169,15 +122,15 @@ For example, `{b5dcb061-cefb-42e0-a1be-e6a6438133fe}`. If you enter a non-existent or improperly formatted application ID DCOM will add it to the list without checking for errors. - If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings. -If you add an application ID to this list and set its value to 1, DCOM will not enforce the Activation security check for that DCOM server. -If you add an application ID to this list and set its value to 0 DCOM will always enforce the Activation security check for that DCOM server regardless of local +If you add an application ID to this list and set its value to one, DCOM will not enforce the Activation security check for that DCOM server. +If you add an application ID to this list and set its value to zero DCOM will always enforce the Activation security check for that DCOM server regardless of local settings. - If you disable this policy setting, the application ID exemption list defined by Group Policy is deleted, and the one defined by local computer administrators is used. If you do not configure this policy setting, the application ID exemption list defined by local computer administrators is used. Notes: The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process. This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults. If the DCOM server's custom launch permission contains explicit DENY entries this may mean that object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead. 
-The proper action in this situation is to reconfigure the DCOM server's custom launch permission settings for correct security settings, but this policy setting may be used in the short-term as an application compatibility deployment aid. +The proper action in this situation is to reconfigure the DCOM server's custom launch permission settings for correct security settings, but this policy setting may be used in the short term as an application compatibility deployment aid. DCOM servers added to this exemption list are only exempted if their custom launch permissions do not contain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or deny entries for any users or groups. > [!NOTE] @@ -187,12 +140,6 @@ DCOM servers added to this exemption list are only exempted if their custom laun > This policy setting applies to all sites in Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -205,8 +152,5 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md index 4baa5a5da4..77a47cb92e 100644 --- a/windows/client-management/mdm/policy-csp-admx-desktop.md +++ b/windows/client-management/mdm/policy-csp-admx-desktop.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_Desktop -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -118,32 +123,14 @@ manager: dansimp **ADMX_Desktop/AD_EnableFilter** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -158,7 +145,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results. +Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results. If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it. @@ -167,12 +154,7 @@ If you disable this setting or do not configure it, the filter bar does not appe To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar does not appear above the resulting display, on the View menu, click Filter. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -189,32 +171,14 @@ ADMX Info: **ADMX_Desktop/AD_HideDirectoryFolder** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -229,7 +193,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Hides the Active Directory folder in Network Locations. +Hides the Active Directory folder in Network Locations. The Active Directory folder displays Active Directory objects in a browse window. @@ -240,12 +204,7 @@ If you disable this setting or do not configure it, the Active Directory folder This setting is designed to let users search Active Directory but not tempt them to casually browse Active Directory. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -262,32 +221,14 @@ ADMX Info: **ADMX_Desktop/AD_QueryLimit** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -302,7 +243,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. +Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. If you enable this setting, you can use the "Number of objects returned" box to limit returns from an Active Directory search. @@ -311,12 +252,7 @@ If you disable this setting or do not configure it, the system displays up to 10 This setting is designed to protect the network and the domain controller from the effect of expansive searches. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -333,32 +269,14 @@ ADMX Info: **ADMX_Desktop/ForceActiveDesktopOn** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -373,7 +291,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enables Active Desktop and prevents users from disabling it. +Enables Active Desktop and prevents users from disabling it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. @@ -383,12 +301,6 @@ If you disable this setting or do not configure it, Active Desktop is disabled b > If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -405,32 +317,14 @@ ADMX Info: **ADMX_Desktop/NoActiveDesktop** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -445,7 +339,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Disables Active Desktop and prevents users from enabling it. +Disables Active Desktop and prevents users from enabling it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. @@ -455,12 +349,7 @@ If you disable this setting or do not configure it, Active Desktop is disabled b > If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -477,32 +366,14 @@ ADMX Info: **ADMX_Desktop/NoActiveDesktopChanges** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -517,17 +388,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration. +Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration. This is a comprehensive setting that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users cannot enable or disable Active Desktop. If Active Desktop is already enabled, users cannot add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -544,32 +409,14 @@ ADMX Info: **ADMX_Desktop/NoDesktop** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -584,19 +431,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. +Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. Removing icons and shortcuts does not prevent the user from using another method to start the programs or opening the items they represent. Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -613,32 +455,14 @@ ADMX Info: **ADMX_Desktop/NoDesktopCleanupWizard** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -653,7 +477,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from using the Desktop Cleanup Wizard. +Prevents users from using the Desktop Cleanup Wizard. If you enable this setting, the Desktop Cleanup wizard does not automatically run on a users workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard. @@ -663,12 +487,7 @@ If you disable this setting or do not configure it, the default behavior of the > When this setting is not enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -685,32 +504,14 @@ ADMX Info: **ADMX_Desktop/NoInternetIcon** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -725,17 +526,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar. +Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar. This setting does not prevent the user from starting Internet Explorer by using other methods. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -752,32 +548,14 @@ ADMX Info: **ADMX_Desktop/NoMyComputerIcon** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -792,7 +570,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view of all Explorer windows, and it hides Computer in the Explorer folder tree pane. If the user navigates into Computer via the "Up" button while this setting is enabled, they view an empty Computer folder. This setting allows administrators to restrict their users from seeing Computer in the shell namespace, allowing them to present their users with a simpler desktop environment. +This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view of all Explorer windows, and it hides Computer in the Explorer folder tree pane. If the user navigates into Computer via the "Up" button while this setting is enabled, they view an empty Computer folder. This setting allows administrators to restrict their users from seeing Computer in the shell namespace, allowing them to present their users with a simpler desktop environment. If you enable this setting, Computer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to Computer, the folder will be empty. 
@@ -804,12 +582,7 @@ If you do not configure this setting, the default is to display Computer as usua > In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents does not hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -826,32 +599,14 @@ ADMX Info: **ADMX_Desktop/NoMyDocumentsIcon** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -866,7 +621,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes most occurrences of the My Documents icon. +Removes most occurrences of the My Documents icon. This setting removes the My Documents icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. @@ -878,12 +633,6 @@ This setting does not remove the My Documents icon from the Start menu. To do so > To make changes to this setting effective, you must log off from and log back on to Windows 2000 Professional. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -900,32 +649,14 @@ ADMX Info: **ADMX_Desktop/NoNetHood** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -940,7 +671,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Network Locations icon from the desktop. +Removes the Network Locations icon from the desktop. This setting only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network. @@ -948,12 +679,7 @@ This setting only affects the desktop icon. It does not prevent users from conne > In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Network Places icon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -970,32 +696,14 @@ ADMX Info: **ADMX_Desktop/NoPropertiesMyComputer** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1010,19 +718,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting hides Properties on the context menu for Computer. +This setting hides Properties on the context menu for Computer. If you enable this setting, the Properties option will not be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected. If you disable or do not configure this setting, the Properties option is displayed as usual. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1039,32 +742,14 @@ ADMX Info: **ADMX_Desktop/NoPropertiesMyDocuments** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1079,7 +764,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon. +This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon. If you enable this policy setting, the Properties menu command will not be displayed when the user does any of the following: @@ -1090,12 +775,7 @@ If you enable this policy setting, the Properties menu command will not be displ If you disable or do not configure this policy setting, the Properties menu command is displayed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1112,32 +792,14 @@ ADMX Info: **ADMX_Desktop/NoRecentDocsNetHood** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1152,19 +814,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Remote shared folders are not added to Network Locations whenever you open a document in the shared folder. +Remote shared folders are not added to Network Locations whenever you open a document in the shared folder. If you disable this setting or do not configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations. If you enable this setting, shared folders are not added to Network Locations automatically when you open a document in the shared folder. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1181,32 +838,14 @@ ADMX Info: **ADMX_Desktop/NoRecycleBinIcon** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1221,7 +860,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes most occurrences of the Recycle Bin icon. +Removes most occurrences of the Recycle Bin icon. This setting removes the Recycle Bin icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. @@ -1231,12 +870,6 @@ This setting does not prevent the user from using other methods to gain access t > To make changes to this setting effective, you must log off and then log back on. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1253,32 +886,14 @@ ADMX Info: **ADMX_Desktop/NoRecycleBinProperties** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1293,19 +908,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Properties option from the Recycle Bin context menu. +Removes the Properties option from the Recycle Bin context menu. If you enable this setting, the Properties option will not be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected. If you disable or do not configure this setting, the Properties option is displayed as usual. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1322,32 +932,14 @@ ADMX Info: **ADMX_Desktop/NoSaveSettings** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1362,17 +954,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from saving certain changes to the desktop. +Prevents users from saving certain changes to the desktop. If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1389,32 +976,14 @@ ADMX Info: **ADMX_Desktop/NoWindowMinimizingShortcuts** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1429,19 +998,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. +Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. If you enable this policy, application windows will not be minimized or restored when the active window is shaken back and forth with the mouse. If you disable or do not configure this policy, this window minimizing and restoring gesture will apply. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1458,32 +1021,14 @@ ADMX Info: **ADMX_Desktop/Wallpaper** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1498,7 +1043,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the desktop background ("wallpaper") displayed on all users' desktops. +Specifies the desktop background ("wallpaper") displayed on all users' desktops. This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp) or JPEG (*.jpg) file. @@ -1512,12 +1057,6 @@ Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Pr > This setting does not apply to remote desktop server sessions. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1534,32 +1073,14 @@ ADMX Info: **ADMX_Desktop/sz_ATC_DisableAdd** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1574,19 +1095,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from adding Web content to their Active Desktop. +Prevents users from adding Web content to their Active Desktop. This setting removes the "New" button from Web tab in Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. This setting does not remove existing Web content from their Active Desktop, or prevent users from removing existing Web content. Also, see the "Disable all items" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1603,32 +1118,14 @@ ADMX Info: **ADMX_Desktop/sz_ATC_DisableClose** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1643,7 +1140,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from removing Web content from their Active Desktop. +Prevents users from removing Web content from their Active Desktop. In Active Desktop, you can add items to the desktop but close them so they are not displayed. @@ -1653,12 +1150,7 @@ If you enable this setting, items added to the desktop cannot be closed; they al > This setting does not prevent users from deleting items from their Active Desktop. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1675,32 +1167,14 @@ ADMX Info: **ADMX_Desktop/sz_ATC_DisableDel** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1715,7 +1189,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from deleting Web content from their Active Desktop. +Prevents users from deleting Web content from their Active Desktop. This setting removes the Delete button from the Web tab in Display in Control Panel. As a result, users can temporarily remove, but not delete, Web content from their Active Desktop. @@ -1724,12 +1198,7 @@ This setting does not prevent users from adding Web content to their Active Desk Also, see the "Prohibit closing items" and "Disable all items" settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1746,32 +1215,14 @@ ADMX Info: **ADMX_Desktop/sz_ATC_DisableEdit** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1786,17 +1237,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the properties of Web content items on their Active Desktop. +Prevents users from changing the properties of Web content items on their Active Desktop. This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users cannot change the properties of an item, such as its synchronization schedule, password, or display characteristics. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1813,32 +1259,14 @@ ADMX Info: **ADMX_Desktop/sz_ATC_NoComponents** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1853,7 +1281,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes Active Desktop content and prevents users from adding Active Desktop content. +Removes Active Desktop content and prevents users from adding Active Desktop content. This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. @@ -1861,12 +1289,7 @@ This setting removes all Active Desktop items from the desktop. It also removes > This setting does not disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1883,32 +1306,14 @@ ADMX Info: **ADMX_Desktop/sz_AdminComponents_Title** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1923,7 +1328,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Adds and deletes specified Web content items. +Adds and deletes specified Web content items. You can use the "Add" box in this setting to add particular Web-based items or shortcuts to users' desktops. Users can close or delete the items (if settings allow), but the items are added again each time the setting is refreshed. @@ -1936,12 +1341,7 @@ You can also use this setting to delete particular Web-based items from users' d > For this setting to take affect, you must log off and log on to the system. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1958,32 +1358,14 @@ ADMX Info: **ADMX_Desktop/sz_DB_DragDropClose** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1998,7 +1380,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from manipulating desktop toolbars. +Prevents users from manipulating desktop toolbars. If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars. @@ -2011,12 +1393,7 @@ If you enable this setting, users cannot add or remove toolbars from the desktop Also, see the "Prohibit adjusting desktop toolbars" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2033,32 +1410,14 @@ ADMX Info: **ADMX_Desktop/sz_DB_Moving** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2073,7 +1432,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars. +Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars. This setting does not prevent users from adding or removing toolbars on the desktop. @@ -2083,12 +1442,7 @@ This setting does not prevent users from adding or removing toolbars on the desk Also, see the "Prevent adding, dragging, dropping and closing the Taskbar's toolbars" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2105,32 +1459,14 @@ ADMX Info: **ADMX_Desktop/sz_DWP_NoHTMLPaper** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2145,17 +1481,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper". +Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper". Also, see the "Desktop Wallpaper" and the "Prevent changing wallpaper" (in User Configuration\Administrative Templates\Control Panel\Display) settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2168,7 +1499,5 @@ ADMX Info:
-> [!NOTE]
-> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-devicecompat.md b/windows/client-management/mdm/policy-csp-admx-devicecompat.md
index f53dd522fc..b1ccc54155 100644
--- a/windows/client-management/mdm/policy-csp-admx-devicecompat.md
+++ b/windows/client-management/mdm/policy-csp-admx-devicecompat.md
@@ -13,8 +13,12 @@ manager: dansimp
 ---
 # Policy CSP - ADMX_DeviceCompat
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -37,37 +41,14 @@ manager: dansimp **ADMX_DeviceCompat/DeviceFlags** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -85,12 +66,6 @@ manager: dansimp Changes behavior of Microsoft bus drivers to work with specific devices. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -107,37 +82,14 @@ ADMX Info: **ADMX_DeviceCompat/DriverShims** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -155,12 +107,6 @@ ADMX Info:
 Changes behavior of third-party drivers to work around incompatibilities introduced between OS versions.
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 ADMX Info:
diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md
index 079455128a..4740213341 100644
--- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md
@@ -13,8 +13,13 @@ manager: dansimp
 ---
 # Policy CSP - ADMX_DeviceGuard
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -34,39 +39,14 @@ manager: dansimp **ADMX_DeviceGuard/ConfigCIPolicy** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -95,12 +75,6 @@ If using a signed and protected policy then disabling this policy setting doesn'
 2. Disable the setting and then remove the policy from each computer, with a physically present user.
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 ADMX Info:
@@ -112,8 +86,6 @@ ADMX Info:
-> [!NOTE]
-> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md
index 470b11eb3f..ff64f14635 100644
--- a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md
@@ -13,8 +13,13 @@ manager: dansimp
 ---
 # Policy CSP - ADMX_DeviceInstallation
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -55,32 +60,14 @@ manager: dansimp **ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -95,19 +82,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. +This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -124,32 +106,14 @@ ADMX Info: **ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -164,19 +128,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation. +This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation. If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation. If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -193,32 +152,14 @@ ADMX Info: **ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -233,19 +174,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation. +This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation. If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation. If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -262,32 +198,14 @@ ADMX Info: **ADMX_DeviceInstallation/DeviceInstall_InstallTimeout** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -302,19 +220,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. +This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation. If you disable or do not configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -331,32 +244,14 @@ ADMX Info: **ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -371,7 +266,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. +This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot. @@ -380,12 +275,7 @@ If you disable or do not configure this policy setting, the system does not forc Note: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -402,32 +292,14 @@ ADMX Info: **ADMX_DeviceInstallation/DeviceInstall_Removable_Deny** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  
@@ -442,18 +314,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device. +This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
-> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -470,32 +337,14 @@ ADMX Info: **ADMX_DeviceInstallation/DeviceInstall_SystemRestore** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -510,19 +359,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. +This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. If you enable this policy setting, Windows does not create a system restore point when one would normally be created. If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -539,32 +383,14 @@ ADMX Info: **ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -579,7 +405,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system. +This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system. If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store. @@ -587,12 +413,7 @@ If you disable or do not configure this policy setting, only members of the Admi -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -605,6 +426,4 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md index 8816d46b2e..512dd58e38 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicesetup.md +++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DeviceSetup -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -37,32 +42,14 @@ manager: dansimp **ADMX_DeviceSetup/DeviceInstall_BalloonTips** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -77,19 +64,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off "Found New Hardware" balloons during device installation. +This policy setting allows you to turn off "Found New Hardware" balloons during device installation. If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed. If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -106,32 +88,14 @@ ADMX Info: **ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -146,7 +110,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the order in which Windows searches source locations for device drivers. +This policy setting allows you to specify the order in which Windows searches source locations for device drivers. If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all. @@ -155,12 +119,6 @@ Note that searching always implies that Windows will attempt to search Windows U If you disable or do not configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -173,7 +131,5 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-dfs.md b/windows/client-management/mdm/policy-csp-admx-dfs.md index fc3cdf1b1d..49774e691d 100644 --- a/windows/client-management/mdm/policy-csp-admx-dfs.md +++ b/windows/client-management/mdm/policy-csp-admx-dfs.md @@ -13,10 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DFS -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -35,38 +38,14 @@ manager: dansimp **ADMX_DFS/DFSDiscoverDC** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -93,12 +72,6 @@ This value is specified in minutes. > The minimum value you can select is 15 minutes. If you try to set this setting to a value less than 15 minutes, the default value of 15 minutes is applied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -111,8 +84,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md index b41032d0f8..4c11d25bbd 100644 --- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md +++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DigitalLocker -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -37,32 +42,14 @@ manager: dansimp **ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -77,7 +64,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Digital Locker can run. +This policy setting specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. @@ -86,12 +73,7 @@ If you enable this setting, Digital Locker will not run. If you disable or do not configure this setting, Digital Locker can be run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -108,32 +90,14 @@ ADMX Info: **ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -148,7 +112,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Digital Locker can run. +This policy setting specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. @@ -157,12 +121,7 @@ If you enable this setting, Digital Locker will not run. If you disable or do not configure this setting, Digital Locker can be run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -175,8 +134,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md index eecf8264d6..312e6550d5 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DiskDiagnostic -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -37,37 +42,14 @@ manager: dansimp **ADMX_DiskDiagnostic/DfdAlertPolicy** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -96,12 +78,6 @@ The DPS can be configured with the Services snap-in to the Microsoft Management > For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -119,37 +95,14 @@ ADMX Info: **ADMX_DiskDiagnostic/WdiScenarioExecutionPolicy** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -179,12 +132,6 @@ This policy setting takes effect only when the DPS is in the running state. When > For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -197,8 +144,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are for upcoming release. diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md new file mode 100644 index 0000000000..9870b6aebc --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md @@ -0,0 +1,194 @@ +--- +title: Policy CSP - ADMX_DiskNVCache +description: Policy CSP - ADMX_DiskNVCache +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 08/12/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DiskNVCache + + +
+
+
+## ADMX_DiskNVCache policies
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
                  +
                  + ADMX_DiskNVCache/BootResumePolicy +
                  +
                  + ADMX_DiskNVCache/FeatureOffPolicy +
                  +
                  + ADMX_DiskNVCache/SolidStatePolicy +
                  +
                  + + +
+
+
+**ADMX_DiskNVCache/BootResumePolicy**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting turns off the boot and resume optimizations for the hybrid hard disks in the system.
+
+If you enable this policy setting, the system does not use the non-volatile (NV) cache to optimize boot and resume.
+
+If you disable this policy setting, the system uses the NV cache to achieve faster boot and resume.
+The system determines the data that will be stored in the NV cache to optimize boot and resume.
+
+The required data is stored in the NV cache during shutdown and hibernate, respectively. This might cause a slight increase in the time taken for shutdown and hibernate. If you do not configure this policy setting, the default behavior is observed and the NV cache is used for boot and resume optimizations.
+
+This policy setting is applicable only if the NV cache feature is on.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Turn off boot and resume optimizations*
+- GP name: *BootResumePolicy*
+- GP path: *System\Disk NV Cache*
+- GP ADMX file name: *DiskNVCache.admx*
+
+
+
+
+
+**ADMX_DiskNVCache/FeatureOffPolicy**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the system.
+
+To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks spun down while satisfying reads and writes from the cache.
+
+If you enable this policy setting, the system will not manage the NV cache and will not enable NV cache power saving mode.
+
+If you disable this policy setting, the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriately configured.
+
+This policy setting will take effect on next boot. If you do not configure this policy setting, the default behavior is to turn on support for the NV cache.
+
+
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Turn off non-volatile cache feature*
+- GP name: *FeatureOffPolicy*
+- GP path: *System\Disk NV Cache*
+- GP ADMX file name: *DiskNVCache.admx*
+
+
+
+
+
+
+
+**ADMX_DiskNVCache/SolidStatePolicy**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting turns off the solid state mode for the hybrid hard disks.
+
+If you enable this policy setting, frequently written files such as the file system metadata and registry may not be stored in the NV cache.
+
+If you disable this policy setting, the system will store frequently written data into the non-volatile (NV) cache. This allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power.
+
+This can cause increased wear of the NV cache. If you do not configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. Note: This policy setting is applicable only if the NV cache feature is on.
+
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Turn off solid state mode*
+- GP name: *SolidStatePolicy*
+- GP path: *System\Disk NV Cache*
+- GP ADMX file name: *DiskNVCache.admx*
+
+
+
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md
new file mode 100644
index 0000000000..1d103968db
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md
@@ -0,0 +1,356 @@
+---
+title: Policy CSP - ADMX_DiskQuota
+description: Policy CSP - ADMX_DiskQuota
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/12/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_DiskQuota
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+## ADMX_DiskQuota policies
+
+
+
                  +
                  + ADMX_DiskQuota/DQ_RemovableMedia +
                  +
                  + ADMX_DiskQuota/DQ_Enable +
                  +
                  + ADMX_DiskQuota/DQ_Enforce +
                  +
                  + ADMX_DiskQuota/DQ_LogEventOverLimit +
                  +
                  + ADMX_DiskQuota/DQ_LogEventOverThreshold +
                  +
                  + ADMX_DiskQuota/DQ_Limit +
                  +
                  + + +
                  + + +**ADMX_DiskQuota/DQ_RemovableMedia** + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting extends the disk quota policies in this folder to NTFS file system volumes on the removable media. + +If you disable or do not configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only. + +When this policy setting is applied, the computer will apply the disk quota to both fixed and removable media. + + + + +ADMX Info: +- GP Friendly name: *Apply policy to removable media* +- GP name: *DQ_RemovableMedia* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
                  + + +**ADMX_DiskQuota/DQ_Enable** + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting turns on and turns off disk quota management on all NTFS volumes of the computer, and prevents users from changing the setting. + +If you enable this policy setting, disk quota management is turned on, and users cannot turn it off. + +If you disable the policy setting, disk quota management is turned off, and users cannot turn it on. When this policy setting is not configured then the disk quota management is turned off by default, and the administrators can turn it on. + +To prevent users from changing the setting while a setting is in effect, the system disables the "Enable quota management" option on the Quota tab of NTFS volumes. + +This policy setting turns on disk quota management but does not establish or enforce a particular disk quota limit. + +To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit. + +To turn on or turn off disk quota management without specifying a setting, in My Computer, right-click the name of an NTFS volume, click Properties, click the Quota tab, and then click "Enable quota management." + + + + +ADMX Info: +- GP Friendly name: *Enable disk quotas* +- GP name: *DQ_Enable* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
                  + + + +**ADMX_DiskQuota/DQ_Enforce** + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting determines whether disk quota limits are enforced and prevents users from changing the setting. + +If you enable this policy setting, disk quota limits are enforced. + +If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceed quota limit" option on the Quota tab. Therefore, the administrators cannot make changes while the setting is in effect. + +If you do not configure this policy setting, the disk quota limit is not enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes. However, the users can continue to write to the volume as long as physical space is available. + +This policy setting overrides user settings that enable or disable quota enforcement on their volumes. + +To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit. + + + + +ADMX Info: +- GP Friendly name: *Enforce disk quota limit* +- GP name: *DQ_Enforce* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
                  + + + +**ADMX_DiskQuota/DQ_LogEventOverLimit** + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting determines whether the system records an event in the local Application log when users reach their disk quota limit on a volume, and prevents users from changing the logging setting. + +If you enable this policy setting, the system records an event when the user reaches their limit. + +If you disable this policy setting, no event is recorded. Also, when you enable or disable this policy setting, the system disables the "Log event when a user exceeds their quota limit" option on the Quota tab, so administrators cannot change the setting while a setting is in effect. If you do not configure this policy setting, no events are recorded, but administrators can use the Quota tab option to change the setting. + +This policy setting is independent of the enforcement policy settings for disk quotas. As a result, you can direct the system to log an event, regardless of whether or not you choose to enforce the disk quota limit. Also, this policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their limit, because their status in the Quota Entries window changes. + +To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. + + + + + +ADMX Info: +- GP Friendly name: *Log event when quota limit is exceeded* +- GP name: *DQ_LogEventOverLimit* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + +
                  + + + +**ADMX_DiskQuota/DQ_LogEventOverThreshold** + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting determines whether the system records an event in the Application log when users reach their disk quota warning level on a volume. + +If you enable this policy setting, the system records an event. + +If you disable this policy setting, no event is recorded. When you enable or disable this policy setting, the system disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators cannot change logging while a policy setting is in effect. + +If you do not configure this policy setting, no event is recorded, but administrators can use the Quota tab option to change the logging setting. This policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their warning level because their status in the Quota Entries window changes. + +To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. + + + + +ADMX Info: +- GP Friendly name: *Log event when quota warning level is exceeded* +- GP name: *DQ_LogEventOverThreshold* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
                  + + + +**ADMX_DiskQuota/DQ_Limit** + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting specifies the default disk quota limit and warning level for new users of the volume. +This policy setting determines how much disk space can be used by each user on each of the NTFS file system volumes on a computer. It also specifies the warning level, the point at which the user's status in the Quota Entries window changes to indicate that the user is approaching the disk quota limit. + +This setting overrides new users’ settings for the disk quota limit and warning level on their volumes, and it disables the corresponding options in the "Select the default quota limit for new users of this volume" section on the Quota tab. +This policy setting applies to all new users as soon as they write to the volume. It does not affect disk quota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties). + +If you disable or do not configure this policy setting, the disk space available to users is not limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level. When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it is reasonable for the range of volumes in the group. + +This policy setting is effective only when disk quota management is enabled on the volume. Also, if disk quotas are not enforced, users can exceed the quota limit you set. When users reach the quota limit, their status in the Quota Entries window changes, but users can continue to write to the volume. + + + + +ADMX Info: +- GP Friendly name: *Specify default quota limit and warning level* +- GP name: *DQ_Limit* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
                  + + + diff --git a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md index 1151c3fbae..89280b4e3d 100644 --- a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md +++ b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DistributedLinkTracking -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -34,32 +39,14 @@ manager: dansimp **ADMX_DistributedLinkTracking/DLT_AllowDomainMode** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -74,7 +61,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. +This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. The DLT client can more reliably track links when allowed to use the DLT server. This policy should not be set unless the DLT server is running on all domain controllers in the domain. @@ -83,12 +70,6 @@ This policy should not be set unless the DLT server is running on all domain con > This policy setting applies to all sites in Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -101,8 +82,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index 6d020b3a32..1048f89d4f 100644 --- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_DnsClient -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -97,32 +101,14 @@ manager: dansimp **ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -137,19 +123,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. +This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names, such as "www.example.com" in addition to single-label names. If you disable this policy setting, or if you do not configure this policy setting, NetBT queries will only be issued for single-label names, such as "example" and not for multi-label and fully qualified domain names. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -165,32 +146,14 @@ ADMX Info: **ADMX_DnsClient/DNS_AppendToMultiLabelName** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -205,7 +168,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. +This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot. @@ -220,12 +183,6 @@ If you disable this policy setting, no suffixes are appended to unqualified mult If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -242,32 +199,14 @@ ADMX Info: **ADMX_DnsClient/DNS_Domain** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -282,19 +221,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. +This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting. If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -311,32 +245,14 @@ ADMX Info: **ADMX_DnsClient/DNS_DomainNameDevolutionLevel** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -351,7 +267,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. +This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. @@ -375,12 +291,7 @@ If you enable this policy setting and DNS devolution is also enabled, DNS client If you disable this policy setting or do not configure it, DNS clients use the default devolution level of two provided that DNS devolution is enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -398,32 +309,14 @@ ADMX Info: **ADMX_DnsClient/DNS_IdnEncoding** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -438,19 +331,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. +This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. If this policy setting is enabled, IDNs are not converted to Punycode. If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -467,32 +355,14 @@ ADMX Info: **ADMX_DnsClient/DNS_IdnMapping** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -507,19 +377,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. +This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. If this policy setting is enabled, IDNs are converted to the Nameprep form. If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -536,32 +401,14 @@ ADMX Info: **ADMX_DnsClient/DNS_NameServer** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -576,7 +423,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. +This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address. @@ -585,12 +432,7 @@ If you enable this policy setting, the list of DNS servers is applied to all net If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -607,32 +449,14 @@ ADMX Info: **ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -647,7 +471,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). +This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order. @@ -657,12 +481,6 @@ If you disable this policy setting, or if you do not configure this policy setti > This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: 
@@ -680,32 +498,14 @@ ADMX Info: **ADMX_DnsClient/DNS_PrimaryDnsSuffix** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -720,7 +520,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. +This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com. @@ -733,12 +533,7 @@ You can use this policy setting to prevent users, including local administrators If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -755,32 +550,14 @@ ADMX Info: **ADMX_DnsClient/DNS_RegisterAdapterName** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -795,7 +572,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. +This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com. 
@@ -807,12 +584,7 @@ Important: This policy setting is ignored on a DNS client computer if dynamic DN If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -829,32 +601,14 @@ ADMX Info: **ADMX_DnsClient/DNS_RegisterReverseLookup** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -869,7 +623,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS client computers will register PTR resource records. +This policy setting specifies if DNS client computers will register PTR resource records. By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record. @@ -883,12 +637,7 @@ To use this policy setting, click Enabled, and then select one of the following If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -905,32 +654,14 @@ ADMX Info: **ADMX_DnsClient/DNS_RegistrationEnabled** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -945,19 +676,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. +This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled. If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -974,32 +700,14 @@ ADMX Info: **ADMX_DnsClient/DNS_RegistrationOverwritesInConflict** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1014,7 +722,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. +This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers. @@ -1025,12 +733,7 @@ If you enable this policy setting or if you do not configure this policy setting If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1047,32 +750,14 @@ ADMX Info: **ADMX_DnsClient/DNS_RegistrationRefreshInterval** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1087,7 +772,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. +This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records. 
@@ -1101,12 +786,7 @@ If you enable this policy setting, registration refresh interval that you specif If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1123,32 +803,14 @@ ADMX Info: **ADMX_DnsClient/DNS_RegistrationTtl** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1163,7 +825,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. +This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes). @@ -1172,12 +834,7 @@ If you enable this policy setting, the TTL value that you specify will be applie If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1194,32 +851,14 @@ ADMX Info: **ADMX_DnsClient/DNS_SearchList** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1234,7 +873,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. +This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com." @@ -1247,12 +886,7 @@ If you enable this policy setting, one DNS suffix is attached at a time for each If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1270,32 +904,14 @@ ADMX Info: **ADMX_DnsClient/DNS_SmartMultiHomedNameResolution** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  
@@ -1310,19 +926,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. +This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ ADMX Info: @@ -1339,32 +950,14 @@ ADMX Info: **ADMX_DnsClient/DNS_SmartProtocolReorder** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1379,7 +972,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). +This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks. @@ -1389,12 +982,6 @@ If you disable this policy setting, or if you do not configure this policy setti > This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1411,32 +998,14 @@ ADMX Info: **ADMX_DnsClient/DNS_UpdateSecurityLevel** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1451,7 +1020,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security level for dynamic DNS updates. +This policy setting specifies the security level for dynamic DNS updates. To use this policy setting, click Enabled and then select one of the following values: @@ -1464,12 +1033,7 @@ If you enable this policy setting, computers that attempt to send dynamic DNS up If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1486,32 +1050,14 @@ ADMX Info: **ADMX_DnsClient/DNS_UpdateTopLevelDomainZones** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1526,7 +1072,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." +This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone. @@ -1535,12 +1081,7 @@ If you enable this policy setting, computers send dynamic updates to any zone th If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1557,32 +1098,14 @@ ADMX Info: **ADMX_DnsClient/DNS_UseDomainNameDevolution** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1597,7 +1120,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. +This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. @@ -1622,12 +1145,7 @@ If you enable this policy setting, or if you do not configure this policy settin If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1644,32 +1162,14 @@ ADMX Info: **ADMX_DnsClient/Turn_Off_Multicast** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1684,7 +1184,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. +This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. @@ -1693,12 +1193,7 @@ If you enable this policy setting, LLMNR will be disabled on all available netwo If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1710,7 +1205,5 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md index ad2161edfc..f1be9bb199 100644 
--- a/windows/client-management/mdm/policy-csp-admx-dwm.md +++ b/windows/client-management/mdm/policy-csp-admx-dwm.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DWM -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -49,32 +54,14 @@ manager: dansimp **ADMX_DWM/DwmDefaultColorizationColor_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -89,7 +76,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default color for window frames when the user does not specify a color. +This policy setting controls the default color for window frames when the user does not specify a color. If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. @@ -99,12 +86,6 @@ If you disable or do not configure this policy setting, the default internal col > This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -122,32 +103,14 @@ ADMX Info: **ADMX_DWM/DwmDefaultColorizationColor_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -162,7 +125,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default color for window frames when the user does not specify a color. +This policy setting controls the default color for window frames when the user does not specify a color. If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. @@ -172,12 +135,7 @@ If you disable or do not configure this policy setting, the default internal col > This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -194,32 +152,14 @@ ADMX Info: **ADMX_DWM/DwmDisallowAnimations_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -234,7 +174,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. +This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. If you enable this policy setting, window animations are turned off. @@ -243,12 +183,7 @@ If you disable or do not configure this policy setting, window animations are tu Changing this policy setting requires a logoff for it to be applied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -265,32 +200,14 @@ ADMX Info: **ADMX_DWM/DwmDisallowAnimations_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -305,7 +222,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. +This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. If you enable this policy setting, window animations are turned off. @@ -314,12 +231,7 @@ If you disable or do not configure this policy setting, window animations are tu Changing this policy setting requires a logoff for it to be applied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -336,32 +248,14 @@ ADMX Info: **ADMX_DWM/DwmDisallowColorizationColorChanges_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -376,7 +270,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to change the color of window frames. +This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent users from changing the default window frame color. @@ -386,12 +280,7 @@ If you disable or do not configure this policy setting, you allow users to chang > This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -408,32 +297,14 @@ ADMX Info: **ADMX_DWM/DwmDisallowColorizationColorChanges_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -448,7 +319,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to change the color of window frames. +This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent users from changing the default window frame color. @@ -458,12 +329,6 @@ If you disable or do not configure this policy setting, you allow users to chang > This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -476,7 +341,5 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md index 454bd47f86..cad865a77f 100644 --- a/windows/client-management/mdm/policy-csp-admx-eaime.md +++ b/windows/client-management/mdm/policy-csp-admx-eaime.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_EAIME -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -67,32 +72,14 @@ manager: dansimp **ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -107,7 +94,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists. +This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists. If you enable this policy setting, Non-Publishing Standard Glyph is not included in the candidate list when Publishing Standard Glyph for the word exists. @@ -119,12 +106,7 @@ This policy setting applies to Japanese Microsoft IME only. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -141,32 +123,14 @@ ADMX Info: **ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -181,7 +145,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict character code range of conversion by setting character filter. +This policy setting allows you to restrict character code range of conversion by setting character filter. If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME. You can specify multiple ranges by setting a value combined with a bitwise OR of following values: @@ -205,12 +169,7 @@ This policy setting applies to Japanese Microsoft IME only. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -227,32 +186,14 @@ ADMX Info: **ADMX_EAIME/L_TurnOffCustomDictionary** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -267,7 +208,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off the ability to use a custom dictionary. +This policy setting allows you to turn off the ability to use a custom dictionary. If you enable this policy setting, you cannot add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion. @@ -281,12 +222,7 @@ This policy setting is applied to Japanese Microsoft IME. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -303,32 +239,14 @@ ADMX Info: **ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -343,7 +261,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off history-based predictive input. +This policy setting allows you to turn off history-based predictive input. If you enable this policy setting, history-based predictive input is turned off. @@ -355,12 +273,6 @@ This policy setting applies to Japanese Microsoft IME only. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -377,32 +289,14 @@ ADMX Info: **ADMX_EAIME/L_TurnOffInternetSearchIntegration** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -417,7 +311,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Internet search integration. +This policy setting allows you to turn off Internet search integration. Search integration includes both using Search Provider (Japanese Microsoft IME) and performing Bing search from predictive input for Japanese Microsoft IME. @@ -431,12 +325,7 @@ This policy setting applies to Japanese Microsoft IME. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -453,32 +342,14 @@ ADMX Info: **ADMX_EAIME/L_TurnOffOpenExtendedDictionary** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -493,7 +364,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Open Extended Dictionary. +This policy setting allows you to turn off Open Extended Dictionary. If you enable this policy setting, Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary. @@ -504,12 +375,7 @@ If you disable or do not configure this policy setting, Open Extended Dictionary This policy setting is applied to Japanese Microsoft IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -526,32 +392,14 @@ ADMX Info: **ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -566,7 +414,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off saving the auto-tuning result to file. +This policy setting allows you to turn off saving the auto-tuning result to file. If you enable this policy setting, the auto-tuning data is not saved to file. @@ -575,12 +423,7 @@ If you disable or do not configure this policy setting, auto-tuning data is save This policy setting applies to Japanese Microsoft IME only. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -597,32 +440,14 @@ ADMX Info: **ADMX_EAIME/L_TurnOnCloudCandidate** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -637,7 +462,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. +This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. @@ -648,12 +473,7 @@ If you don't configure this policy setting, it will be turned off by default, an This Policy setting applies to Microsoft CHS Pinyin IME and JPN IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -670,32 +490,14 @@ ADMX Info: **ADMX_EAIME/L_TurnOnCloudCandidateCHS** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -710,7 +512,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. +This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. @@ -721,12 +523,7 @@ If you don't configure this policy setting, it will be turned off by default, an This Policy setting applies only to Microsoft CHS Pinyin IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -743,32 +540,14 @@ ADMX Info: **ADMX_EAIME/L_TurnOnLexiconUpdate** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -783,7 +562,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the lexicon update feature, which downloads hot and popular words lexicon to local PC. +This policy setting controls the lexicon update feature, which downloads hot and popular words lexicon to local PC. If you enable this policy setting, the functionality associated with this feature is turned on, hot and popular words lexicon can be downloaded to local PC, the user is able to turn it on or off in settings. @@ -794,12 +573,7 @@ If you don't configure this policy setting, it will be turned on by default, and This Policy setting applies only to Microsoft CHS Pinyin IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -816,32 +590,14 @@ ADMX Info: **ADMX_EAIME/L_TurnOnLiveStickers** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -856,7 +612,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the live sticker feature, which uses an online service to provide stickers online. +This policy setting controls the live sticker feature, which uses an online service to provide stickers online. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the live stickers, and the user won't be able to turn it off. @@ -867,12 +623,7 @@ If you don't configure this policy setting, it will be turned off by default, an This Policy setting applies only to Microsoft CHS Pinyin IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -889,32 +640,14 @@ ADMX Info: **ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -929,7 +662,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on logging of misconversion for the misconversion report. +This policy setting allows you to turn on logging of misconversion for the misconversion report. If you enable this policy setting, misconversion logging is turned on. @@ -938,12 +671,7 @@ If you disable or do not configure this policy setting, misconversion logging is This policy setting applies to Japanese Microsoft IME and Traditional Chinese IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -956,7 +684,5 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md index d5cdf442da..692228300f 100644 --- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md +++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_EncryptFilesonMove -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -34,32 +39,14 @@ manager: dansimp **ADMX_EncryptFilesonMove/NoEncryptOnMove** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -74,7 +61,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. +This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder. @@ -83,12 +70,7 @@ If you disable or do not configure this policy setting, File Explorer automatica This setting applies only to files moved within a volume. When files are moved to other volumes, or if you create a new file in an encrypted folder, File Explorer encrypts those files automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -101,8 +83,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md index a77d1438d2..c105cd1d14 100644 --- a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md +++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_EnhancedStorage -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -49,32 +54,14 @@ manager: dansimp **ADMX_EnhancedStorage/ApprovedEnStorDevices** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -89,19 +76,13 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer. +This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer. If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer. If you disable or do not configure this policy setting, all Enhanced Storage devices are usable on your computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -118,32 +99,14 @@ ADMX Info: **ADMX_EnhancedStorage/ApprovedSilos** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -158,19 +121,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. +This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer. If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -187,32 +144,14 @@ ADMX Info: **ADMX_EnhancedStorage/DisablePasswordAuthentication** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -227,19 +166,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. +This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device. If you disable or do not configure this policy setting, a password can be used to unlock an Enhanced Storage device. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -256,32 +189,14 @@ ADMX Info: **ADMX_EnhancedStorage/DisallowLegacyDiskDevices** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -296,19 +211,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. +This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer. If you disable or do not configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -325,32 +234,14 @@ ADMX Info: **ADMX_EnhancedStorage/LockDeviceOnMachineLock** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -365,7 +256,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting locks Enhanced Storage devices when the computer is locked. +This policy setting locks Enhanced Storage devices when the computer is locked. This policy setting is supported in Windows Server SKUs only. @@ -374,12 +265,6 @@ If you enable this policy setting, the Enhanced Storage device remains locked wh If you disable or do not configure this policy setting, the Enhanced Storage device state is not changed when the computer is locked. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -396,32 +281,14 @@ ADMX Info: **ADMX_EnhancedStorage/RootHubConnectedEnStorDevices** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -436,19 +303,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device. +This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device. If you enable this policy setting, only USB root hub connected Enhanced Storage devices are allowed. If you disable or do not configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -461,8 +322,5 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md index f54ecfc994..94c3b17642 100644 --- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_ErrorReporting -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
                  ## ADMX_ErrorReporting policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
                  ADMX_ErrorReporting/PCH_AllOrNoneDef @@ -118,32 +123,14 @@ manager: dansimp **ADMX_ErrorReporting/PCH_AllOrNoneDef** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -158,7 +145,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether errors in general applications are included in reports when Windows Error Reporting is enabled. +This policy setting controls whether errors in general applications are included in reports when Windows Error Reporting is enabled. If you enable this policy setting, you can instruct Windows Error Reporting in the Default pull-down menu to report either all application errors (the default setting), or no application errors. @@ -171,12 +158,6 @@ This policy setting is ignored if the Configure Error Reporting policy setting i For related information, see the Configure Error Reporting and Report Operating System Errors policy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -193,32 +174,14 @@ ADMX Info: **ADMX_ErrorReporting/PCH_AllOrNoneEx** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -233,7 +196,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. +This policy setting controls Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. @@ -242,12 +205,6 @@ If this policy setting is enabled, the Exclude errors for applications on this l If you disable or do not configure this policy setting, the Default application reporting settings policy setting takes precedence. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: 
@@ -264,32 +221,14 @@ ADMX Info: **ADMX_ErrorReporting/PCH_AllOrNoneInc** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -304,7 +243,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies applications for which Windows Error Reporting should always report errors. +This policy setting specifies applications for which Windows Error Reporting should always report errors. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. @@ -319,12 +258,7 @@ Also see the "Default Application Reporting" and "Application Exclusion List" po This setting will be ignored if the 'Configure Error Reporting' setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -341,32 +275,14 @@ ADMX Info: **ADMX_ErrorReporting/PCH_ConfigureReport** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -381,7 +297,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures how errors are reported to Microsoft, and what information is sent when Windows Error Reporting is enabled. +This policy setting configures how errors are reported to Microsoft, and what information is sent when Windows Error Reporting is enabled. This policy setting does not enable or disable Windows Error Reporting. To turn Windows Error Reporting on or off, see the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. @@ -409,12 +325,6 @@ If you disable this policy setting, configuration settings in the policy setting See related policy settings Display Error Notification (same folder as this policy setting), and Turn off Windows Error Reporting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -431,32 +341,14 @@ ADMX Info: **ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -471,7 +363,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether errors in the operating system are included Windows Error Reporting is enabled. +This policy setting controls whether errors in the operating system are included Windows Error Reporting is enabled. If you enable this policy setting, Windows Error Reporting includes operating system errors. @@ -482,12 +374,6 @@ If you do not configure this policy setting, users can change this setting in Co See also the Configure Error Reporting policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -504,32 +390,14 @@ ADMX Info: **ADMX_ErrorReporting/WerArchive_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -544,19 +412,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the behavior of the Windows Error Reporting archive. +This policy setting controls the behavior of the Windows Error Reporting archive. If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -573,32 +435,14 @@ ADMX Info: **ADMX_ErrorReporting/WerArchive_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|No|No|
                  @@ -613,19 +457,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the behavior of the Windows Error Reporting archive. +This policy setting controls the behavior of the Windows Error Reporting archive. If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -642,32 +480,14 @@ ADMX Info: **ADMX_ErrorReporting/WerAutoApproveOSDumps_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -682,19 +502,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. +This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -711,32 +525,14 @@ ADMX Info: **ADMX_ErrorReporting/WerAutoApproveOSDumps_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|No|No|
                  @@ -751,20 +547,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. +This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Automatically send memory dumps for OS-generated error reports* @@ -780,32 +568,14 @@ ADMX Info: **ADMX_ErrorReporting/WerBypassDataThrottling_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -820,19 +590,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. +This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -849,32 +613,14 @@ ADMX Info: **ADMX_ErrorReporting/WerBypassDataThrottling_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -889,19 +635,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. +This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -918,32 +658,14 @@ ADMX Info: **ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -958,19 +680,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. +This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -987,32 +703,14 @@ ADMX Info: **ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1027,19 +725,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. +This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1056,32 +748,14 @@ ADMX Info: **ADMX_ErrorReporting/WerBypassPowerThrottling_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1096,19 +770,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. +This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1125,32 +793,14 @@ ADMX Info: **ADMX_ErrorReporting/WerBypassPowerThrottling_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1165,19 +815,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. +This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1194,32 +838,14 @@ ADMX Info: **ADMX_ErrorReporting/WerCER** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1234,19 +860,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you do not want to send error reports to Microsoft). +This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you do not want to send error reports to Microsoft). If you enable this policy setting, you can specify the name or IP address of an error report destination server on your organization’s network. You can also select Connect using SSL to transmit error reports over a Secure Sockets Layer (SSL) connection, and specify a port number on the destination server for transmission. If you disable or do not configure this policy setting, Windows Error Reporting sends error reports to Microsoft. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1263,32 +883,14 @@ ADMX Info: **ADMX_ErrorReporting/WerConsentCustomize_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1303,7 +905,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the consent behavior of Windows Error Reporting for specific event types. +This policy setting determines the consent behavior of Windows Error Reporting for specific event types. If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. @@ -1320,12 +922,6 @@ If you enable this policy setting, you can add specific event types to a list by If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1342,32 +938,14 @@ ADMX Info: **ADMX_ErrorReporting/WerConsentOverride_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|No|No|
+|Education|Yes|Yes|
                  @@ -1382,19 +960,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. +This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1411,32 +983,14 @@ ADMX Info: **ADMX_ErrorReporting/WerConsentOverride_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1451,19 +1005,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. +This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1480,32 +1028,14 @@ ADMX Info: **ADMX_ErrorReporting/WerDefaultConsent_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1520,7 +1050,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the default consent behavior of Windows Error Reporting. +This policy setting determines the default consent behavior of Windows Error Reporting. If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: @@ -1535,12 +1065,6 @@ If you enable this policy setting, you can set the default consent handling for If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1557,32 +1081,14 @@ ADMX Info: **ADMX_ErrorReporting/WerDefaultConsent_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1597,7 +1103,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the default consent behavior of Windows Error Reporting. +This policy setting determines the default consent behavior of Windows Error Reporting. If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: @@ -1612,12 +1118,6 @@ If you enable this policy setting, you can set the default consent handling for If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1634,32 +1134,14 @@ ADMX Info: **ADMX_ErrorReporting/WerDisable_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1674,19 +1156,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. +This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1703,32 +1179,14 @@ ADMX Info: **ADMX_ErrorReporting/WerExlusion_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1743,7 +1201,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. +This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. @@ -1751,12 +1209,6 @@ If you disable or do not configure this policy setting, errors are reported on a -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1773,32 +1225,14 @@ ADMX Info: **ADMX_ErrorReporting/WerExlusion_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1813,19 +1247,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. +This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1842,32 +1270,14 @@ ADMX Info: **ADMX_ErrorReporting/WerNoLogging_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1882,19 +1292,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. +This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1911,32 +1315,14 @@ ADMX Info: **ADMX_ErrorReporting/WerNoLogging_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1951,19 +1337,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. +This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1980,32 +1360,14 @@ ADMX Info: **ADMX_ErrorReporting/WerNoSecondLevelData_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2020,19 +1382,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. +This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2049,32 +1405,14 @@ ADMX Info: **ADMX_ErrorReporting/WerQueue_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2089,7 +1427,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Windows Error Reporting report queue. +This policy setting determines the behavior of the Windows Error Reporting report queue. If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. @@ -2098,12 +1436,6 @@ The Maximum number of reports to queue setting determines how many reports can b If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2120,32 +1452,14 @@ ADMX Info: **ADMX_ErrorReporting/WerQueue_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2160,7 +1474,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Windows Error Reporting report queue. +This policy setting determines the behavior of the Windows Error Reporting report queue. If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. If Queuing behavior is set to Always queue for administrator, reports are queued until an administrator is prompted to send them, or until the administrator sends them by using the Solutions to Problems page in Control Panel. 
@@ -2169,12 +1483,6 @@ The Maximum number of reports to queue setting determines how many reports can b
 If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs.
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 ADMX Info:
@@ -2187,7 +1495,5 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md index bd419345c7..a8280b059d 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md +++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md @@ -14,14 +14,19 @@ manager: dansimp # Policy CSP - ADMX_EventForwarding -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
                  ## ADMX_EventForwarding policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
                  ADMX_EventForwarding/ForwarderResourceUsage @@ -38,32 +43,14 @@ manager: dansimp **ADMX_EventForwarding/ForwarderResourceUsage** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -78,7 +65,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector. +This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector. If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments. @@ -87,12 +74,7 @@ If you disable or do not configure this policy setting, forwarder resource usage This setting applies across all subscriptions for the forwarder (source computer). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -111,32 +93,14 @@ ADMX Info: **ADMX_EventForwarding/SubscriptionManager** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -151,7 +115,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. +This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics. @@ -167,12 +131,6 @@ When using the HTTP protocol, use port 5985. If you disable or do not configure this policy setting, the Event Collector computer will not be specified. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -185,8 +143,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md index 7c171edf2e..6ecf8c9c31 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlog.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_EventLog -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
                  ## ADMX_EventLog policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
                  ADMX_EventLog/Channel_LogEnabled @@ -94,32 +99,14 @@ manager: dansimp **ADMX_EventLog/Channel_LogEnabled** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -134,19 +121,13 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting turns on logging. +This policy setting turns on logging. If you enable or do not configure this policy setting, then events can be written to this log. If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -163,32 +144,14 @@ ADMX Info: **ADMX_EventLog/Channel_LogFilePath_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -203,19 +166,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. +This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified in this policy setting. If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -232,32 +189,14 @@ ADMX Info: **ADMX_EventLog/Channel_LogFilePath_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -272,19 +211,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. +This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified in this policy setting. If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -301,32 +234,14 @@ ADMX Info: **ADMX_EventLog/Channel_LogFilePath_3** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -341,19 +256,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. +This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified in this policy setting. If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -370,32 +279,14 @@ ADMX Info: **ADMX_EventLog/Channel_LogFilePath_4** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -410,19 +301,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. +This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified in this policy setting. If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -439,32 +324,14 @@ ADMX Info: **ADMX_EventLog/Channel_LogMaxSize_3** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -479,19 +346,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the maximum size of the log file in kilobytes. +This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -508,32 +369,14 @@ ADMX Info: **ADMX_EventLog/Channel_Log_AutoBackup_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -548,7 +391,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. +This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. @@ -557,12 +400,6 @@ If you disable this policy setting and the "Retain old events" policy setting is If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -579,32 +416,14 @@ ADMX Info: **ADMX_EventLog/Channel_Log_AutoBackup_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -619,7 +438,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. +This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. @@ -628,12 +447,6 @@ If you disable this policy setting and the "Retain old events" policy setting is If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -650,32 +463,14 @@ ADMX Info: **ADMX_EventLog/Channel_Log_AutoBackup_3** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -690,7 +485,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. +This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. @@ -699,12 +494,6 @@ If you disable this policy setting and the "Retain old events" policy setting is If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -721,32 +510,14 @@ ADMX Info: **ADMX_EventLog/Channel_Log_AutoBackup_4** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -761,7 +532,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. +This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. @@ -770,12 +541,6 @@ If you disable this policy setting and the "Retain old events" policy setting is If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -792,32 +557,14 @@ ADMX Info: **ADMX_EventLog/Channel_Log_FileLogAccess_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -832,7 +579,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only those users matching the security descriptor can access the log. @@ -842,12 +589,6 @@ If you disable or do not configure this policy setting, all authenticated users > If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -864,32 +605,14 @@ ADMX Info: **ADMX_EventLog/Channel_Log_FileLogAccess_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -904,7 +627,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. @@ -914,12 +637,6 @@ If you disable or do not configure this policy setting, only system software and > If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: 
@@ -936,32 +653,14 @@ ADMX Info: **ADMX_EventLog/Channel_Log_FileLogAccess_3** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -976,7 +675,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only those users matching the security descriptor can access the log. @@ -986,12 +685,6 @@ If you disable or do not configure this policy setting, all authenticated users > If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1008,32 +701,14 @@ ADMX Info: **ADMX_EventLog/Channel_Log_FileLogAccess_4** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1048,7 +723,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. @@ -1058,12 +733,6 @@ If you disable or do not configure this policy setting, only system software and > If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1080,32 +749,14 @@ ADMX Info: **ADMX_EventLog/Channel_Log_FileLogAccess_5** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1120,7 +771,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, only those users matching the security descriptor can access the log. @@ -1129,12 +780,6 @@ If you disable this policy setting, all authenticated users and system services If you do not configure this policy setting, the previous policy setting configuration remains in effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1151,32 +796,14 @@ ADMX Info: **ADMX_EventLog/Channel_Log_FileLogAccess_6** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1191,7 +818,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. @@ -1200,12 +827,6 @@ If you disable this policy setting, only system software and administrators can If you do not configure this policy setting, the previous policy setting configuration remains in effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1222,32 +843,14 @@ ADMX Info: **ADMX_EventLog/Channel_Log_FileLogAccess_7** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1262,7 +865,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, only those users matching the security descriptor can access the log. @@ -1271,12 +874,6 @@ If you disable this policy setting, all authenticated users and system services If you do not configure this policy setting, the previous policy setting configuration remains in effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1293,32 +890,14 @@ ADMX Info: **ADMX_EventLog/Channel_Log_FileLogAccess_8** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1333,7 +912,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. @@ -1342,12 +921,6 @@ If you disable this policy setting, only system software and administrators can If you do not configure this policy setting, the previous policy setting configuration remains in effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1364,32 +937,14 @@ ADMX Info: **ADMX_EventLog/Channel_Log_Retention_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|No|No| +|Education|Yes|Yes|
                  @@ -1404,7 +959,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. +This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. @@ -1413,12 +968,6 @@ If you disable or do not configure this policy setting and a log file reaches it Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1435,32 +984,14 @@ ADMX Info: **ADMX_EventLog/Channel_Log_Retention_3** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1475,7 +1006,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. +This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. @@ -1484,12 +1015,6 @@ If you disable or do not configure this policy setting and a log file reaches it Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1503,35 +1028,18 @@ ADMX Info:
                  -**ADMX_EventLog/Channel_Log_Retention_4** +**ADMX_EventLog/Channel_Log_Retention_4** + - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1546,7 +1054,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. +This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. @@ -1555,12 +1063,6 @@ If you disable or do not configure this policy setting and a log file reaches it Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1573,7 +1075,5 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-eventlogging.md b/windows/client-management/mdm/policy-csp-admx-eventlogging.md index f5b94b93f3..5139f4db6e 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlogging.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlogging.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_EventLogging -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -34,38 +39,14 @@ manager: dansimp **ADMX_EventLogging/EnableProtectedEventLogging** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -89,12 +70,6 @@ You can use the Unprotect-CmsMessage PowerShell cmdlet to decrypt these encrypte - If you disable or do not configure this policy setting, components will not encrypt event log messages before writing them to the event log. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -107,8 +82,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-eventviewer.md b/windows/client-management/mdm/policy-csp-admx-eventviewer.md index d153f1ca58..69eeef1d15 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventviewer.md +++ b/windows/client-management/mdm/policy-csp-admx-eventviewer.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_EventViewer -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -40,38 +45,14 @@ manager: dansimp **ADMX_EventViewer/EventViewer_RedirectionProgram** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -89,13 +70,8 @@ manager: dansimp This is the program that will be invoked when the user clicks the `events.asp` link. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + + ADMX Info: - GP Friendly name: *Events.asp program* @@ -111,38 +87,14 @@ ADMX Info: **ADMX_EventViewer/EventViewer_RedirectionProgramCommandLineParameters** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -160,12 +112,6 @@ ADMX Info: This specifies the command line parameters that will be passed to the `events.asp` program. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -182,38 +128,14 @@ ADMX Info: **ADMX_EventViewer/EventViewer_RedirectionURL** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -232,13 +154,7 @@ This is the URL that will be passed to the Description area in the Event Propert Change this value if you want to use a different Web server to handle event information requests. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md index be619c2c3b..9989e26418 100644 --- a/windows/client-management/mdm/policy-csp-admx-explorer.md +++ b/windows/client-management/mdm/policy-csp-admx-explorer.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_Explorer -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
                  ## ADMX_Explorer policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
                  ADMX_Explorer/AdminInfoUrl @@ -46,32 +51,14 @@ manager: dansimp **ADMX_Explorer/AdminInfoUrl** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -86,15 +73,9 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy. +Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -111,32 +92,14 @@ ADMX Info: **ADMX_Explorer/AlwaysShowClassicMenu** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -163,14 +126,6 @@ If you disable or do not configure this policy setting, the menu bar will not be > [!NOTE] > When the menu bar is not displayed, users can access the menu bar by pressing the 'ALT' key. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Display the menu bar in File Explorer* @@ -186,32 +141,14 @@ ADMX Info: **ADMX_Explorer/DisableRoamedProfileInit** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -226,17 +163,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer will not reinitialize default program associations and other settings to default values. +This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer will not reinitialize default program associations and other settings to default values. If you enable this policy setting on a machine that does not contain all programs installed in the same manner as it was on the machine on which the user had last logged on, unexpected behavior could occur. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -253,32 +184,14 @@ ADMX Info: **ADMX_Explorer/PreventItemCreationInUsersFilesFolder** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -293,7 +206,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Users Files folder in File Explorer. +This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Users Files folder in File Explorer. If you enable this policy setting, users will no longer be able to add new items such as files or folders to the root of their Users Files folder in File Explorer. @@ -303,12 +216,6 @@ If you disable or do not configure this policy setting, users will be able to ad > Enabling this policy setting does not prevent the user from being able to add new items such as files and folders to their actual file system profile folder at %userprofile%. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -325,32 +232,14 @@ ADMX Info: **ADMX_Explorer/TurnOffSPIAnimations** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -365,15 +254,9 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy is similar to settings directly available to computer users. Disabling animations can improve usability for users with some visual disabilities as well as improving performance and battery life in some scenarios. +This policy is similar to settings directly available to computer users. Disabling animations can improve usability for users with some visual disabilities as well as improving performance and battery life in some scenarios. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -386,6 +269,4 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-externalboot.md b/windows/client-management/mdm/policy-csp-admx-externalboot.md index 24c4aeecbe..7b5fcf2e88 100644 --- a/windows/client-management/mdm/policy-csp-admx-externalboot.md +++ b/windows/client-management/mdm/policy-csp-admx-externalboot.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_ExternalBoot -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -43,38 +47,14 @@ manager: dansimp **ADMX_ExternalBoot/PortableOperatingSystem_Hibernate** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -98,12 +78,6 @@ This policy specifies whether the PC can use the hibernation sleep state (S4) wh -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -121,37 +95,14 @@ ADMX Info: **ADMX_ExternalBoot/PortableOperatingSystem_Sleep** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -174,13 +125,6 @@ If you disable or do not configure this setting, Windows, when started from a Wi -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Disallow standby sleep states (S1-S3) when starting from a Windows to Go workspace* @@ -197,38 +141,14 @@ ADMX Info: **ADMX_ExternalBoot/PortableOperatingSystem_Launcher** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -253,13 +173,6 @@ If you do not configure this setting, users who are members of the Administrator -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Windows To Go Default Startup Options* diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md index 7f2635d2ab..a32fa9863a 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md 
@@ -13,9 +13,13 @@ manager: dansimp
 ---
 # Policy CSP - ADMX_FileRecovery
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -32,32 +36,14 @@ manager: dansimp **ADMX_FileRecovery/WdiScenarioExecutionPolicy** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -75,12 +61,7 @@ manager: dansimp > This policy setting applies to all sites in Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -90,8 +71,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-filerevocation.md b/windows/client-management/mdm/policy-csp-admx-filerevocation.md index a36aca27de..f2085397e4 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerevocation.md +++ b/windows/client-management/mdm/policy-csp-admx-filerevocation.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_FileRevocation -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -32,39 +37,14 @@ manager: dansimp **ADMX_FileRevocation/DelegatedPackageFamilyNames** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -90,12 +70,6 @@ Any other Windows Runtime application will only be able to revoke access to cont > Information the user should notice even if skimmingFile revocation applies to all content protected under the same second level domain as the provided enterprise identifier. Therefore, revoking an enterprise ID of `mail.contoso.com` will revoke the user’s access to all content protected under the contoso.com hierarchy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -108,8 +82,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md index 2896e4cc5a..5fad886bbd 100644 --- a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md +++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_FileServerVSSProvider -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -34,32 +39,14 @@ manager: dansimp **ADMX_FileServerVSSProvider/Pol_EncryptProtocol** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -74,7 +61,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. +This policy setting determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. @@ -84,12 +71,6 @@ By default, the RPC protocol message between File Server VSS provider and File S > To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -102,8 +83,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md index 079c55e92e..edfeb52c50 100644 --- a/windows/client-management/mdm/policy-csp-admx-filesys.md +++ b/windows/client-management/mdm/policy-csp-admx-filesys.md @@ -13,13 +13,18 @@ manager: dansimp --- # Policy CSP - ADMX_FileSys -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
                  -## ADMX_FileSys policies +## ADMX_FileSys policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -53,32 +58,14 @@ manager: dansimp **ADMX_FileSys/DisableCompression** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -93,15 +80,10 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files. +Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -117,32 +99,14 @@ ADMX Info: **ADMX_FileSys/DisableDeleteNotification** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -157,19 +121,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation. +Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation. A value of 0, the default, will enable delete notifications for all volumes. A value of 1 will disable delete notifications for all volumes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -184,32 +142,14 @@ ADMX Info: **ADMX_FileSys/DisableEncryption** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -224,15 +164,8 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files. +Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -247,32 +180,14 @@ ADMX Info: **ADMX_FileSys/EnablePagefileEncryption** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -287,15 +202,9 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted. +Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -310,32 +219,14 @@ ADMX Info: **ADMX_FileSys/LongPathsEnabled** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -350,15 +241,9 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to be accessible within the process. +Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to be accessible within the process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -373,32 +258,14 @@ ADMX Info: **ADMX_FileSys/ShortNameCreationSettings** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -413,17 +280,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting provides control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. +This policy setting provides control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -439,32 +300,14 @@ ADMX Info: **ADMX_FileSys/SymlinkEvaluation** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -479,7 +322,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links: +Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links: - Local Link to a Local Target - Local Link to a Remote Target @@ -492,12 +335,6 @@ For more information, refer to the Windows Help section. > If this policy is disabled or not configured, local administrators may select the types of symbolic links to be evaluated. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -512,32 +349,14 @@ ADMX Info: **ADMX_FileSys/TxfDeprecatedFunctionality** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -552,15 +371,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Enable it if you want to use the APIs. +TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Enable it if you want to use the APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -573,8 +387,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md index ed28fb4638..ef3ba9dc71 100644 --- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md +++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_FolderRedirection -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
                  ## ADMX_FolderRedirection policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
                  ADMX_FolderRedirection/DisableFRAdminPin @@ -51,32 +56,14 @@ manager: dansimp **ADMX_FolderRedirection/DisableFRAdminPin** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -91,7 +78,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether all redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. +This policy setting allows you to control whether all redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. If you enable this policy setting, users must manually select the files they wish to make available offline. @@ -105,12 +92,6 @@ If you disable or do not configure this policy setting, redirected shell folders > If one or more valid folder GUIDs are specified in the policy setting "Do not automatically make specific redirected folders available offline", that setting will override the configured value of "Do not automatically make all redirected folders available offline". -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -126,32 +107,14 @@ ADMX Info: **ADMX_FolderRedirection/DisableFRAdminPinByFolder** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -166,7 +129,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether individual redirected shell folders are available offline by default. +This policy setting allows you to control whether individual redirected shell folders are available offline by default. For the folders affected by this setting, users must manually select the files they wish to make available offline. @@ -178,12 +141,6 @@ If you disable or do not configure this policy setting, all redirected shell fol > The configuration of this policy for any folder will override the configured value of "Do not automatically make all redirected folders available offline". -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -200,32 +157,14 @@ ADMX Info: **ADMX_FolderRedirection/FolderRedirectionEnableCacheRename** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  
@@ -240,19 +179,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location. +This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location. If you enable this policy setting, when the path to a redirected folder is changed from one network location to another and Folder Redirection is configured to move the content to the new location, instead of copying the content to the new location, the cached content is renamed in the local cache and not copied to the new location. To use this policy setting, you must move or restore the server content to the new network location using a method that preserves the state of the files, including their timestamps, before updating the Folder Redirection location. If you disable or do not configure this policy setting, when the path to a redirected folder is changed and Folder Redirection is configured to move the content to the new location, Windows copies the contents of the local cache to the new network location, then deleted the content from the old network location. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. 
For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -269,32 +202,14 @@ ADMX Info: **ADMX_FolderRedirection/LocalizeXPRelativePaths_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -309,7 +224,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. +This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. @@ -319,12 +234,6 @@ If you disable or not configure this policy setting, Windows Vista, Windows 7, W > This policy is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: 
@@ -341,32 +250,14 @@ ADMX Info: **ADMX_FolderRedirection/LocalizeXPRelativePaths_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -381,7 +272,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. +This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. @@ -391,12 +282,6 @@ If you disable or not configure this policy setting, Windows Vista, Windows 7, W > This policy is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: 
@@ -412,32 +297,14 @@ ADMX Info: **ADMX_FolderRedirection/PrimaryComputer_FR_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -452,7 +319,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. +This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. 
@@ -464,12 +331,6 @@ If you disable or do not configure this policy setting and the user has redirect > If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -485,32 +346,14 @@ ADMX Info: **ADMX_FolderRedirection/PrimaryComputer_FR_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -525,7 +368,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. +This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. 
@@ -537,12 +380,7 @@ If you disable or do not configure this policy setting and the user has redirect > If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -555,8 +393,5 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - diff --git a/windows/client-management/mdm/policy-csp-admx-framepanes.md b/windows/client-management/mdm/policy-csp-admx-framepanes.md index b6c506ddd9..11e25bde64 100644 --- a/windows/client-management/mdm/policy-csp-admx-framepanes.md +++ b/windows/client-management/mdm/policy-csp-admx-framepanes.md @@ -13,9 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_FramePanes -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -35,38 +39,14 @@ manager: dansimp **ADMX_FramePanes/NoReadingPane** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -94,13 +74,7 @@ This policy setting shows or hides the Details Pane in File Explorer. This is the default policy setting. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -116,38 +90,14 @@ ADMX Info: **ADMX_FramePanes/NoPreviewPane** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -169,12 +119,6 @@ Hides the Preview Pane in File Explorer. - If you disable, or do not configure this setting, the Preview Pane is hidden by default and can be displayed by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -186,8 +130,5 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - diff --git a/windows/client-management/mdm/policy-csp-admx-fthsvc.md b/windows/client-management/mdm/policy-csp-admx-fthsvc.md index 8790ac9ad7..3cf5694548 100644 --- a/windows/client-management/mdm/policy-csp-admx-fthsvc.md +++ b/windows/client-management/mdm/policy-csp-admx-fthsvc.md 
@@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_FTHSVC -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -33,38 +38,14 @@ manager: dansimp **ADMX_FTHSVC/WdiScenarioExecutionPolicy** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -91,12 +72,6 @@ The DPS can be configured with the Services snap-in to the Microsoft Management No system restart or service restart is required for this policy setting to take effect: changes take effect immediately. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -110,7 +85,5 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md index 857ff5d89f..e33386dc04 100644 --- a/windows/client-management/mdm/policy-csp-admx-globalization.md +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_Globalization -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
                  ## ADMX_Globalization policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
                  ADMX_Globalization/BlockUserInputMethodsForSignIn @@ -103,32 +108,14 @@ manager: dansimp **ADMX_Globalization/BlockUserInputMethodsForSignIn** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -143,7 +130,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. +This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. Note this does not affect the availability of user input methods on the lock screen or with the UAC prompt. @@ -152,12 +139,7 @@ If the policy is Enabled, then the user will get input methods enabled for the s If the policy is Disabled or Not Configured, then the user will be able to use input methods enabled for their user account on the sign-in page. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -174,32 +156,14 @@ ADMX Info: **ADMX_Globalization/CustomLocalesNoSelect_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -214,7 +178,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. +This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. @@ -229,12 +193,6 @@ If this policy setting is enabled at the machine level, it cannot be disabled by To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -251,32 +209,14 @@ ADMX Info: **ADMX_Globalization/CustomLocalesNoSelect_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -291,7 +231,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. +This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. @@ -306,12 +246,6 @@ If this policy setting is enabled at the machine level, it cannot be disabled by To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -328,32 +262,14 @@ ADMX Info: **ADMX_Globalization/HideAdminOptions** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -368,7 +284,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Administrative options from the Region settings control panel. +This policy setting removes the Administrative options from the Region settings control panel. Administrative options include interfaces for setting system locale and copying settings to the default user. This policy setting does not, however, prevent an administrator or another application from changing these values programmatically. @@ -383,12 +299,6 @@ If you disable or do not configure this policy setting, the user can see the Adm -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -405,32 +315,14 @@ ADMX Info: **ADMX_Globalization/HideCurrentLocation** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -445,7 +337,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the option to change the user's geographical location (GeoID) from the Region settings control panel. +This policy setting removes the option to change the user's geographical location (GeoID) from the Region settings control panel. This policy setting is used only to simplify the Regional Options control panel. @@ -457,12 +349,6 @@ If you disable or do not configure this policy setting, the user sees the option > Even if a user can see the GeoID option, the "Disallow changing of geographical location" option can prevent them from actually changing their current geographical location. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -479,32 +365,14 @@ ADMX Info: **ADMX_Globalization/HideLanguageSelection** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -519,7 +387,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the option to change the user's menus and dialogs (UI) language from the Language and Regional Options control panel. +This policy setting removes the option to change the user's menus and dialogs (UI) language from the Language and Regional Options control panel. This policy setting is used only to simplify the Regional Options control panel. @@ -530,12 +398,6 @@ If you enable this policy setting, the user does not see the option for changing -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -552,32 +414,14 @@ ADMX Info: **ADMX_Globalization/HideLocaleSelectAndCustomize** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -592,7 +436,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the regional formats interface from the Region settings control panel. +This policy setting removes the regional formats interface from the Region settings control panel. This policy setting is used only to simplify the Regional and Language Options control panel. @@ -601,12 +445,6 @@ If you enable this policy setting, the user does not see the regional formats op If you disable or do not configure this policy setting, the user sees the regional formats options for changing and customizing the user locale. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -623,32 +461,14 @@ ADMX Info: **ADMX_Globalization/ImplicitDataCollectionOff_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -663,7 +483,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the automatic learning component of handwriting recognition personalization. +This policy setting turns off the automatic learning component of handwriting recognition personalization. Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. @@ -684,12 +504,6 @@ This policy setting is related to the "Turn off handwriting personalization" pol > Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: 
@@ -706,32 +520,14 @@ ADMX Info: **ADMX_Globalization/ImplicitDataCollectionOff_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -746,7 +542,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the automatic learning component of handwriting recognition personalization. +This policy setting turns off the automatic learning component of handwriting recognition personalization. Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. @@ -767,12 +563,6 @@ This policy setting is related to the "Turn off handwriting personalization" pol > Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: 
@@ -789,32 +579,14 @@ ADMX Info: **ADMX_Globalization/LocaleSystemRestrict** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -829,7 +601,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting does not change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list. +This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting does not change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list. The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada). @@ -838,12 +610,6 @@ If you enable this policy setting, administrators can select a system locale onl If you disable or do not configure this policy setting, administrators can select any system locale shipped with the operating system. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: 
@@ -860,32 +626,14 @@ ADMX Info: **ADMX_Globalization/LocaleUserRestrict_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -900,7 +648,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. +This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. 
@@ -911,12 +659,6 @@ If you enable this policy setting, only locales in the specified locale list can If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -933,32 +675,14 @@ ADMX Info: **ADMX_Globalization/LocaleUserRestrict_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -973,7 +697,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. +This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. 
@@ -986,12 +710,6 @@ If you disable or do not configure this policy setting, users can select any loc If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1008,32 +726,14 @@ ADMX Info: **ADMX_Globalization/LockMachineUILanguage** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1048,7 +748,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the Windows UI language for all users. +This policy setting restricts the Windows UI language for all users. This is a policy setting for computers with more than one UI language installed. @@ -1057,12 +757,6 @@ If you enable this policy setting, the UI language of Windows menus and dialogs If you disable or do not configure this policy setting, the user can specify which UI language is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1079,32 +773,14 @@ ADMX Info: **ADMX_Globalization/LockUserUILanguage** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1119,7 +795,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the Windows UI language for specific users. +This policy setting restricts the Windows UI language for specific users. This policy setting applies to computers with more than one UI language installed. @@ -1130,12 +806,6 @@ If you disable or do not configure this policy setting, there is no restriction To enable this policy setting in Windows Server 2003, Windows XP, or Windows 2000, to use the "Restrict selection of Windows menus and dialogs language" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1152,32 +822,14 @@ ADMX Info: **ADMX_Globalization/PreventGeoIdChange_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1192,7 +844,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their user geographical location (GeoID). +This policy setting prevents users from changing their user geographical location (GeoID). If you enable this policy setting, users cannot change their GeoID. @@ -1203,12 +855,6 @@ If you enable this policy setting at the computer level, it cannot be disabled b To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1225,32 +871,14 @@ ADMX Info: **ADMX_Globalization/PreventGeoIdChange_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1265,7 +893,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their user geographical location (GeoID). +This policy setting prevents users from changing their user geographical location (GeoID). If you enable this policy setting, users cannot change their GeoID. @@ -1276,12 +904,6 @@ If you enable this policy setting at the computer level, it cannot be disabled b To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1298,32 +920,14 @@ ADMX Info: **ADMX_Globalization/PreventUserOverrides_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1338,7 +942,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the user from customizing their locale by changing their user overrides. +This policy setting prevents the user from customizing their locale by changing their user overrides. Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. @@ -1353,12 +957,6 @@ If this policy is set to Enabled at the computer level, then it cannot be disabl To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1375,32 +973,14 @@ ADMX Info: **ADMX_Globalization/PreventUserOverrides_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1415,7 +995,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the user from customizing their locale by changing their user overrides. +This policy setting prevents the user from customizing their locale by changing their user overrides. Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. @@ -1430,12 +1010,6 @@ If this policy is set to Enabled at the computer level, then it cannot be disabl To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1452,32 +1026,14 @@ ADMX Info: **ADMX_Globalization/RestrictUILangSelect** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1492,7 +1048,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region settings control panel. If the specified language is not installed on the target computer, the language selection defaults to English. +This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region settings control panel. If the specified language is not installed on the target computer, the language selection defaults to English. If you enable this policy setting, the dialog box controls in the Regional and Language Options control panel are not accessible to the logged on user. This prevents users from specifying a language different than the one used. @@ -1501,12 +1057,6 @@ To enable this policy setting in Windows Vista, use the "Restricts the UI langua If you disable or do not configure this policy setting, the logged-on user can access the dialog box controls in the Regional and Language Options control panel to select any available UI language. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1523,32 +1073,14 @@ ADMX Info: **ADMX_Globalization/TurnOffAutocorrectMisspelledWords** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1563,7 +1095,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy turns off the autocorrect misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. +This policy turns off the autocorrect misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. The autocorrect misspelled words option controls whether or not errors in typed text will be automatically corrected. @@ -1573,12 +1105,6 @@ If the policy is Disabled or Not Configured, then the user will be free to chang Note that the availability and function of this setting is dependent on supported languages being enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1595,32 +1121,14 @@ ADMX Info: **ADMX_Globalization/TurnOffHighlightMisspelledWords** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1635,7 +1143,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy turns off the highlight misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. +This policy turns off the highlight misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. The highlight misspelled words option controls whether or next spelling errors in typed text will be highlighted. @@ -1646,12 +1154,6 @@ If the policy is Disabled or Not Configured, then the user will be free to chang Note that the availability and function of this setting is dependent on supported languages being enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1668,32 +1170,14 @@ ADMX Info: **ADMX_Globalization/TurnOffInsertSpace** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1708,7 +1192,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy turns off the insert a space after selecting a text prediction option. This does not, however, prevent the user or an application from changing the setting programmatically. +This policy turns off the insert a space after selecting a text prediction option. This does not, however, prevent the user or an application from changing the setting programmatically. The insert a space after selecting a text prediction option controls whether or not a space will be inserted after the user selects a text prediction candidate when using the on-screen keyboard. @@ -1718,12 +1202,6 @@ If the policy is Disabled or Not Configured, then the user will be free to chang Note that the availability and function of this setting is dependent on supported languages being enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1740,32 +1218,14 @@ ADMX Info: **ADMX_Globalization/TurnOffOfferTextPredictions** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1780,7 +1240,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy turns off the offer text predictions as I type option. This does not, however, prevent the user or an application from changing the setting programmatically. +This policy turns off the offer text predictions as I type option. This does not, however, prevent the user or an application from changing the setting programmatically. The offer text predictions as I type option controls whether or not text prediction suggestions will be presented to the user on the on-screen keyboard. @@ -1791,12 +1251,6 @@ If the policy is Disabled or Not Configured, then the user will be free to chang Note that the availability and function of this setting is dependent on supported languages being enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1813,32 +1267,14 @@ ADMX Info: **ADMX_Globalization/Y2K** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1853,7 +1289,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how programs interpret two-digit years. +This policy setting determines how programs interpret two-digit years. This policy setting affects only the programs that use this Windows feature to interpret two-digit years. If a program does not interpret two-digit years correctly, consult the documentation or manufacturer of the program. @@ -1864,12 +1300,6 @@ For example, the default value, 2029, specifies that all two-digit years less th If you disable or do not configure this policy setting, Windows does not interpret two-digit year formats using this scheme for the program. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1882,7 +1312,4 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md index cbb70f971a..c48c954fb7 100644 --- a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_GroupPolicy -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -160,32 +164,14 @@ manager: dansimp **ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -195,12 +181,13 @@ manager: dansimp > [!div class = "checklist"] > * Device +> * User
                  -Available in the latest Windows 10 Insider Preview Build. This policy setting allows user-based policy processing, roaming user profiles, and user object logon scripts for interactive logons across forests. +This policy setting allows user-based policy processing, roaming user profiles, and user object logon scripts for interactive logons across forests. This policy setting affects all user accounts that interactively log on to a computer in a different forest when a trust across forests or a two-way forest trust exists. @@ -216,12 +203,7 @@ If you enable this policy setting, the behavior is exactly the same as in Window If you disable this policy setting, the behavior is the same as if it is not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -238,32 +220,14 @@ ADMX Info: **ADMX_GroupPolicy/CSE_AppMgmt** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -278,7 +242,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when software installation policies are updated. +This policy setting determines when software installation policies are updated. This policy setting affects all policy settings that use the software installation component of Group Policy, such as policy settings in Software Settings\Software Installation. You can set software installation policy only for Group Policy Objects stored in Active Directory, not for Group Policy Objects on the local computer. @@ -291,12 +255,7 @@ The "Allow processing across a slow network connection" option updates the polic The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy setting implementations specify that they are updated only when changed. However, you might want to update unchanged policy settings, such as reapplying a desired policies in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -313,32 +272,14 @@ ADMX Info: **ADMX_GroupPolicy/CSE_DiskQuota** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -353,7 +294,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when disk quota policies are updated. +This policy setting determines when disk quota policies are updated. This policy setting affects all policies that use the disk quota component of Group Policy, such as those in Computer Configuration\Administrative Templates\System\Disk Quotas. @@ -368,12 +309,7 @@ The "Do not apply during periodic background processing" option prevents the sys The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -390,32 +326,14 @@ ADMX Info: **ADMX_GroupPolicy/CSE_EFSRecovery** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -430,7 +348,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when encryption policies are updated. +This policy setting determines when encryption policies are updated. This policy setting affects all policies that use the encryption component of Group Policy, such as policies related to encryption in Windows Settings\Security Settings. @@ -445,12 +363,7 @@ The "Do not apply during periodic background processing" option prevents the sys The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -467,32 +380,14 @@ ADMX Info: **ADMX_GroupPolicy/CSE_FolderRedirection** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -507,7 +402,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when folder redirection policies are updated. +This policy setting determines when folder redirection policies are updated. This policy setting affects all policies that use the folder redirection component of Group Policy, such as those in WindowsSettings\Folder Redirection. You can only set folder redirection policy for Group Policy objects, stored in Active Directory, not for Group Policy objects on the local computer. @@ -520,12 +415,7 @@ The "Allow processing across a slow network connection" option updates the polic The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -542,32 +432,14 @@ ADMX Info: **ADMX_GroupPolicy/CSE_IEM** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -582,7 +454,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when Internet Explorer Maintenance policies are updated. +This policy setting determines when Internet Explorer Maintenance policies are updated. This policy setting affects all policies that use the Internet Explorer Maintenance component of Group Policy, such as those in Windows Settings\Internet Explorer Maintenance. @@ -597,12 +469,7 @@ The "Do not apply during periodic background processing" option prevents the sys The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -619,32 +486,14 @@ ADMX Info: **ADMX_GroupPolicy/CSE_IPSecurity** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -659,7 +508,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when IP security policies are updated. +This policy setting determines when IP security policies are updated. This policy setting affects all policies that use the IP security component of Group Policy, such as policies in Computer Configuration\Windows Settings\Security Settings\IP Security Policies on Local Machine. @@ -674,12 +523,7 @@ The "Do not apply during periodic background processing" option prevents the sys The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -696,32 +540,14 @@ ADMX Info: **ADMX_GroupPolicy/CSE_Registry** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -736,7 +562,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when registry policies are updated. +This policy setting determines when registry policies are updated. This policy setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed. @@ -747,12 +573,7 @@ The "Do not apply during periodic background processing" option prevents the sys The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -769,32 +590,14 @@ ADMX Info: **ADMX_GroupPolicy/CSE_Scripts** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -809,7 +612,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when policies that assign shared scripts are updated. +This policy setting determines when policies that assign shared scripts are updated. This policy setting affects all policies that use the scripts component of Group Policy, such as those in WindowsSettings\Scripts. It overrides customized settings that the program implementing the scripts policy set when it was installed. @@ -822,12 +625,7 @@ The "Do not apply during periodic background processing" option prevents the sys The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -844,32 +642,14 @@ ADMX Info: **ADMX_GroupPolicy/CSE_Security** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -884,7 +664,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when security policies are updated. +This policy setting determines when security policies are updated. This policy setting affects all policies that use the security component of Group Policy, such as those in Windows Settings\Security Settings. @@ -897,12 +677,7 @@ The "Do not apply during periodic background processing" option prevents the sys The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they be updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -919,32 +694,14 @@ ADMX Info: **ADMX_GroupPolicy/CSE_Wired** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -959,7 +716,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when policies that assign wired network settings are updated. +This policy setting determines when policies that assign wired network settings are updated. This policy setting affects all policies that use the wired network component of Group Policy, such as those in Windows Settings\Wired Network Policies. @@ -976,12 +733,7 @@ The "Do not apply during periodic background processing" option prevents the sys The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -998,32 +750,14 @@ ADMX Info: **ADMX_GroupPolicy/CSE_Wireless** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1038,7 +772,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when policies that assign wireless network settings are updated. +This policy setting determines when policies that assign wireless network settings are updated. This policy setting affects all policies that use the wireless network component of Group Policy, such as those in WindowsSettings\Wireless Network Policies. @@ -1055,12 +789,7 @@ The "Do not apply during periodic background processing" option prevents the sys The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1077,32 +806,14 @@ ADMX Info: **ADMX_GroupPolicy/CorpConnSyncWaitTime** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  
@@ -1117,19 +828,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until workplace connectivity is available or the wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. +This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until workplace connectivity is available or the wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. If you enable this policy setting, Group Policy uses this administratively configured maximum wait time for workplace connectivity, and overrides any default or system-computed wait time. If you disable or do not configure this policy setting, Group Policy will use the default wait time of 60 seconds on computers running Windows operating systems greater than Windows 7 configured for workplace connectivity. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
-> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1146,32 +852,14 @@ ADMX Info: **ADMX_GroupPolicy/DenyRsopToInteractiveUser_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1186,7 +874,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. +This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. @@ -1202,12 +890,7 @@ If you disable or do not configure this policy setting, interactive users can ge > This policy setting exists as both a User Configuration and Computer Configuration setting. Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1224,32 +907,14 @@ ADMX Info: **ADMX_GroupPolicy/DenyRsopToInteractiveUser_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1264,7 +929,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. +This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. @@ -1280,12 +945,7 @@ If you disable or do not configure this policy setting, interactive users can ge > This policy setting exists as both a User Configuration and Computer Configuration setting. Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1302,32 +962,14 @@ ADMX Info: **ADMX_GroupPolicy/DisableAOACProcessing** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1342,15 +984,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the Group Policy Client Service from stopping when idle. +This policy setting prevents the Group Policy Client Service from stopping when idle. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1367,32 +1004,14 @@ ADMX Info: **ADMX_GroupPolicy/DisableAutoADMUpdate** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1407,7 +1026,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents the system from updating the Administrative Templates source files automatically when you open the Group Policy Object Editor. +Prevents the system from updating the Administrative Templates source files automatically when you open the Group Policy Object Editor. Administrators might want to use this if they are concerned about the amount of space used on the system volume of a DC. @@ -1425,12 +1044,7 @@ Files will always be copied to the GPO if they have a later timestamp. > If the Computer Configuration policy setting, "Always use local ADM files for the Group Policy Object Editor" is enabled, the state of this setting is ignored and always treated as Enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1447,32 +1061,14 @@ ADMX Info: **ADMX_GroupPolicy/DisableBackgroundPolicy** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1487,7 +1083,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users, and domain controllers. +This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users, and domain controllers. If you enable this policy setting, the system waits until the current user logs off the system before updating the computer and user settings. @@ -1497,12 +1093,7 @@ If you disable or do not configure this policy setting, updates can be applied w > If you make changes to this policy setting, you must restart your computer for it to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1519,32 +1110,14 @@ ADMX Info: **ADMX_GroupPolicy/DisableLGPOProcessing** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1559,7 +1132,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Local Group Policy Objects (Local GPOs) from being applied. +This policy setting prevents Local Group Policy Objects (Local GPOs) from being applied. By default, the policy settings in Local GPOs are applied before any domain-based GPO policy settings. These policy settings can apply to both users and the local computer. You can disable the processing and application of all Local GPOs to ensure that only domain-based GPOs are applied. @@ -1571,12 +1144,7 @@ If you disable or do not configure this policy setting, Local GPOs continue to b > For computers joined to a domain, it is strongly recommended that you only configure this policy setting in domain-based GPOs. This policy setting will be ignored on computers that are joined to a workgroup. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1593,32 +1161,14 @@ ADMX Info: **ADMX_GroupPolicy/DisableUsersFromMachGP** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1633,13 +1183,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control a user's ability to invoke a computer policy refresh. +This policy setting allows you to control a user's ability to invoke a computer policy refresh. If you enable this policy setting, users are not able to invoke a refresh of computer policy. Computer policy will still be applied at startup or when an official policy refresh occurs. If you disable or do not configure this policy setting, the default behavior applies. By default, computer policy is applied when the computer starts up. It also applies at a specified refresh interval or when manually invoked by the user. -Note: This policy setting applies only to non-administrators. Administrators can still invoke a refresh of computer policy at any time, no matter how this policy setting is configured. +> [!NOTE] +> This policy setting applies only to non-administrators. Administrators can still invoke a refresh of computer policy at any time, no matter how this policy setting is configured. Also, see the "Set Group Policy refresh interval for computers" policy setting to change the policy refresh interval. 
@@ -1647,12 +1198,7 @@ Also, see the "Set Group Policy refresh interval for computers" policy setting t > If you make changes to this policy setting, you must restart your computer for it to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1669,32 +1215,14 @@ ADMX Info: **ADMX_GroupPolicy/EnableCDP** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1709,7 +1237,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences). +This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences). If you enable this policy setting, the Windows device is discoverable by other Windows devices that belong to the same user, and can participate in cross-device experiences. @@ -1718,12 +1246,7 @@ If you disable this policy setting, the Windows device is not discoverable by ot If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1740,32 +1263,14 @@ ADMX Info: **ADMX_GroupPolicy/EnableLogonOptimization** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1780,7 +1285,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Group Policy caching behavior. +This policy setting allows you to configure Group Policy caching behavior. If you enable or do not configure this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) 
@@ -1791,12 +1296,7 @@ The timeout value that is defined in this policy setting determines how long Gro If you disable this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1813,32 +1313,14 @@ ADMX Info: **ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1853,7 +1335,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Group Policy caching behavior on Windows Server machines. +This policy setting allows you to configure Group Policy caching behavior on Windows Server machines. If you enable this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) 
@@ -1864,12 +1346,7 @@ The timeout value that is defined in this policy setting determines how long Gro If you disable or do not configure this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1886,32 +1363,14 @@ ADMX Info: **ADMX_GroupPolicy/EnableMMX** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1926,7 +1385,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading, emailing and other tasks that requires linking between Phone and PC. +This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading, emailing and other tasks that requires linking between Phone and PC. If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in Continue on PC experiences. @@ -1935,12 +1394,7 @@ If you disable this policy setting, the Windows device is not allowed to be link If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1957,32 +1411,14 @@ ADMX Info: **ADMX_GroupPolicy/EnforcePoliciesOnly** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1997,7 +1433,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents administrators from viewing or using Group Policy preferences. +This policy setting prevents administrators from viewing or using Group Policy preferences. A Group Policy administration (.adm) file can contain both true settings and preferences. True settings, which are fully supported by Group Policy, must use registry entries in the Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies registry subkeys. Preferences, which are not fully supported, use registry entries in other subkeys. @@ -2011,12 +1447,7 @@ If you disable or do not configure this policy setting, the "Show Policies Only" In Group Policy Object Editor, preferences have a red icon to distinguish them from true settings, which have a blue icon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2033,32 +1464,14 @@ ADMX Info: **ADMX_GroupPolicy/FontMitigation** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2073,17 +1486,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. +This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If you aren't quite ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2100,32 +1508,14 @@ ADMX Info: **ADMX_GroupPolicy/GPDCOptions** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2140,7 +1530,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines which domain controller the Group Policy Object Editor snap-in uses. +This policy setting determines which domain controller the Group Policy Object Editor snap-in uses. If you enable this setting, you can which domain controller is used according to these options: @@ -2156,12 +1546,7 @@ If you disable this setting or do not configure it, the Group Policy Object Edit > To change the PDC Operations Master for a domain, in Active Directory Users and Computers, right-click a domain, and then click "Operations Masters." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2178,32 +1563,14 @@ ADMX Info: **ADMX_GroupPolicy/GPTransferRate_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2218,7 +1585,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines a slow connection for purposes of applying and updating Group Policy. +This policy setting defines a slow connection for purposes of applying and updating Group Policy. If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow. 
@@ -2230,15 +1597,13 @@ If you disable this setting or do not configure it, the system uses the default This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder. -Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. Note: If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. +Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. + +> [!NOTE] +> If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2255,32 +1620,14 @@ ADMX Info: **ADMX_GroupPolicy/GPTransferRate_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -2295,7 +1642,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting defines a slow connection for purposes of applying and updating Group Policy.
+This policy setting defines a slow connection for purposes of applying and updating Group Policy.
 If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow.
@@ -2307,15 +1654,13 @@ If you disable this setting or do not configure it, the system uses the default This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder. -Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. Note: If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. +Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. + +> [!NOTE] +> If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2332,32 +1677,14 @@ ADMX Info: **ADMX_GroupPolicy/GroupPolicyRefreshRate** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2372,7 +1699,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how often Group Policy for computers is updated while the computer is in use (in the background). This setting specifies a background update rate only for Group Policies in the Computer Configuration folder. +This policy setting specifies how often Group Policy for computers is updated while the computer is in use (in the background). This setting specifies a background update rate only for Group Policies in the Computer Configuration folder. In addition to background updates, Group Policy for the computer is always updated when the system starts. @@ -2392,12 +1719,7 @@ This setting is only used when the "Turn off background refresh of Group Policy" > Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs users can run, might interfere with tasks in progress. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2414,32 +1736,14 @@ ADMX Info: **ADMX_GroupPolicy/GroupPolicyRefreshRateDC** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2454,7 +1758,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how often Group Policy is updated on domain controllers while they are running (in the background). The updates specified by this setting occur in addition to updates performed when the system starts. +This policy setting specifies how often Group Policy is updated on domain controllers while they are running (in the background). The updates specified by this setting occur in addition to updates performed when the system starts. By default, Group Policy on the domain controllers is updated every five minutes. @@ -2468,12 +1772,7 @@ This setting also lets you specify how much the actual update interval varies. T > This setting is used only when you are establishing policy for a domain, site, organizational unit (OU), or customized group. If you are establishing policy for a local computer only, the system ignores this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2490,32 +1789,14 @@ ADMX Info: **ADMX_GroupPolicy/GroupPolicyRefreshRateUser** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2530,7 +1811,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how often Group Policy for users is updated while the computer is in use (in the background). This setting specifies a background update rate only for the Group Policies in the User Configuration folder. +This policy setting specifies how often Group Policy for users is updated while the computer is in use (in the background). This setting specifies a background update rate only for the Group Policies in the User Configuration folder. In addition to background updates, Group Policy for users is always updated when users log on. @@ -2552,12 +1833,7 @@ This setting also lets you specify how much the actual update interval varies. T > Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs a user can run, might interfere with tasks in progress. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2574,32 +1850,14 @@ ADMX Info: **ADMX_GroupPolicy/LogonScriptDelay** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2614,7 +1872,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enter “0” to disable Logon Script Delay. +Enter “0” to disable Logon Script Delay. This policy setting allows you to configure how long the Group Policy client waits after logon before running scripts. @@ -2627,12 +1885,7 @@ If you disable this policy setting, Group Policy will run scripts immediately af If you do not configure this policy setting, Group Policy will wait five minutes before running logon scripts. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2649,32 +1902,14 @@ ADMX Info: **ADMX_GroupPolicy/NewGPODisplayName** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2689,7 +1924,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set the default display name for new Group Policy objects. +This policy setting allows you to set the default display name for new Group Policy objects. This setting allows you to specify the default name for new Group Policy objects created from policy compliant Group Policy Management tools including the Group Policy tab in Active Directory tools and the GPO browser. @@ -2698,12 +1933,7 @@ The display name can contain environment variables and can be a maximum of 255 c If this setting is Disabled or Not Configured, the default display name of New Group Policy object is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2720,32 +1950,14 @@ ADMX Info: **ADMX_GroupPolicy/NewGPOLinksDisabled** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2760,19 +1972,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create new Group Policy object links in the disabled state. +This policy setting allows you to create new Group Policy object links in the disabled state. If you enable this setting, you can create all new Group Policy object links in the disabled state by default. After you configure and test the new object links by using a policy compliant Group Policy management tool such as Active Directory Users and Computers or Active Directory Sites and Services, you can enable the object links for use on the system. If you disable this setting or do not configure it, new Group Policy object links are created in the enabled state. If you do not want them to be effective until they are configured and tested, you must disable the object link. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2789,32 +1996,14 @@ ADMX Info: **ADMX_GroupPolicy/OnlyUseLocalAdminFiles** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2829,7 +2018,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you always use local ADM files for the Group Policy snap-in. +This policy setting lets you always use local ADM files for the Group Policy snap-in. By default, when you edit a Group Policy Object (GPO) using the Group Policy Object Editor snap-in, the ADM files are loaded from that GPO into the Group Policy Object Editor snap-in. This allows you to use the same version of the ADM files that were used to create the GPO while editing this GPO. @@ -2853,12 +2042,7 @@ If you disable or do not configure this setting, the Group Policy Object Editor > If the ADMs that you require are not all available locally in your %windir%\inf directory, you might not be able to see all the settings that have been configured in the GPO that you are editing. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2875,32 +2059,14 @@ ADMX Info: **ADMX_GroupPolicy/ProcessMitigationOptions** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2916,7 +2082,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This security feature provides a means to override individual process MitigationOptions settings. This can be used to enforce a number of security policies specific to applications. The application name is specified as the Value name, including extension. The Value is specified as a bit field with a series of flags in particular positions. Bits can be set to either 0 (setting is forced off), 1 (setting is forced on), or ? (setting retains its existing value prior to GPO evaluation). The recognized bit locations are: +This security feature provides a means to override individual process MitigationOptions settings. This can be used to enforce a number of security policies specific to applications. The application name is specified as the Value name, including extension. The Value is specified as a bit field with a series of flags in particular positions. Bits can be set to either 0 (setting is forced off), 1 (setting is forced on), or ? (setting retains its existing value prior to GPO evaluation). The recognized bit locations are: PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001) Enables data execution prevention (DEP) for the child process 
@@ -2940,12 +2106,7 @@ For instance, to enable PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE and PROCES Setting flags not specified here to any value other than ? results in undefined behavior. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2962,32 +2123,14 @@ ADMX Info: **ADMX_GroupPolicy/RSoPLogging** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -3002,7 +2145,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting allows you to enable or disable Resultant Set of Policy (RSoP) logging on a client computer. +This setting allows you to enable or disable Resultant Set of Policy (RSoP) logging on a client computer. RSoP logs information on Group Policy settings that have been applied to the client. This information includes details such as which Group Policy Objects (GPO) were applied, where they came from, and the client-side extension settings that were included. @@ -3014,12 +2157,7 @@ If you disable or do not configure this setting, RSoP logging is turned on. By d > To view the RSoP information logged on a client computer, you can use the RSoP snap-in in the Microsoft Management Console (MMC). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3036,32 +2174,14 @@ ADMX Info: **ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -3076,15 +2196,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enabling this setting will cause the Group Policy Client to connect to the same domain controller for DFS shares as is being used for Active Directory. +Enabling this setting will cause the Group Policy Client to connect to the same domain controller for DFS shares as is being used for Active Directory. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3101,32 +2216,14 @@ ADMX Info: **ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -3141,7 +2238,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting allows an administrator to define the Direct Access connection to be considered a fast network connection for the purposes of applying and updating Group Policy.
+This policy setting allows an administrator to define the Direct Access connection to be considered a fast network connection for the purposes of applying and updating Group Policy.
 When Group Policy detects the bandwidth speed of a Direct Access connection, the detection can sometimes fail to provide any bandwidth speed information. If Group Policy detects a bandwidth speed, Group Policy will follow the normal rules for evaluating if the Direct Access connection is a fast or slow network connection. If no bandwidth speed is detected, Group Policy will default to a slow network connection. This policy setting allows the administrator the option to override the default to slow network connection and instead default to using a fast network connection in the case that no network bandwidth speed is determined.
@@ -3153,12 +2250,7 @@ If you enable this policy, when Group Policy cannot determine the bandwidth spee If you disable this setting or do not configure it, Group Policy will evaluate the network connection as a slow link and process only those client side extensions configured to process over a slow link. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3175,32 +2267,14 @@ ADMX Info: **ADMX_GroupPolicy/SlowlinkDefaultToAsync** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -3215,7 +2289,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy directs Group Policy processing to skip processing any client side extension that requires synchronous processing (that is, whether computers wait for the network to be fully initialized during computer startup and user logon) when a slow network connection is detected. +This policy directs Group Policy processing to skip processing any client side extension that requires synchronous processing (that is, whether computers wait for the network to be fully initialized during computer startup and user logon) when a slow network connection is detected. If you enable this policy setting, when a slow network connection is detected, Group Policy processing will always run in an asynchronous manner. Client computers will not wait for the network to be fully initialized at startup and logon. Existing users will be logged on using cached credentials, @@ -3232,12 +2306,7 @@ and Drive Maps preference extension will not be applied. If you disable or do not configure this policy setting, detecting a slow network connection will not affect whether Group Policy processing will be synchronous or asynchronous. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -3254,32 +2323,14 @@ ADMX Info: **ADMX_GroupPolicy/SyncWaitTime** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  
@@ -3294,19 +2345,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how long Group Policy should wait for network availability notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until the network is available or the default wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. +This policy setting specifies how long Group Policy should wait for network availability notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until the network is available or the default wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. If you enable this policy setting, Group Policy will use this administratively configured maximum wait time and override any default or system-computed wait time. If you disable or do not configure this policy setting, Group Policy will use the default wait time of 30 seconds on computers running Windows Vista operating system. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. 
To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3323,32 +2369,14 @@ ADMX Info: **ADMX_GroupPolicy/UserPolicyMode** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -3363,7 +2391,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used. +This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used. By default, the user's Group Policy Objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies. @@ -3379,12 +2407,7 @@ If you disable this setting or do not configure it, the user's Group Policy Obje > This setting is effective only when both the computer account and the user account are in at least Windows 2000 domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3397,6 +2420,5 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-help.md b/windows/client-management/mdm/policy-csp-admx-help.md index fcdb9696af..910d8eb41d 100644 --- a/windows/client-management/mdm/policy-csp-admx-help.md +++ b/windows/client-management/mdm/policy-csp-admx-help.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Help -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -43,32 +47,14 @@ manager: dansimp **ADMX_Help/DisableHHDEP** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -83,7 +69,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced Data Execution Prevention. +This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced Data Execution Prevention. Data Execution Prevention (DEP) is designed to block malicious code that takes advantage of exception-handling mechanisms in Windows by monitoring your programs to make sure that they use system memory safely. @@ -92,12 +78,7 @@ If you enable this policy setting, DEP for HTML Help Executable is turned off. T If you disable or do not configure this policy setting, DEP is turned on for HTML Help Executable. This provides an additional security benefit, but HTML Help stops if DEP detects system memory abnormalities. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -114,32 +95,14 @@ ADMX Info: **ADMX_Help/HelpQualifiedRootDir_Comp** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -154,7 +117,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting. +This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting. If you enable this policy setting, the commands function only for .chm files in the specified folders and their subfolders. @@ -175,12 +138,7 @@ If you disable or do not configure this policy setting, these commands are fully For additional options, see the "Restrict these programs from being launched from Help" policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -197,32 +155,14 @@ ADMX Info: **ADMX_Help/RestrictRunFromHelp** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -237,7 +177,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict programs from being run from online Help. +This policy setting allows you to restrict programs from being run from online Help. If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas. @@ -249,12 +189,7 @@ If you disable or do not configure this policy setting, users can run all applic > This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -271,32 +206,14 @@ ADMX Info: **ADMX_Help/RestrictRunFromHelp_Comp** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -311,7 +228,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict programs from being run from online Help. +This policy setting allows you to restrict programs from being run from online Help. If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas. @@ -322,12 +239,7 @@ If you disable or do not configure this policy setting, users can run all applic > > This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -340,8 +252,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md index 15a6785034..ee1c066857 100644 --- a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md +++ b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_HelpAndSupport -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -43,32 +47,14 @@ manager: dansimp **ADMX_HelpAndSupport/ActiveHelp** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -83,19 +69,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links. +This policy setting specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links. If you enable this policy setting, active content links are not rendered. The text is displayed, but there are no clickable links for these elements. If you disable or do not configure this policy setting, the default behavior applies (Help viewer renders trusted assistance content with active elements). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -112,32 +93,14 @@ ADMX Info: **ADMX_HelpAndSupport/HPExplicitFeedback** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -152,7 +115,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can provide ratings for Help content. +This policy setting specifies whether users can provide ratings for Help content. If you enable this policy setting, ratings controls are not added to Help content. @@ -161,12 +124,7 @@ If you disable or do not configure this policy setting, ratings controls are add Users can use the control to provide feedback on the quality and usefulness of the Help and Support content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -182,32 +140,14 @@ ADMX Info: **ADMX_HelpAndSupport/HPImplicitFeedback** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -222,19 +162,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it. +This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it. If you enable this policy setting, users cannot participate in the Help Experience Improvement program. If you disable or do not configure this policy setting, users can turn on the Help Experience Improvement program feature from the Help and Support settings page. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -251,32 +186,14 @@ ADMX Info: **ADMX_HelpAndSupport/HPOnlineAssistance** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -291,19 +208,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can search and view content from Windows Online in Help and Support. Windows Online provides the most up-to-date Help content for Windows. +This policy setting specifies whether users can search and view content from Windows Online in Help and Support. Windows Online provides the most up-to-date Help content for Windows. If you enable this policy setting, users are prevented from accessing online assistance content from Windows Online. If you disable or do not configure this policy setting, users can access online assistance if they have a connection to the Internet and have not disabled Windows Online from the Help and Support Options page. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -316,8 +228,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md index 17e85306fc..bf33f5110d 100644 --- a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md +++ b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_HotSpotAuth -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -33,38 +38,14 @@ manager: dansimp **ADMX_HotSpotAuth/HotspotAuth_Enable** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -90,12 +71,6 @@ This policy setting defines whether WLAN hotspots are probed for Wireless Intern - If you disable this policy setting, WLAN hotspots are not probed for WISPr protocol support, and users can only authenticate with WLAN hotspots using a web browser. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -109,7 +84,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-icm.md b/windows/client-management/mdm/policy-csp-admx-icm.md index eecfadc85d..9a09f8f2fa 100644 --- a/windows/client-management/mdm/policy-csp-admx-icm.md +++ b/windows/client-management/mdm/policy-csp-admx-icm.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_ICM -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -109,32 +113,14 @@ manager: dansimp **ADMX_ICM/CEIPEnable** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -149,7 +135,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the Windows Customer Experience Improvement Program. The Windows Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and services to identify trends and usage patterns. Microsoft will not collect your name, address, or any other personally identifiable information. There are no surveys to complete, no salesperson will call, and you can continue working without interruption. It is simple and user-friendly. +This policy setting turns off the Windows Customer Experience Improvement Program. The Windows Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and services to identify trends and usage patterns. Microsoft will not collect your name, address, or any other personally identifiable information. There are no surveys to complete, no salesperson will call, and you can continue working without interruption. It is simple and user-friendly. If you enable this policy setting, all users are opted out of the Windows Customer Experience Improvement Program. 
@@ -158,12 +144,7 @@ If you disable this policy setting, all users are opted into the Windows Custome If you do not configure this policy setting, the administrator can use the Problem Reports and Solutions component in Control Panel to enable Windows Customer Experience Improvement Program for all users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -180,32 +161,14 @@ ADMX Info: **ADMX_ICM/CertMgr_DisableAutoRootUpdates** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -220,7 +183,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to automatically update root certificates using the Windows Update website. +This policy setting specifies whether to automatically update root certificates using the Windows Update website. Typically, a certificate is used when you use a secure website or when you send and receive secure email. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizations that it considers trusted authorities. @@ -229,12 +192,7 @@ If you enable this policy setting, when you are presented with a certificate iss If you disable or do not configure this policy setting, your computer will contact the Windows Update website. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -251,32 +209,14 @@ ADMX Info: **ADMX_ICM/DisableHTTPPrinting_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -291,7 +231,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to allow printing over HTTP from this client. +This policy setting specifies whether to allow printing over HTTP from this client. Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. @@ -303,12 +243,7 @@ If you enable this policy setting, it prevents this client from printing to Inte If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -325,32 +260,14 @@ ADMX Info: **ADMX_ICM/DisableWebPnPDownload_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -365,7 +282,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to allow this client to download print driver packages over HTTP. +This policy setting specifies whether to allow this client to download print driver packages over HTTP. To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. @@ -379,12 +296,7 @@ If you enable this policy setting, print drivers cannot be downloaded over HTTP. If you disable or do not configure this policy setting, users can download print drivers over HTTP. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -401,32 +313,14 @@ ADMX Info: **ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -441,7 +335,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows searches Windows Update for device drivers when no local drivers for a device are present. +This policy setting specifies whether Windows searches Windows Update for device drivers when no local drivers for a device are present. If you enable this policy setting, Windows Update is not searched when a new device is installed. @@ -455,12 +349,7 @@ Also see "Turn off Windows Update device driver search prompt" in "Administrativ > This policy setting is replaced by "Specify Driver Source Search Order" in "Administrative Templates/System/Device Installation" on newer versions of Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -477,32 +366,14 @@ ADMX Info: **ADMX_ICM/EventViewer_DisableLinks** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -517,7 +388,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether "Events.asp" hyperlinks are available for events within the Event Viewer application. +This policy setting specifies whether "Events.asp" hyperlinks are available for events within the Event Viewer application. The Event Viewer normally makes all HTTP(S) URLs into hyperlinks that activate the Internet browser when clicked. In addition, "More Information" is placed at the end of the description text if the event is created by a Microsoft component. This text contains a link (URL) that, if clicked, sends information about the event to Microsoft, and allows users to learn more about why that event occurred. @@ -528,12 +399,7 @@ If you disable or do not configure this policy setting, the user can click the h Also, see "Events.asp URL", "Events.asp program", and "Events.asp Program Command Line Parameters" settings in "Administrative Templates/Windows Components/Event Viewer". -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -550,32 +416,14 @@ ADMX Info: **ADMX_ICM/HSS_HeadlinesPolicy** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -590,7 +438,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to show the "Did you know?" section of Help and Support Center. +This policy setting specifies whether to show the "Did you know?" section of Help and Support Center. This content is dynamically updated when users who are connected to the Internet open Help and Support Center, and provides up-to-date information about Windows and the computer. @@ -601,12 +449,7 @@ If you disable or do not configure this policy setting, the Help and Support Cen You might want to enable this policy setting for users who do not have Internet access, because the content in the "Did you know?" section will remain static indefinitely without an Internet connection. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -623,32 +466,14 @@ ADMX Info: **ADMX_ICM/HSS_KBSearchPolicy** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -663,7 +488,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can perform a Microsoft Knowledge Base search from the Help and Support Center. +This policy setting specifies whether users can perform a Microsoft Knowledge Base search from the Help and Support Center. The Knowledge Base is an online source of technical support information and self-help tools for Microsoft products, and is searched as part of all Help and Support Center searches with the default search options. @@ -672,12 +497,7 @@ If you enable this policy setting, it removes the Knowledge Base section from th If you disable or do not configure this policy setting, the Knowledge Base is searched if the user has a connection to the Internet and has not disabled the Knowledge Base search from the Search Options page. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -694,32 +514,14 @@ ADMX Info: **ADMX_ICM/InternetManagement_RestrictCommunication_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -734,7 +536,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. +This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet. @@ -743,12 +545,7 @@ If you disable this policy setting, all of the the policy settings listed in the If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -765,32 +562,14 @@ ADMX Info: **ADMX_ICM/InternetManagement_RestrictCommunication_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -805,7 +584,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. +This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet. @@ -813,12 +592,7 @@ If you disable this policy setting, all of the the policy settings listed in the If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -835,32 +609,14 @@ ADMX Info: **ADMX_ICM/NC_ExitOnISP** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -875,19 +631,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). +This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). If you enable this policy setting, the "Choose a list of Internet Service Providers" path in the Internet Connection Wizard causes the wizard to exit. This prevents users from retrieving the list of ISPs, which resides on Microsoft servers. If you disable or do not configure this policy setting, users can connect to Microsoft to download a list of ISPs for their area. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -904,32 +655,14 @@ ADMX Info: **ADMX_ICM/NC_NoRegistration** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -944,7 +677,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. +This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. If you enable this policy setting, it blocks users from connecting to Microsoft.com for online registration and users cannot register their copy of Windows online. @@ -953,12 +686,7 @@ If you disable or do not configure this policy setting, users can connect to Mic Note that registration is optional and involves submitting some personal information to Microsoft. However, Windows Product Activation is required but does not involve submitting any personal information (except the country/region you live in). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -975,32 +703,14 @@ ADMX Info: **ADMX_ICM/PCH_DoNotReport** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1015,7 +725,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not errors are reported to Microsoft. +This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. @@ -1028,12 +738,7 @@ This policy setting overrides any user setting made from the Control Panel for e Also see the "Configure Error Reporting", "Display Error Notification" and "Disable Windows Error Reporting" policy settings under Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1050,32 +755,14 @@ ADMX Info: **ADMX_ICM/RemoveWindowsUpdate_ICM** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1090,7 +777,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove access to Windows Update. +This policy setting allows you to remove access to Windows Update. If you enable this policy setting, all Windows Update features are removed. This includes blocking access to the Windows Update website at https://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically installing driver updates from the Windows Update website. @@ -1100,12 +787,7 @@ If you disable or do not configure this policy setting, users can access the Win > This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1122,32 +804,14 @@ ADMX Info: **ADMX_ICM/SearchCompanion_DisableFileUpdates** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1162,7 +826,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. +This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. When users search the local computer or the Internet, Search Companion occasionally connects to Microsoft to download an updated privacy policy and additional content files used to format and display results. @@ -1174,12 +838,7 @@ If you disable or do not configure this policy setting, Search Companion downloa > Internet searches still send the search text and information about the search to Microsoft and the chosen search provider. Choosing Classic Search turns off the Search Companion feature completely. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1196,32 +855,14 @@ ADMX Info: **ADMX_ICM/ShellNoUseInternetOpenWith_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1236,7 +877,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. +This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. When a user opens a file that has an extension that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application. @@ -1245,12 +886,7 @@ If you enable this policy setting, the link and the dialog for using the Web ser If you disable or do not configure this policy setting, the user is allowed to use the Web service. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1267,32 +903,14 @@ ADMX Info: **ADMX_ICM/ShellNoUseInternetOpenWith_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1307,7 +925,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. +This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. When a user opens a file that has an extension that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application. @@ -1316,12 +934,7 @@ If you enable this policy setting, the link and the dialog for using the Web ser If you disable or do not configure this policy setting, the user is allowed to use the Web service. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1338,32 +951,14 @@ ADMX Info: **ADMX_ICM/ShellNoUseStoreOpenWith_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1378,7 +973,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. +This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. @@ -1387,12 +982,7 @@ If you enable this policy setting, the "Look for an app in the Store" item in th If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1409,32 +999,14 @@ ADMX Info: **ADMX_ICM/ShellNoUseStoreOpenWith_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1449,7 +1021,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. +This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. @@ -1458,12 +1030,7 @@ If you enable this policy setting, the "Look for an app in the Store" item in th If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1480,32 +1047,14 @@ ADMX Info: **ADMX_ICM/ShellPreventWPWDownload_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1520,7 +1069,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. +This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed. 
@@ -1529,12 +1078,7 @@ If you disable or do not configure this policy setting, a list of providers are See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1551,32 +1095,14 @@ ADMX Info: **ADMX_ICM/ShellRemoveOrderPrints_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1591,19 +1117,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. +This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders. If you disable or do not configure this policy setting, the task is displayed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1620,32 +1141,14 @@ ADMX Info: **ADMX_ICM/ShellRemoveOrderPrints_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1660,7 +1163,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. +This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. @@ -1669,12 +1172,7 @@ If you enable this policy setting, the task "Order Prints Online" is removed fro If you disable or do not configure this policy setting, the task is displayed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1691,32 +1189,14 @@ ADMX Info: **ADMX_ICM/ShellRemovePublishToWeb_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1731,19 +1211,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. +This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web. If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. If you disable or do not configure this policy setting, the tasks are shown. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1760,32 +1235,14 @@ ADMX Info: **ADMX_ICM/ShellRemovePublishToWeb_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1800,7 +1257,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. +This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web. @@ -1809,12 +1266,7 @@ If you enable this policy setting, these tasks are removed from the File and Fol If you disable or do not configure this policy setting, the tasks are shown. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1831,32 +1283,14 @@ ADMX Info: **ADMX_ICM/WinMSG_NoInstrumentation_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1871,7 +1305,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. +This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. @@ -1882,12 +1316,7 @@ If you enable this policy setting, Windows Messenger does not collect usage info If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting is not shown. If you do not configure this policy setting, users have the choice to opt in and allow information to be collected. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1904,32 +1333,14 @@ ADMX Info: **ADMX_ICM/WinMSG_NoInstrumentation_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1944,7 +1355,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. +This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. @@ -1957,12 +1368,7 @@ If you disable this policy setting, Windows Messenger collects anonymous usage i If you do not configure this policy setting, users have the choice to opt in and allow information to be collected. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1975,8 +1381,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-iis.md b/windows/client-management/mdm/policy-csp-admx-iis.md index 7516b56b97..addcae962e 100644 --- a/windows/client-management/mdm/policy-csp-admx-iis.md +++ b/windows/client-management/mdm/policy-csp-admx-iis.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_IIS -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -33,38 +38,14 @@ manager: dansimp **ADMX_IIS/PreventIISInstall** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -88,12 +69,7 @@ Enabling this setting will not have any effect on IIS if IIS is already installe - If you disable or do not configure this policy setting, IIS can be installed, as well as all the programs and applications that require IIS to run." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -107,7 +83,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-iscsi.md b/windows/client-management/mdm/policy-csp-admx-iscsi.md new file mode 100644 index 0000000000..635700efc1 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-iscsi.md @@ -0,0 +1,177 @@ +--- +title: Policy CSP - ADMX_iSCSI +description: Policy CSP - ADMX_iSCSI +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/17/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_iSCSI + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
                  + + +## ADMX_iSCSI policies + +
                  +
                  + ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins +
                  +
                  + ADMX_iSCSI/iSCSIGeneral_ChangeIQNName +
                  +
                  + ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret +
                  +
                  + + +
                  + + +**ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS servers may not be removed. + +If disabled then new iSNS servers may be added and thus new targets discovered via those iSNS servers; existing iSNS servers may be removed. + + + + + +ADMX Info: +- GP English name: *Do not allow manual configuration of iSNS servers* +- GP name: *iSCSIGeneral_RestrictAdditionalLogins* +- GP path: *System\iSCSI\iSCSI Target Discovery* +- GP ADMX file name: *iSCSI.admx* + + + +
                  + + +**ADMX_iSCSI/iSCSIGeneral_ChangeIQNName** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +If enabled then new target portals may not be added and thus new targets discovered on those portals; existing target portals may not be removed. + +If disabled then new target portals may be added and thus new targets discovered on those portals; existing target portals may be removed. + + + + +ADMX Info: +- GP English name: *Do not allow manual configuration of target portals* +- GP name: *iSCSIGeneral_ChangeIQNName* +- GP path: *System\iSCSI\iSCSI Target Discovery* +- GP ADMX file name: *iSCSI.admx* + + + +
                  + + +**ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +If enabled then do not allow the initiator CHAP secret to be changed. + +If disabled then the initiator CHAP secret may be changed. + + + + + +ADMX Info: +- GP English name: *Do not allow changes to initiator CHAP secret* +- GP name: *iSCSISecurity_ChangeCHAPSecret* +- GP path: *System\iSCSI\iSCSI Security* +- GP ADMX file name: *iSCSI.admx* + + + +
                  + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-kdc.md b/windows/client-management/mdm/policy-csp-admx-kdc.md index 76d11f5aa4..8dd5286694 100644 --- a/windows/client-management/mdm/policy-csp-admx-kdc.md +++ b/windows/client-management/mdm/policy-csp-admx-kdc.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_kdc -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -49,32 +53,14 @@ manager: dansimp **ADMX_kdc/CbacAndArmor** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -89,7 +75,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication. +This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication. If you enable this policy setting, client computers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain. @@ -123,12 +109,7 @@ Impact on domain controller performance when this policy setting is enabled: - Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors which results in increased processing time, but does not change the service ticket size. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -145,32 +126,14 @@ ADMX Info: **ADMX_kdc/ForestSearch** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -185,7 +148,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs). +This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs). If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain. @@ -194,12 +157,7 @@ If you disable or do not configure this policy setting, the KDC will not search To ensure consistent behavior, this policy setting must be supported and set identically on all domain controllers in the domain. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -216,32 +174,14 @@ ADMX Info: **ADMX_kdc/PKINITFreshness** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -256,7 +196,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller’s domain is not at Windows Server 2016 DFL or higher this policy will not be applied. +Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller’s domain is not at Windows Server 2016 DFL or higher this policy will not be applied. This policy setting allows you to configure a domain controller (DC) to support the PKInit Freshness Extension. @@ -269,12 +209,7 @@ Required: PKInit Freshness Extension is required for successful authentication. If you disable or not configure this policy setting, then the DC will never offer the PKInit Freshness Extension and accept valid authentication requests without checking for freshness. Users will never receive the fresh public key identity SID. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -291,32 +226,14 @@ ADMX Info: **ADMX_kdc/RequestCompoundId** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -331,7 +248,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a domain controller to request compound authentication. +This policy setting allows you to configure a domain controller to request compound authentication. > [!NOTE] > For a domain controller to request compound authentication, the policy "KDC support for claims, compound authentication, and Kerberos armoring" must be configured and enabled. @@ -341,12 +258,7 @@ If you enable this policy setting, domain controllers will request compound auth If you disable or do not configure this policy setting, domain controllers will return service tickets that contain compound authentication any time the client sends a compound authentication request regardless of the account configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -363,32 +275,14 @@ ADMX Info: **ADMX_kdc/TicketSizeThreshold** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -403,19 +297,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log. +This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log. If you enable this policy setting, you can set the threshold limit for Kerberos ticket which trigger the warning events. If set too high, then authentication failures might be occurring even though warning events are not being logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in your environment if you are not configuring using Group Policy. If you disable or do not configure this policy setting, the threshold value defaults to 12,000 bytes, which is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -432,32 +321,14 @@ ADMX Info: **ADMX_kdc/emitlili** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -472,7 +343,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the domain controller provides information about previous logons to client computers. +This policy setting controls whether the domain controller provides information about previous logons to client computers. If you enable this policy setting, the domain controller provides the information message about previous logons. @@ -484,12 +355,7 @@ If you disable or do not configure this policy setting, the domain controller do > Information about previous logons is provided only if the domain functional level is Windows Server 2008. In domains with a domain functional level of Windows Server 2003, Windows 2000 native, or Windows 2000 mixed, domain controllers cannot provide information about previous logons, and enabling this policy setting does not affect anything. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -502,8 +368,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md index 0546c527b2..8148db9dd5 100644 --- a/windows/client-management/mdm/policy-csp-admx-kerberos.md +++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Kerberos -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -55,32 +59,14 @@ manager: dansimp **ADMX_Kerberos/AlwaysSendCompoundId** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -95,7 +81,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity. +This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity. > [!NOTE] > For a domain controller to request compound authentication, the policies "KDC support for claims, compound authentication, and Kerberos armoring" and "Request compound authentication" must be configured and enabled in the resource account domain. @@ -105,12 +91,7 @@ If you enable this policy setting and the resource domain requests compound auth If you disable or do not configure this policy setting and the resource domain requests compound authentication, devices will send a non-compounded authentication request first then a compound authentication request when the service requests compound authentication. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -127,32 +108,14 @@ ADMX Info: **ADMX_Kerberos/DevicePKInitEnabled** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -167,7 +130,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. +Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. @@ -181,12 +144,7 @@ If you disable this policy setting, certificates will never be used. If you do not configure this policy setting, Automatic will be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -203,32 +161,14 @@ ADMX Info: **ADMX_Kerberos/HostToRealm** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -243,7 +183,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to a Kerberos realm. +This policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to a Kerberos realm. If you enable this policy setting, you can view and change the list of DNS host names and DNS suffixes mapped to a Kerberos realm as defined by Group Policy. To view the list of mappings, enable the policy setting and then click the Show button. To add a mapping, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type a realm name. In the Value column, type the list of DNS host names and DNS suffixes using the appropriate syntax format. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. 
@@ -252,12 +192,7 @@ If you disable this policy setting, the host name-to-Kerberos realm mappings lis If you do not configure this policy setting, the system uses the host name-to-Kerberos realm mappings that are defined in the local registry, if they exist. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -274,32 +209,14 @@ ADMX Info: **ADMX_Kerberos/KdcProxyDisableServerRevocationCheck** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -314,7 +231,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC proxy server. +This policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC proxy server. If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections. Warning: When revocation check is ignored, the server represented by the certificate is not guaranteed valid. @@ -322,12 +239,7 @@ Warning: When revocation check is ignored, the server represented by the certifi If you disable or do not configure this policy setting, the Kerberos client enforces the revocation check for the SSL certificate. The connection to the KDC proxy server is not established if the revocation check fails. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -344,32 +256,14 @@ ADMX Info: **ADMX_Kerberos/KdcProxyServer** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  
@@ -384,19 +278,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the Kerberos client's mapping to KDC proxy servers for domains based on their DNS suffix names. +This policy setting configures the Kerberos client's mapping to KDC proxy servers for domains based on their DNS suffix names. If you enable this policy setting, the Kerberos client will use the KDC proxy server for a domain when a domain controller cannot be located based on the configured mappings. To map a KDC proxy server to a domain, enable the policy setting, click Show, and then map the KDC proxy server name(s) to the DNS name for the domain using the syntax described in the options pane. In the Show Contents dialog box in the Value Name column, type a DNS suffix name. In the Value column, type the list of proxy servers using the appropriate syntax format. To view the list of mappings, enable the policy setting and then click the Show button. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. If you disable or do not configure this policy setting, the Kerberos client does not have KDC proxy servers settings defined by Group Policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. 
For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -413,32 +302,14 @@ ADMX Info: **ADMX_Kerberos/MitRealms** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -453,7 +324,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the Kerberos client so that it can authenticate with interoperable Kerberos V5 realms, as defined by this policy setting. +This policy setting configures the Kerberos client so that it can authenticate with interoperable Kerberos V5 realms, as defined by this policy setting. If you enable this policy setting, you can view and change the list of interoperable Kerberos V5 realms and their settings. To view the list of interoperable Kerberos V5 realms, enable the policy setting and then click the Show button. To add an interoperable Kerberos V5 realm, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type the interoperable Kerberos V5 realm name. In the Value column, type the realm flags and host names of the host KDCs using the appropriate syntax format. To remove an interoperable Kerberos V5 realm Value Name or Value entry from the list, click the entry, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. 
@@ -462,12 +333,7 @@ If you disable this policy setting, the interoperable Kerberos V5 realm settings If you do not configure this policy setting, the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry, if they exist. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -484,32 +350,14 @@ ADMX Info: **ADMX_Kerberos/ServerAcceptsCompound** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -524,7 +372,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls configuring the device's Active Directory account for compound authentication. +This policy setting controls configuring the device's Active Directory account for compound authentication. Support for providing compound authentication which is used for access control will require enough domain controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy "Support Dynamic Access Control and Kerberos armoring" on all the domain controllers to support this policy. @@ -539,12 +387,7 @@ If you disable this policy setting, Never will be used. If you do not configure this policy setting, Automatic will be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -561,32 +404,14 @@ ADMX Info: **ADMX_Kerberos/StrictTarget** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -601,19 +426,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure this server so that Kerberos can decrypt a ticket that contains this system-generated SPN. When an application attempts to make a remote procedure call (RPC) to this server with a NULL value for the service principal name (SPN), computers running Windows 7 or later attempt to use Kerberos by generating an SPN. +This policy setting allows you to configure this server so that Kerberos can decrypt a ticket that contains this system-generated SPN. When an application attempts to make a remote procedure call (RPC) to this server with a NULL value for the service principal name (SPN), computers running Windows 7 or later attempt to use Kerberos by generating an SPN. If you enable this policy setting, only services running as LocalSystem or NetworkService are allowed to accept these connections. Services running as identities different from LocalSystem or NetworkService might fail to authenticate. If you disable or do not configure this policy setting, any service is allowed to accept incoming connections by using this system-generated SPN. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -625,7 +445,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md index e8d00a28cb..18b9f6e543 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_LanmanServer -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -43,32 +47,14 @@ manager: dansimp **ADMX_LanmanServer/Pol_CipherSuiteOrder** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -83,7 +69,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the cipher suites used by the SMB server. +This policy setting determines the cipher suites used by the SMB server. If you enable this policy setting, cipher suites are prioritized in the order specified. @@ -106,12 +92,7 @@ Arrange the desired cipher suites in the edit box, one cipher suite per line, in > When configuring this security setting, changes will not take effect until you restart Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -132,32 +113,14 @@ ADMX Info: **ADMX_LanmanServer/Pol_HashPublication** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -172,7 +135,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether a hash generation service generates hashes, also called content information, for data that is stored in shared folders. This policy setting must be applied to server computers that have the File Services role and both the File Server and the BranchCache for Network Files role services installed. +This policy setting specifies whether a hash generation service generates hashes, also called content information, for data that is stored in shared folders. This policy setting must be applied to server computers that have the File Services role and both the File Server and the BranchCache for Network Files role services installed. Policy configuration @@ -189,12 +152,7 @@ In circumstances where this policy setting is enabled, you can also select the f - Disallow hash publication on all shared folders. With this option, BranchCache does not generate content information for any shares on the computer and does not send content information to client computers that request content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -215,32 +173,14 @@ ADMX Info: **ADMX_LanmanServer/Pol_HashSupportVersion** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -255,7 +195,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes, version 2 (V2) hashes, or both V1 and V2 hashes. Hashes, also called content information, are created based on the data in shared folders where BranchCache is enabled. +This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes, version 2 (V2) hashes, or both V1 and V2 hashes. Hashes, also called content information, are created based on the data in shared folders where BranchCache is enabled. If you specify only one version that is supported, content information for that version is the only type that is generated by BranchCache, and it is the only type of content information that can be retrieved by client computers. For example, if you enable support for V1 hashes, BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes. @@ -276,12 +216,7 @@ Hash version supported: - To support both V1 and V2 content information, configure "Hash version supported" with the value of 3. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -298,32 +233,14 @@ ADMX Info: **ADMX_LanmanServer/Pol_HonorCipherSuiteOrder** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -338,7 +255,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how the SMB server selects a cipher suite when negotiating a new connection with an SMB client. +This policy setting determines how the SMB server selects a cipher suite when negotiating a new connection with an SMB client. If you enable this policy setting, the SMB server will select the cipher suite it most prefers from the list of client-supported cipher suites, ignoring the client's preferences. @@ -348,12 +265,7 @@ If you disable or do not configure this policy setting, the SMB server will sele > When configuring this security setting, changes will not take effect until you restart Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -366,8 +278,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md index ac60e3f522..b574242c37 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_LanmanWorkstation -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -40,32 +44,14 @@ manager: dansimp **ADMX_LanmanWorkstation/Pol_CipherSuiteOrder** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -80,7 +66,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the cipher suites used by the SMB client. +This policy setting determines the cipher suites used by the SMB client. If you enable this policy setting, cipher suites are prioritized in the order specified. @@ -108,12 +94,7 @@ Arrange the desired cipher suites in the edit box, one cipher suite per line, in > When configuring this security setting, changes will not take effect until you restart Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -130,32 +111,14 @@ ADMX Info: **ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -170,7 +133,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of SMB handle caching for clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled. +This policy setting determines the behavior of SMB handle caching for clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled. If you enable this policy setting, the SMB client will allow cached handles to files on CA shares. This may lead to better performance when repeatedly accessing a large number of unstructured data files on CA shares running in Microsoft Azure Files. @@ -180,12 +143,7 @@ If you disable or do not configure this policy setting, Windows will prevent use > This policy has no effect when connecting Scale-out File Server shares provided by a Windows Server. Microsoft does not recommend enabling this policy for clients that routinely connect to files hosted on a Windows Failover Cluster with the File Server for General Use role, as it can lead to adverse failover times and increased memory and CPU usage. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -202,32 +160,14 @@ ADMX Info: **ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -242,7 +182,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of Offline Files on clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled. +This policy setting determines the behavior of Offline Files on clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled. If you enable this policy setting, the "Always Available offline" option will appear in the File Explorer menu on a Windows computer when connecting to a CA-enabled share. Pinning of files on CA-enabled shares using client-side caching will also be possible. @@ -252,12 +192,7 @@ If you disable or do not configure this policy setting, Windows will prevent use > Microsoft does not recommend enabling this group policy. Use of CA with Offline Files will lead to very long transition times between the online and offline states. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -270,7 +205,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md index 23ab94d3d1..bfa3ffa66e 100644 --- a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md @@ -13,9 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_LeakDiagnostic -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -34,38 +38,14 @@ manager: dansimp **ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -96,12 +76,7 @@ The DPS can be configured with the Services snap-in to the Microsoft Management > For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -116,8 +91,6 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md index 146ad0388c..ccfb70864f 100644 --- a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md +++ b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md 
@@ -13,8 +13,12 @@ manager: dansimp
 ---
 # Policy CSP - ADMX_LinkLayerTopologyDiscovery
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+>[!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -37,32 +41,14 @@ manager: dansimp **ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -77,7 +63,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting changes the operational behavior of the Mapper I/O network protocol driver. +This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. @@ -86,12 +72,7 @@ If you enable this policy setting, additional options are available to fine-tune If you disable or do not configure this policy setting, the default behavior of LLTDIO will apply. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -108,32 +89,14 @@ ADMX Info: **ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -148,7 +111,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting changes the operational behavior of the Responder network protocol driver. +This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. @@ -157,12 +120,7 @@ If you enable this policy setting, additional options are available to fine-tune If you disable or do not configure this policy setting, the default behavior for the Responder will apply. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -175,8 +133,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md new file mode 100644 index 0000000000..9b40c8b242 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md @@ -0,0 +1,88 @@ +--- +title: Policy CSP - ADMX_LocationProviderAdm +description: Policy CSP - ADMX_LocationProviderAdm +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/20/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_LocationProviderAdm +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
                  + + +## ADMX_LocationProviderAdm policies + +
                  +
                  + ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1 +
                  +
                  + + +
                  + + +**ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
                  + + + +This policy setting turns off the Windows Location Provider feature for this computer. + +- If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Location Provider feature. + +- If you disable or do not configure this policy setting, all programs on this computer can use the Windows Location Provider feature. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Turn off Windows Location Provider* +- GP name: *DisableWindowsLocationProvider_1* +- GP path: *Windows Components\Location and Sensors\Windows Location Provider* +- GP ADMX file name: *LocationProviderAdm.admx* + + + +
                  + +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-logon.md b/windows/client-management/mdm/policy-csp-admx-logon.md index 68442eff39..442f1fc85b 100644 --- a/windows/client-management/mdm/policy-csp-admx-logon.md +++ b/windows/client-management/mdm/policy-csp-admx-logon.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Logon -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -76,32 +80,14 @@ manager: dansimp **ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -116,19 +102,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy prevents the user from showing account details (email address or user name) on the sign-in screen. +This policy prevents the user from showing account details (email address or user name) on the sign-in screen. If you enable this policy setting, the user cannot choose to show account details on the sign-in screen. If you disable or do not configure this policy setting, the user may choose to show account details on the sign-in screen. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -145,32 +126,14 @@ ADMX Info: **ADMX_Logon/DisableAcrylicBackgroundOnLogon** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -185,19 +148,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting disables the acrylic blur effect on logon background image. +This policy setting disables the acrylic blur effect on logon background image. If you enable this policy, the logon background image shows without blur. If you disable or do not configure this policy, the logon background image adopts the acrylic blur effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -214,32 +172,14 @@ ADMX Info: **ADMX_Logon/DisableExplorerRunLegacy_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -254,13 +194,9 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting ignores the customized run list. +This policy setting ignores the customized run list. -You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system starts. - -If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professional, and Windows 2000 Professional. - -If you disable or do not configure this policy setting, Windows Vista adds any customized run list configured to its run list. +These programs are added to the standard run list of programs and services that the system starts. This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. 
@@ -268,12 +204,7 @@ This policy setting appears in the Computer Configuration and User Configuration > To create a customized run list by using a policy setting, use the "Run these applications at startup" policy setting. Also, see the "Do not process the run once list" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -290,32 +221,14 @@ ADMX Info: **ADMX_Logon/DisableExplorerRunLegacy_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -330,13 +243,9 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting ignores the customized run list.
+This policy setting ignores the customized run list.
-You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system starts.
-
-If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professional, and Windows 2000 Professional.
-
-If you disable or do not configure this policy setting, Windows Vista adds any customized run list configured to its run list.
+These programs are added to the standard run list of programs and services that the system starts.
 This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.
@@ -344,12 +253,7 @@ This policy setting appears in the Computer Configuration and User Configuration > To create a customized run list by using a policy setting, use the "Run these applications at startup" policy setting. Also, see the "Do not process the run once list" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -366,32 +270,14 @@ ADMX Info: **ADMX_Logon/DisableExplorerRunOnceLegacy_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -406,7 +292,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting ignores customized run-once lists. +This policy setting ignores customized run-once lists. You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. @@ -420,12 +306,7 @@ This policy setting appears in the Computer Configuration and User Configuration > Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. Also, see the "Do not process the legacy run list" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -442,32 +323,14 @@ ADMX Info: **ADMX_Logon/DisableExplorerRunOnceLegacy_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -482,7 +345,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting ignores customized run-once lists. +This policy setting ignores customized run-once lists. You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. @@ -496,12 +359,7 @@ This policy setting appears in the Computer Configuration and User Configuration > Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. Also, see the "Do not process the legacy run list" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -518,32 +376,14 @@ ADMX Info: **ADMX_Logon/DisableStatusMessages** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -558,19 +398,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting suppresses system status messages. +This policy setting suppresses system status messages. If you enable this setting, the system does not display a message reminding users to wait while their system starts or shuts down, or while users log on or off. If you disable or do not configure this policy setting, the system displays the message reminding users to wait while their system starts or shuts down, or while users log on or off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -587,32 +422,14 @@ ADMX Info: **ADMX_Logon/DontEnumerateConnectedUsers** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -627,19 +444,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents connected users from being enumerated on domain-joined computers. +This policy setting prevents connected users from being enumerated on domain-joined computers. If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers. If you disable or do not configure this policy setting, connected users will be enumerated on domain-joined computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -656,32 +468,14 @@ ADMX Info: **ADMX_Logon/NoWelcomeTips_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -696,7 +490,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on.
+This policy setting hides the welcome screen that is displayed on Windows each time the user logs on.
 If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied.
@@ -704,7 +498,7 @@ Users can still display the welcome screen by selecting it on the Start menu or
 If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer.
-This setting applies only to Windows 2000 Professional. It does not affect the "Configure Your Server on a Windows 2000 Server" screen on Windows 2000 Server.
+This setting applies only to Windows. It does not affect the "Configure Your Server on a Windows Server" screen on Windows Server.
 > [!NOTE]
 > This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
@@ -713,12 +507,7 @@ This setting applies only to Windows 2000 Professional. It does not affect the " > To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click "Getting Started." To suppress the welcome screen without specifying a setting, clear the "Show this screen at startup" check box on the welcome screen. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -736,32 +525,14 @@ ADMX Info: **ADMX_Logon/NoWelcomeTips_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -776,13 +547,13 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on.
+This policy setting hides the welcome screen that is displayed on Windows each time the user logs on.
 If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied.
 Users can still display the welcome screen by selecting it on the Start menu or by typing "Welcome" in the Run dialog box.
-If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer. This setting applies only to Windows 2000 Professional. It does not affect the "Configure Your Server on a Windows 2000 Server" screen on Windows 2000 Server.
+If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer. This setting applies only to Windows. It does not affect the "Configure Your Server on a Windows Server" screen on Windows Server.
 > [!NOTE]
 > This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
@@ -791,12 +562,7 @@ If you disable or do not configure this policy, the welcome screen is displayed > To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click "Getting Started." To suppress the welcome screen without specifying a setting, clear the "Show this screen at startup" check box on the welcome screen. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -813,32 +579,14 @@ ADMX Info: **ADMX_Logon/Run_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -853,7 +601,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system. +This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system. If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has this policy applied. @@ -867,12 +615,7 @@ If you disable or do not configure this policy setting, the user will have to st Also, see the "Do not process the legacy run list" and the "Do not process the run once list" settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -889,32 +632,14 @@ ADMX Info: **ADMX_Logon/Run_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -929,7 +654,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system. +This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system. If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has this policy applied. @@ -944,12 +669,7 @@ Also, see the "Do not process the legacy run list" and the "Do not process the r -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -966,32 +686,14 @@ ADMX Info: **ADMX_Logon/SyncForegroundPolicy** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -1006,7 +708,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Group Policy processing is synchronous (that is, whether computers wait for the network to be fully initialized during computer startup and user logon). By default, on client computers, Group Policy processing is not synchronous; client computers typically do not wait for the network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in shorter logon times. Group Policy is applied in the background after the network becomes available.
+This policy setting determines whether Group Policy processing is synchronous (that is, whether computers wait for the network to be fully initialized during computer startup and user logon). By default, on client computers, Group Policy processing is not synchronous; client computers typically do not wait for the network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in shorter logon times. Group Policy is applied in the background after the network becomes available.
 Note that because this is a background refresh, extensions such as Software Installation and Folder Redirection take two logons to apply changes. To be able to operate safely, these extensions require that no users be logged on. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon script, may take up to two logons to be detected.
@@ -1031,12 +733,7 @@ If you disable or do not configure this policy setting and users log on to a cli > - If Folder Redirection policy will apply during the next logon, security policies will be applied asynchronously during the next update cycle, if network connectivity is available. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1053,32 +750,14 @@ ADMX Info: **ADMX_Logon/UseOEMBackground** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1093,19 +772,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting ignores Windows Logon Background. +This policy setting ignores Windows Logon Background. This policy setting may be used to make Windows give preference to a custom logon background. If you enable this policy setting, the logon screen always attempts to load a custom background instead of the Windows-branded logon background. If you disable or do not configure this policy setting, Windows uses the default Windows logon background or custom background. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1122,32 +796,14 @@ ADMX Info: **ADMX_Logon/VerboseStatus** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1162,7 +818,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to display highly detailed status messages. +This policy setting directs the system to display highly detailed status messages. This policy setting is designed for advanced users who require this information. @@ -1174,12 +830,7 @@ If you disable or do not configure this policy setting, only the default status > This policy setting is ignored if the "Remove Boot/Shutdown/Logon/Logoff status messages" policy setting is enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1192,8 +843,7 @@ ADMX Info:
-> [!NOTE]
-> These policies are currently only available as part of a Windows Insider release.
+
diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
index aa27ba10da..e4c7cf5345 100644
--- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
+++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
@@ -13,8 +13,12 @@ manager: dansimp
 ---
 # Policy CSP - ADMX_MicrosoftDefenderAntivirus
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+>[!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -310,32 +314,14 @@ manager: dansimp **ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -350,19 +336,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance. +This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance. If you enable or do not configure this setting, the antimalware service will load as a normal priority task. If you disable this setting, the antimalware service will load as a low priority task. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -379,32 +360,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -419,7 +382,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Microsoft Defender Antivirus. +This policy setting turns off Microsoft Defender Antivirus. If you enable this policy setting, Microsoft Defender Antivirus does not run, and will not scan computers for malware or other potentially unwanted software. @@ -430,12 +393,7 @@ If you do not configure this policy setting, Windows will internally manage Micr Enabling or disabling this policy may lead to unexpected or unsupported behavior. It is recommended that you leave this policy setting unconfigured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -452,32 +410,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -492,24 +432,19 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off. +Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off. Disabled (Default): -Microsoft Defender will exclude pre-defined list of paths from the scan to improve performance. +Microsoft Defender Antivirus will exclude pre-defined list of paths from the scan to improve performance. Enabled: -Microsoft Defender will not exclude pre-defined list of paths from scans. This can impact machine performance in some scenarios. +Microsoft Defender Antivirus will not exclude pre-defined list of paths from scans. This can impact machine performance in some scenarios. Not configured: Same as Disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -526,32 +461,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -566,12 +483,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device. +This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device. Enabled – The Block at First Sight setting is turned on. Disabled – The Block at First Sight setting is turned off. -This feature requires these Group Policy settings to be set as follows: +This feature requires these Policy settings to be set as follows: - MAPS -> The “Join Microsoft MAPS” must be enabled or the “Block at First Sight” feature will not function. - MAPS -> The “Send file samples when further analysis is required” should be set to 1 (Send safe samples) or 3 (Send all samples). Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the “Block at First Sight” feature will not function. 
@@ -579,12 +496,7 @@ This feature requires these Group Policy settings to be set as follows: - Real-time Protection -> Do not enable the “Turn off real-time protection” policy or the “Block at First Sight” feature will not function. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -601,32 +513,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  
@@ -641,19 +535,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists such as threats and Exclusions. +This policy setting controls whether or not complex list settings configured by a local administrator are merged with Policy settings. This setting applies to lists such as threats and Exclusions. -If you enable or do not configure this setting, unique items defined in Group Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, Group policy Settings will override preference settings. +If you enable or do not configure this setting, unique items defined in Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, Policy Settings will override preference settings. -If you disable this setting, only items defined by Group Policy will be used in the resulting effective policy. Group Policy settings will override preference settings configured by the local administrator. +If you disable this setting, only items defined by Policy will be used in the resulting effective policy. Policy settings will override preference settings configured by the local administrator. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. 
To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -670,32 +559,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -710,7 +581,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off real-time protection prompts for known malware detection. +This policy setting turns off real-time protection prompts for known malware detection. Microsoft Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer. @@ -719,12 +590,7 @@ If you enable this policy setting, Microsoft Defender Antivirus will not prompt If you disable or do not configure this policy setting, Microsoft Defender Antivirus will prompt users to take actions on malware detections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -741,32 +607,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -781,19 +629,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether Microsoft Defender Antivirus automatically takes action on all detected threats. The action to be taken on a particular threat is determined by the combination of the policy-defined action, user-defined action, and the signature-defined action. +This policy setting allows you to configure whether Microsoft Defender Antivirus automatically takes action on all detected threats. The action to be taken on a particular threat is determined by the combination of the policy-defined action, user-defined action, and the signature-defined action. If you enable this policy setting, Microsoft Defender Antivirus does not automatically take action on the detected threats, but prompts users to choose from the actions available for each threat. If you disable or do not configure this policy setting, Microsoft Defender Antivirus automatically takes action on all detected threats after a nonconfigurable delay of approximately five seconds. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -810,32 +653,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -850,15 +675,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0. +This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -875,32 +695,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -915,17 +717,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. +This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recommended that this be set to 0. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -942,32 +739,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -982,15 +761,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. Note that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0. +This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. Note that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -1007,32 +781,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1047,7 +803,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Exclude files and paths from Attack Surface Reduction (ASR) rules. +Exclude files and paths from Attack Surface Reduction (ASR) rules. Enabled: Specify the folders or files and resources that should be excluded from ASR rules in the Options section. @@ -1065,12 +821,7 @@ Same as Disabled. You can configure ASR rules in the Configure Attack Surface Reduction rules GP setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1087,32 +838,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1127,7 +860,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Set the state for each Attack Surface Reduction (ASR) rule. +Set the state for each Attack Surface Reduction (ASR) rule. After enabling this setting, you can set each rule to the following in the Options section: @@ -1161,12 +894,7 @@ Same as Disabled. You can exclude folders or files in the "Exclude files and paths from Attack Surface Reduction Rules" GP setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1183,32 +911,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1223,7 +933,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Add additional applications that should be considered "trusted" by controlled folder access. +Add additional applications that should be considered "trusted" by controlled folder access. These applications are allowed to modify or delete files in controlled folder access folders. @@ -1243,12 +953,7 @@ You can enable controlled folder access in the Configure controlled folder acces Default system folders are automatically guarded, but you can add folders in the configure protected folders GP setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1265,32 +970,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1305,7 +992,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specify additional folders that should be guarded by the Controlled folder access feature. +Specify additional folders that should be guarded by the Controlled folder access feature. Files in these folders cannot be modified or deleted by untrusted applications. @@ -1326,12 +1013,7 @@ You can enable controlled folder access in the Configure controlled folder acces Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1348,32 +1030,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1388,10 +1052,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enable or disable file hash computation feature. +Enable or disable file hash computation feature. Enabled: -When this feature is enabled Microsoft Defender will compute hash value for files it scans. +When this feature is enabled Microsoft Defender Antivirus will compute hash value for files it scans. Disabled: File hash value is not computed @@ -1400,12 +1064,7 @@ Not configured: Same as Disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1422,32 +1081,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  
@@ -1462,19 +1103,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system is not vulnerable to the exploit detected by a definition, then that definition is "retired". If all security intelligence for a given protocol are retired then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest security updates, network protection will have no impact on network performance. +This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system is not vulnerable to the exploit detected by a definition, then that definition is "retired". If all security intelligence for a given protocol are retired then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest security updates, network protection will have no impact on network performance. If you enable or do not configure this setting, definition retirement will be enabled. If you disable this setting, definition retirement will be disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
-> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1491,32 +1127,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1531,15 +1149,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a definition set GUID. As an example, the definition set GUID to enable test security intelligence is defined as: “{b54b6ac9-a737-498e-9120-6616ad3bf590}”. The value is not used and it is recommended that this be set to 0. +This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a definition set GUID. As an example, the definition set GUID to enable test security intelligence is defined as: “{b54b6ac9-a737-498e-9120-6616ad3bf590}”. The value is not used and it is recommended that this be set to 0. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1556,32 +1169,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1596,19 +1191,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities. +This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities. If you enable or do not configure this setting, protocol recognition will be enabled. If you disable this setting, protocol recognition will be disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1625,32 +1215,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/ProxyBypass** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1665,19 +1237,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL. +This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL. If you enable this setting, the proxy server will be bypassed for the specified addresses. If you disable or do not configure this setting, the proxy server will not be bypassed for the specified addresses. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1694,32 +1261,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1734,7 +1283,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there is no proxy auto-config specified, the client will fall back to the alternative options (in order): +This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there is no proxy auto-config specified, the client will fall back to the alternative options (in order): 1. Proxy server (if specified) 2. Proxy .pac URL (if specified) @@ -1747,12 +1296,7 @@ If you enable this setting, the proxy setting will be set to use the specified p If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1769,32 +1313,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/ProxyServer** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1809,7 +1335,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the client will fall back to the alternative options (in order): +This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the client will fall back to the alternative options (in order): 1. Proxy server (if specified) 2. Proxy .pac URL (if specified) @@ -1822,12 +1348,7 @@ If you enable this setting, the proxy will be set to the specified URL according If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1844,32 +1365,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1884,19 +1387,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1913,32 +1411,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1953,19 +1433,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. +This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. If you enable this setting, items will be removed from the Quarantine folder after the number of days specified. If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1982,32 +1457,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2022,19 +1479,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled security intelligence update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time. +This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled security intelligence update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time. If you enable or do not configure this setting, scheduled tasks will begin at a random time within an interval of 30 minutes before and after the specified start time. If you disable this setting, scheduled tasks will begin at the specified start time. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -2051,32 +1503,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2091,19 +1525,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure behavior monitoring. +This policy setting allows you to configure behavior monitoring. If you enable or do not configure this setting, behavior monitoring will be enabled. If you disable this setting, behavior monitoring will be disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2120,32 +1549,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2160,19 +1571,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning for all downloaded files and attachments. +This policy setting allows you to configure scanning for all downloaded files and attachments. If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. If you disable this setting, scanning for all downloaded files and attachments will be disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2189,32 +1595,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2229,19 +1617,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure monitoring for file and program activity. +This policy setting allows you to configure monitoring for file and program activity. If you enable or do not configure this setting, monitoring for file and program activity will be enabled. If you disable this setting, monitoring for file and program activity will be disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2258,32 +1641,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2298,19 +1663,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether raw volume write notifications are sent to behavior monitoring. +This policy setting controls whether raw volume write notifications are sent to behavior monitoring. If you enable or do not configure this setting, raw write notifications will be enabled. If you disable this setting, raw write notifications be disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2327,32 +1687,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2367,19 +1709,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which could start when real-time protection is turned off. +This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which could start when real-time protection is turned off. If you enable or do not configure this setting, a process scan will be initiated when real-time protection is turned on. If you disable this setting, a process scan will not be initiated when real-time protection is turned on. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2396,32 +1733,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2436,19 +1755,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned. +This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned. If you enable this setting, downloaded files and attachments smaller than the size specified will be scanned. If you disable or do not configure this setting, a default size will be applied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2465,32 +1779,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2505,19 +1801,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2534,32 +1825,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -2574,19 +1847,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2603,32 +1871,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -2643,19 +1893,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2672,32 +1917,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -2712,19 +1939,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2741,32 +1963,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -2781,19 +1985,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2810,32 +2009,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -2850,19 +2031,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2879,32 +2055,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -2919,7 +2077,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. The scan can also be configured to run every day or to never run at all. +This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: @@ -2938,12 +2096,7 @@ If you enable this setting, a scheduled full scan to complete remediation will r If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default frequency. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2960,32 +2113,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3000,19 +2135,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time on the computer where the scan is executing. +This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time on the computer where the scan is executing. If you enable this setting, a scheduled full scan to complete remediation will run at the time of day specified. If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default time. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3029,32 +2159,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3069,15 +2181,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state. +This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3094,32 +2201,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3134,15 +2223,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the “critically failed” state to moves to either the “additional action” state or the “cleared” state. +This policy setting configures the time in minutes before a detection in the “critically failed” state to moves to either the “additional action” state or the “cleared” state. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3159,32 +2243,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3199,19 +2265,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Use this policy setting to specify if you want Microsoft Defender Antivirus enhanced notifications to display on clients. +Use this policy setting to specify if you want Microsoft Defender Antivirus enhanced notifications to display on clients. If you disable or do not configure this setting, Microsoft Defender Antivirus enhanced notifications will display on clients. If you enable this setting, Microsoft Defender Antivirus enhanced notifications will not display on clients. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3227,32 +2288,14 @@ ADMX Info:
                  - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3267,19 +2310,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not Watson events are sent. +This policy setting allows you to configure whether or not Watson events are sent. If you enable or do not configure this setting, Watson events will be sent. If you disable this setting, Watson events will not be sent. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3296,32 +2334,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3336,15 +2356,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared" state. +This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared" state. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3359,32 +2374,14 @@ ADMX Info:
                  - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3399,15 +2396,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state. +This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3424,32 +2416,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3464,15 +2438,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy configures Windows software trace preprocessor (WPP Software Tracing) components. +This policy configures Windows software trace preprocessor (WPP Software Tracing) components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3489,32 +2458,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3529,7 +2480,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). +This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). Tracing levels are defined as: @@ -3539,12 +2490,7 @@ Tracing levels are defined as: - 4 - Debug -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3561,32 +2507,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3601,19 +2529,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether or not end users can pause a scan in progress. +This policy setting allows you to manage whether or not end users can pause a scan in progress. If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan. If you disable this setting, users will not be able to pause scans. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3630,32 +2553,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3670,19 +2575,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0. +This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0. If you enable this setting, archive files will be scanned to the directory depth level specified. If you disable or do not configure this setting, archive files will be scanned to the default directory depth level. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3699,32 +2599,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3739,19 +2621,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning. +This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning. If you enable this setting, archive files less than or equal to the size specified will be scanned. If you disable or do not configure this setting, archive files will be scanned according to the default value. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3769,32 +2646,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3809,19 +2668,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. +This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. If you enable or do not configure this setting, archive files will be scanned. If you disable this setting, archive files will not be scanned. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3838,32 +2692,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3878,19 +2714,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). +This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). If you enable this setting, e-mail scanning will be enabled. If you disable or do not configure this setting, e-mail scanning will be disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3907,32 +2738,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3947,19 +2760,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn off heuristics. +This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn off heuristics. If you enable or do not configure this setting, heuristics will be enabled. If you disable this setting, heuristics will be disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3976,32 +2784,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4016,19 +2806,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled. +This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled. If you enable or do not configure this setting, packed executables will be scanned. If you disable this setting, packed executables will not be scanned. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4045,32 +2830,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4085,19 +2852,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. +This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. If you enable this setting, removable drives will be scanned during any type of scan. If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4114,32 +2876,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4154,19 +2898,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slowed. Reparse point scanning is disabled by default and this is the recommended state for this functionality. +This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slowed. Reparse point scanning is disabled by default and this is the recommended state for this functionality. If you enable this setting, reparse point scanning will be enabled. If you disable or do not configure this setting, reparse point scanning will be disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4183,32 +2922,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4223,19 +2944,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. +This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. If you enable this setting, a system restore point will be created. If you disable or do not configure this setting, a system restore point will not be created. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4251,32 +2967,14 @@ ADMX Info: - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4291,19 +2989,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning mapped network drives. +This policy setting allows you to configure scanning mapped network drives. If you enable this setting, mapped network drives will be scanned. If you disable or do not configure this setting, mapped network drives will not be scanned. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4320,32 +3013,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4360,19 +3035,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. +This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. If you enable this setting, network files will be scanned. If you disable or do not configure this setting, network files will not be scanned. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4389,32 +3059,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4429,19 +3081,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4458,32 +3105,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4498,19 +3127,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4527,32 +3151,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4567,19 +3173,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4596,32 +3197,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4636,19 +3219,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4665,32 +3243,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4705,19 +3265,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Group Policy. +This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4734,32 +3289,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4774,19 +3311,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable low CPU priority for scheduled scans. +This policy setting allows you to enable or disable low CPU priority for scheduled scans. If you enable this setting, low CPU priority will be used during scheduled scans. If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4803,32 +3335,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4843,19 +3357,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of consecutive scheduled scans that can be missed after which a catch-up scan will be forced. By default, the value of this setting is 2 consecutive scheduled scans. +This policy setting allows you to define the number of consecutive scheduled scans that can be missed after which a catch-up scan will be forced. By default, the value of this setting is 2 consecutive scheduled scans. If you enable this setting, a catch-up scan will occur after the specified number consecutive missed scheduled scans. If you disable or do not configure this setting, a catch-up scan will occur after the 2 consecutive missed scheduled scans. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4872,32 +3381,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -4912,19 +3403,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed. By default, the value is set to 30 days. +This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed. By default, the value is set to 30 days. If you enable this setting, items will be removed from the scan history folder after the number of days specified. If you disable or do not configure this setting, items will be kept in the scan history folder for the default number of days. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4941,32 +3427,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -4981,19 +3449,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans will not occur. By default, this setting is set to 0. +This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans will not occur. By default, this setting is set to 0. If you enable this setting, a quick scan will run at the interval specified. If you disable or do not configure this setting, a quick scan will run at a default time. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5010,32 +3473,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -5050,19 +3495,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use. +This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use. If you enable or do not configure this setting, scheduled scans will only run when the computer is on but not in use. If you disable this setting, scheduled scans will run at the scheduled time. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5079,32 +3519,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -5119,7 +3541,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. +This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: @@ -5138,12 +3560,7 @@ If you enable this setting, a scheduled scan will run at the frequency specified If you disable or do not configure this setting, a scheduled scan will run at a default frequency. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5160,32 +3577,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -5200,19 +3599,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing. +This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing. If you enable this setting, a scheduled scan will run at the time of day specified. If you disable or do not configure this setting, a scheduled scan will run at a default time. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5229,32 +3623,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -5269,19 +3645,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware security intelligence is disabled. It is recommended that this setting remain disabled. +This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware security intelligence is disabled. It is recommended that this setting remain disabled. If you enable this setting, the antimalware service will always remain running even if both antivirus and antispyware security intelligence is disabled. If you disable or do not configure this setting, the antimalware service will be stopped when both antivirus and antispyware security intelligence is disabled. If the computer is restarted, the service will be started if it is set to Automatic startup. After the service has started, there will be a check to see if antivirus and antispyware security intelligence is enabled. If at least one is enabled, the service will remain running. If both are disabled, the service will be stopped. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -5298,32 +3669,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -5338,19 +3691,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. +This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update. If you disable or do not configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -5367,32 +3715,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -5407,19 +3737,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of days that must pass before virus security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. +This policy setting allows you to define the number of days that must pass before virus security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. If you enable this setting, virus security intelligence will be considered out of date after the number of days specified have passed without an update. If you disable or do not configure this setting, virus security intelligence will be considered out of date after the default number of days have passed without an update. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -5436,32 +3761,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -5476,19 +3783,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\\unc1 | \\\unc2 }". The list is empty by default. +This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\\unc1 | \\\unc2 }". The list is empty by default. If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -5505,32 +3807,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -5545,19 +3829,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the automatic scan which starts after a security intelligence update has occurred. +This policy setting allows you to configure the automatic scan which starts after a security intelligence update has occurred. If you enable or do not configure this setting, a scan will start following a security intelligence update. If you disable this setting, a scan will not start following a security intelligence update. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5574,32 +3853,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -5614,19 +3875,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure security intelligence updates when the computer is running on battery power. +This policy setting allows you to configure security intelligence updates when the computer is running on battery power. If you enable or do not configure this setting, security intelligence updates will occur as usual regardless of power state. If you disable this setting, security intelligence updates will be turned off while the computer is running on battery power. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5643,32 +3899,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -5683,19 +3921,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure security intelligence updates on startup when there is no antimalware engine present. +This policy setting allows you to configure security intelligence updates on startup when there is no antimalware engine present. If you enable or do not configure this setting, security intelligence updates will be initiated on startup when there is no antimalware engine present. If you disable this setting, security intelligence updates will not be initiated on startup when there is no antimalware engine present. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5712,32 +3945,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -5752,7 +3967,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares”. +This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares”. For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC } @@ -5761,12 +3976,7 @@ If you enable this setting, security intelligence update sources will be contact If you disable or do not configure this setting, security intelligence update sources will be contacted in a default order. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -5783,32 +3993,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -5823,19 +4015,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable download of security intelligence updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update. +This policy setting allows you to enable download of security intelligence updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update. If you enable this setting, security intelligence updates will be downloaded from Microsoft Update. If you disable or do not configure this setting, security intelligence updates will be downloaded from the configured download source. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5852,32 +4039,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -5892,19 +4061,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable real-time security intelligence updates in response to reports sent to Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest security intelligence update has security intelligence for a threat involving that file, the service will receive all of the latest security intelligence for that threat immediately. You must have configured your computer to join Microsoft MAPS for this functionality to work. +This policy setting allows you to enable real-time security intelligence updates in response to reports sent to Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest security intelligence update has security intelligence for a threat involving that file, the service will receive all of the latest security intelligence for that threat immediately. You must have configured your computer to join Microsoft MAPS for this functionality to work. If you enable or do not configure this setting, real-time security intelligence updates will be enabled. If you disable this setting, real-time security intelligence updates will disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -5921,32 +4085,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -5961,7 +4107,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the day of the week on which to check for security intelligence updates. The check can also be configured to run every day or to never run at all. +This policy setting allows you to specify the day of the week on which to check for security intelligence updates. The check can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: @@ -5980,12 +4126,7 @@ If you enable this setting, the check for security intelligence updates will occ If you disable or do not configure this setting, the check for security intelligence updates will occur at a default frequency. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6002,32 +4143,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -6042,19 +4165,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the time of day at which to check for security intelligence updates. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default this setting is configured to check for security intelligence updates 15 minutes before the scheduled scan time. The schedule is based on local time on the computer where the check is occurring. +This policy setting allows you to specify the time of day at which to check for security intelligence updates. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default this setting is configured to check for security intelligence updates 15 minutes before the scheduled scan time. The schedule is based on local time on the computer where the check is occurring. If you enable this setting, the check for security intelligence updates will occur at the time of day specified. If you disable or do not configure this setting, the check for security intelligence updates will occur at the default time. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -6071,32 +4189,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -6111,17 +4211,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the security intelligence location for VDI-configured computers. +This policy setting allows you to define the security intelligence location for VDI-configured computers. If you disable or do not configure this setting, security intelligence will be referred from the default local source. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6138,32 +4233,14 @@ ADMX Info: - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -6178,19 +4255,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the antimalware service to receive notifications to disable individual security intelligence in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notifications to disable security intelligence that are causing false positive reports. You must have configured your computer to join Microsoft MAPS for this functionality to work. +This policy setting allows you to configure the antimalware service to receive notifications to disable individual security intelligence in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notifications to disable security intelligence that are causing false positive reports. You must have configured your computer to join Microsoft MAPS for this functionality to work. If you enable this setting or do not configure, the antimalware service will receive notifications to disable security intelligence. If you disable this setting, the antimalware service will not receive notifications to disable security intelligence. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -6207,32 +4279,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -6247,19 +4301,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of days after which a catch-up security intelligence update will be required. By default, the value of this setting is 1 day. +This policy setting allows you to define the number of days after which a catch-up security intelligence update will be required. By default, the value of this setting is 1 day. If you enable this setting, a catch-up security intelligence update will occur after the specified number of days. If you disable or do not configure this setting, a catch-up security intelligence update will be required after the default number of days. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6276,32 +4325,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -6316,19 +4347,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur immediately after service startup. +This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur immediately after service startup. If you enable this setting, a check for new security intelligence will occur after service startup. If you disable this setting or do not configure this setting, a check for new security intelligence will not occur after service startup. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6345,32 +4371,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/SpynetReporting** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -6385,7 +4393,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. +This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you. 
@@ -6406,12 +4414,7 @@ If you disable or do not configure this setting, you will not join Microsoft MAP In Windows 10, Basic membership is no longer available, so setting the value to 1 or 2 enrolls the device into Advanced membership. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6428,32 +4431,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -6468,19 +4453,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy. + This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Policy. -If you enable this setting, the local preference setting will take priority over Group Policy. +If you enable this setting, the local preference setting will take priority over Policy. -If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. +If you disable or do not configure this setting, Policy will take priority over the local preference setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6498,32 +4478,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -6538,7 +4500,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting customize which remediation action will be taken for each listed Threat ID when it is detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains the action ID for the remediation action that should be taken. +This policy setting customize which remediation action will be taken for each listed Threat ID when it is detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains the action ID for the remediation action that should be taken. Valid remediation action values are: @@ -6547,12 +4509,7 @@ Valid remediation action values are: - 6 = Ignore -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6569,32 +4526,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -6609,19 +4548,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncated before display. +This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncated before display. If you enable this setting, the additional text specified will be displayed. If you disable or do not configure this setting, there will be no additional text displayed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6638,32 +4572,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -6678,19 +4594,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Use this policy setting to specify if you want Microsoft Defender Antivirus notifications to display on clients. +Use this policy setting to specify if you want Microsoft Defender Antivirus notifications to display on clients. If you disable or do not configure this setting, Microsoft Defender Antivirus notifications will display on clients. If you enable this setting, Microsoft Defender Antivirus notifications will not display on clients. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6707,32 +4618,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -6747,17 +4640,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows user to suppress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode). +This policy setting allows user to suppress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode). If you enable this setting AM UI won't show reboot notifications. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6774,32 +4662,14 @@ ADMX Info: **ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -6814,17 +4684,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not to display AM UI to the users. +This policy setting allows you to configure whether or not to display AM UI to the users. If you enable this setting AM UI won't be available to users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6837,8 +4702,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-mmc.md b/windows/client-management/mdm/policy-csp-admx-mmc.md index 05474b42bb..9eff49d85c 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmc.md +++ b/windows/client-management/mdm/policy-csp-admx-mmc.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_MMC -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -46,32 +50,14 @@ manager: dansimp **ADMX_MMC/MMC_ActiveXControl** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -86,7 +72,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits use of this snap-in. +This policy setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. @@ -103,12 +89,7 @@ To explicitly prohibit use of this snap-in, disable this setting. If this settin When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -125,32 +106,14 @@ ADMX Info: **ADMX_MMC/MMC_ExtendView** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -165,7 +128,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits use of this snap-in. +This policy setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. @@ -182,12 +145,7 @@ To explicitly prohibit use of this snap-in, disable this setting. If this settin When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -204,32 +162,14 @@ ADMX Info: **ADMX_MMC/MMC_LinkToWeb** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -244,7 +184,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits use of this snap-in. +This policy setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. @@ -261,12 +201,7 @@ To explicitly prohibit use of this snap-in, disable this setting. If this settin When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -283,32 +218,14 @@ ADMX Info: **ADMX_MMC/MMC_Restrict_Author** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -323,7 +240,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from entering author mode. +This policy setting prevents users from entering author mode. This setting prevents users from opening the Microsoft Management Console (MMC) in author mode, explicitly opening console files in author mode, and opening any console files that open in author mode by default. @@ -334,12 +251,7 @@ This setting permits users to open MMC user-mode console files, such as those on If you disable this setting or do not configure it, users can enter author mode and open author-mode console files. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -356,32 +268,14 @@ ADMX Info: **ADMX_MMC/MMC_Restrict_To_Permitted_Snapins** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -396,7 +290,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins. +This policy setting lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins. - If you enable this setting, all snap-ins are prohibited, except those that you explicitly permit. Use this setting if you plan to prohibit use of most snap-ins. @@ -412,12 +306,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > If you enable this setting, and you do not enable any settings in the Restricted/Permitted snap-ins folder, users cannot use any MMC snap-ins. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -430,8 +319,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md index c628cc0a3f..41e81ccde0 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md +++ b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_MMCSnapins -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -343,32 +347,14 @@ manager: dansimp **ADMX_MMCSnapins/MMC_ADMComputers_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  
@@ -383,27 +369,22 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +If you enable this policy setting, the snap-in is permitted. It can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited. It cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. 
To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. +When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -420,32 +401,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_ADMComputers_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  
@@ -460,27 +423,22 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +If you enable this policy setting, the snap-in is permitted. It can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited. It cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. 
To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. +When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -498,32 +456,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_ADMUsers_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -538,7 +478,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -553,12 +493,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -576,32 +511,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_ADMUsers_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -616,7 +533,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -631,12 +548,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -654,32 +566,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_ADSI** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -694,7 +588,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -709,12 +603,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -732,32 +621,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_ActiveDirDomTrusts** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -772,7 +643,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -787,12 +658,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable.For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -810,32 +676,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_ActiveDirSitesServices** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -850,7 +698,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. 
@@ -862,15 +710,10 @@ If this policy setting is not configured, the setting of the "Restrict users to - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. +When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable.For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -888,32 +731,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_ActiveDirUsersComp** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -928,9 +753,9 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +If you enable this policy setting, the snap-in is permitted. It can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. @@ -943,12 +768,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -966,32 +786,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_AppleTalkRouting** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1006,7 +808,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1021,12 +823,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1044,32 +841,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_AuthMan** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1084,7 +863,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1099,12 +878,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1122,32 +896,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_CertAuth** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1162,7 +918,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1177,12 +933,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1200,32 +951,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_CertAuthPolSet** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1240,7 +973,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1254,12 +987,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1277,32 +1005,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_Certs** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1317,7 +1027,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1331,12 +1041,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1354,32 +1059,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_CertsTemplate** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1394,7 +1081,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1408,12 +1095,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1431,32 +1113,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_ComponentServices** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1471,7 +1135,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1485,12 +1149,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1508,32 +1167,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_ComputerManagement** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1548,7 +1189,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1562,12 +1203,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1585,32 +1221,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_ConnectionSharingNAT** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1625,7 +1243,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1639,12 +1257,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1662,32 +1275,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_DCOMCFG** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1702,7 +1297,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1716,12 +1311,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1739,32 +1329,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_DFS** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1779,7 +1351,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1793,12 +1365,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1816,32 +1383,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_DHCPRelayMgmt** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1856,7 +1405,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1870,12 +1419,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1893,32 +1437,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_DeviceManager_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -1933,7 +1459,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -1947,12 +1473,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1970,32 +1491,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_DeviceManager_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2010,7 +1513,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2024,12 +1527,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2047,32 +1545,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_DiskDefrag** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -2087,7 +1567,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2101,12 +1581,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2124,32 +1599,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_DiskMgmt** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -2164,7 +1621,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2178,12 +1635,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2201,32 +1653,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_EnterprisePKI** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -2241,7 +1675,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2255,12 +1689,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2278,32 +1707,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_EventViewer_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -2318,7 +1729,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2332,12 +1743,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2355,32 +1761,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_EventViewer_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -2395,7 +1783,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2409,12 +1797,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2432,32 +1815,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_EventViewer_3** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -2472,7 +1837,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2486,12 +1851,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2509,32 +1869,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_EventViewer_4** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -2549,7 +1891,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2563,12 +1905,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2587,32 +1924,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_EventViewer_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -2627,7 +1946,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2641,12 +1960,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2664,32 +1978,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_FAXService** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -2704,7 +2000,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2718,12 +2014,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2741,32 +2032,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_FailoverClusters** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -2781,7 +2054,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2795,12 +2068,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2818,32 +2086,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_FolderRedirection_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -2858,7 +2108,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2872,12 +2122,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2895,32 +2140,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_FolderRedirection_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -2935,7 +2162,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -2949,12 +2176,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2972,32 +2194,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_FrontPageExt** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3012,7 +2216,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3026,12 +2230,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3049,32 +2248,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_GroupPolicyManagementSnapIn** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3089,7 +2270,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3103,12 +2284,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3126,32 +2302,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_GroupPolicySnapIn** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3166,7 +2324,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3180,12 +2338,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3203,32 +2356,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_GroupPolicyTab** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3243,7 +2378,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. +This policy setting permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you enable this setting, the Group Policy tab is displayed in the property sheet for a site, domain, or organizational unit displayed by the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you disable the setting, the Group Policy tab is not displayed in those snap-ins. @@ -3259,12 +2394,7 @@ To explicitly prohibit use of the Group Policy tab, disable this setting. If thi When the Group Policy tab is inaccessible, it does not appear in the site, domain, or organizational unit property sheets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3282,32 +2412,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_HRA** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3322,7 +2434,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3336,12 +2448,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3359,32 +2466,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_IAS** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3399,7 +2488,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3413,12 +2502,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3436,32 +2520,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_IASLogging** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3476,7 +2542,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3490,12 +2556,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3513,32 +2574,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_IEMaintenance_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3553,7 +2596,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3567,12 +2610,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3590,32 +2628,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_IEMaintenance_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3630,7 +2650,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3644,12 +2664,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3667,32 +2682,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_IGMPRouting** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3707,7 +2704,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3721,12 +2718,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3744,32 +2736,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_IIS** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3784,7 +2758,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3798,12 +2772,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3821,32 +2790,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_IPRouting** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3861,7 +2812,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3875,12 +2826,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3898,32 +2844,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_IPSecManage_GP** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -3938,7 +2866,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -3952,12 +2880,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3975,32 +2898,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_IPXRIPRouting** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4015,7 +2920,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4029,12 +2934,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4052,32 +2952,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_IPXRouting** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4092,7 +2974,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4106,12 +2988,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4129,32 +3006,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_IPXSAPRouting** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4169,7 +3028,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4183,12 +3042,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4206,32 +3060,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_IndexingService** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4246,7 +3082,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4260,12 +3096,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4283,32 +3114,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_IpSecManage** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4323,7 +3136,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4337,12 +3150,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4360,32 +3168,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_IpSecMonitor** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4400,7 +3190,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4414,12 +3204,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4437,32 +3222,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_LocalUsersGroups** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4477,7 +3244,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4491,12 +3258,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4514,32 +3276,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_LogicalMappedDrives** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4554,7 +3298,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4568,12 +3312,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4591,32 +3330,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_NPSUI** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4631,7 +3352,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4645,12 +3366,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4668,32 +3384,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_NapSnap** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4708,7 +3406,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4722,12 +3420,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4745,32 +3438,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_NapSnap_GP** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4785,7 +3460,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4799,12 +3474,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4822,32 +3492,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_Net_Framework** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4862,7 +3514,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4876,12 +3528,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4899,32 +3546,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_OCSP** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -4939,7 +3568,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -4953,12 +3582,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4976,32 +3600,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_OSPFRouting** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -5016,7 +3622,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5030,12 +3636,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5053,32 +3654,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_PerfLogsAlerts** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -5093,7 +3676,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5107,12 +3690,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5130,32 +3708,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_PublicKey** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -5170,7 +3730,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5184,12 +3744,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5207,32 +3762,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_QoSAdmission** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -5247,7 +3784,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5261,12 +3798,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5284,32 +3816,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_RAS_DialinUser** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -5324,7 +3838,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5338,12 +3852,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5361,32 +3870,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_RIPRouting** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -5401,7 +3892,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5415,12 +3906,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5438,32 +3924,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_RIS** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -5478,7 +3946,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5492,12 +3960,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5515,32 +3978,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_RRA** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -5555,7 +4000,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5569,12 +4014,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5592,32 +4032,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_RSM** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -5632,7 +4054,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5646,12 +4068,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5669,32 +4086,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_RemStore** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -5709,7 +4108,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5723,12 +4122,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5746,32 +4140,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_RemoteAccess** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -5786,7 +4162,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5800,12 +4176,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5823,32 +4194,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_RemoteDesktop** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -5863,7 +4216,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5877,12 +4230,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5900,32 +4248,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_ResultantSetOfPolicySnapIn** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -5940,7 +4270,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -5954,12 +4284,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5977,32 +4302,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_Routing** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -6017,7 +4324,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6031,12 +4338,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6054,32 +4356,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_SCA** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -6094,7 +4378,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6108,12 +4392,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6131,32 +4410,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_SMTPProtocol** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -6171,7 +4432,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6185,12 +4446,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6208,32 +4464,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_SNMP** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -6248,7 +4486,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6262,12 +4500,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6285,32 +4518,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_ScriptsMachine_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -6325,7 +4540,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6339,12 +4554,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6362,32 +4572,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_ScriptsMachine_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -6402,7 +4594,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6416,12 +4608,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6439,32 +4626,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_ScriptsUser_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -6479,7 +4648,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6493,12 +4662,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6516,32 +4680,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_ScriptsUser_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -6556,7 +4702,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6570,12 +4716,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6593,32 +4734,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_SecuritySettings_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -6633,7 +4756,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6647,12 +4770,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6670,32 +4788,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_SecuritySettings_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -6710,7 +4810,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6724,12 +4824,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6747,32 +4842,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_SecurityTemplates** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -6787,7 +4864,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6801,12 +4878,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6824,32 +4896,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_SendConsoleMessage** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -6864,7 +4918,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6878,12 +4932,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6901,32 +4950,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_ServerManager** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -6941,7 +4972,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -6955,12 +4986,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6978,32 +5004,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_ServiceDependencies** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -7018,7 +5026,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7032,12 +5040,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7055,32 +5058,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_Services** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -7095,7 +5080,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7109,12 +5094,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7132,32 +5112,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_SharedFolders** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -7172,7 +5134,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7186,12 +5148,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7209,32 +5166,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_SharedFolders_Ext** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -7249,7 +5188,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7263,12 +5202,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7286,32 +5220,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -7326,7 +5242,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7340,12 +5256,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7363,32 +5274,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -7403,7 +5296,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7417,12 +5310,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7440,32 +5328,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -7480,7 +5350,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7494,12 +5364,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7517,32 +5382,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -7557,7 +5404,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7571,12 +5418,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7594,32 +5436,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_SysInfo** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -7634,7 +5458,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7648,12 +5472,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7671,32 +5490,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_SysProp** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -7711,7 +5512,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7725,12 +5526,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7748,32 +5544,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_TPMManagement** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -7788,7 +5566,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7802,12 +5580,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7825,32 +5598,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_Telephony** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -7865,7 +5620,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7879,12 +5634,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7902,32 +5652,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_TerminalServices** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -7942,7 +5674,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -7956,12 +5688,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7979,32 +5706,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_WMI** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -8019,7 +5728,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8033,12 +5742,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8056,32 +5760,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_WindowsFirewall** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -8096,7 +5782,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8110,12 +5796,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8133,32 +5814,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_WindowsFirewall_GP** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -8173,7 +5836,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8187,12 +5850,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8210,32 +5868,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_WiredNetworkPolicy** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -8250,7 +5890,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8264,12 +5904,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8287,32 +5922,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_WirelessMon** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -8327,7 +5944,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8341,12 +5958,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8364,32 +5976,14 @@ ADMX Info: **ADMX_MMCSnapins/MMC_WirelessNetworkPolicy** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -8404,7 +5998,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in. +This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. @@ -8418,12 +6012,7 @@ If this policy setting is not configured, the setting of the "Restrict users to When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8435,7 +6024,6 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md new file mode 100644 index 0000000000..1b428b1884 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md 
@@ -0,0 +1,135 @@
+---
+title: Policy CSP - ADMX_MobilePCMobilityCenter
+description: Policy CSP - ADMX_MobilePCMobilityCenter
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nimishasatapathy
+ms.date: 09/20/2021
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_MobilePCMobilityCenter
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
                  + + +## ADMX_MobilePCMobilityCenter policies + +
                  +
                  + ADMX_MobilePCMobilityCenter/MobilityCenterEnable_1 +
                  +
                  + ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2 +
                  +
                  + + +
                  + + +**ADMX_MobilePCMobilityCenter/MobilityCenterEnable_1** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
                  +
+
+
+This policy setting turns off Windows Mobility Center.
+- If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch it.
+
+- If you disable this policy setting, the user is able to invoke Windows Mobility Center and the .exe file launches it.
+
+If you do not configure this policy setting, Windows Mobility Center is on by default.
+
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Turn off Windows Mobility Center*
+- GP name: *MobilityCenterEnable_1*
+- GP path: *Windows Components\Windows Mobility Center*
+- GP ADMX file name: *MobilePCMobilityCenter.admx*
+
+
+
+
                  + + +**ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
                  +
+
+
+This policy setting turns off Windows Mobility Center.
+- If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch it.
+
+- If you disable this policy setting, the user is able to invoke Windows Mobility Center and the .exe file launches it.
+
+If you do not configure this policy setting, Windows Mobility Center is on by default.
+
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Turn off Windows Mobility Center*
+- GP name: *MobilityCenterEnable_2*
+- GP path: *Windows Components\Windows Mobility Center*
+- GP ADMX file name: *MobilePCMobilityCenter.admx*
+
+
+
                  +
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md
new file mode 100644
index 0000000000..f9fe20c69c
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md
@@ -0,0 +1,147 @@
+---
+title: Policy CSP - ADMX_MobilePCPresentationSettings
+description: Policy CSP - ADMX_MobilePCPresentationSettings
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nimishasatapathy
+ms.date: 09/20/2021
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_MobilePCPresentationSettings
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
                  + + +## ADMX_MobilePCPresentationSettings policies + +
                  +
                  + ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_1 +
                  +
                  + ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2 +
                  +
                  + +
                  + + + +**ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_1** + + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
                  +
+
+
+This policy setting turns off Windows presentation settings.
+
+- If you enable this policy setting, Windows presentation settings cannot be invoked.
+
+- If you disable this policy setting, Windows presentation settings can be invoked.
+
+The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure their system settings before a presentation to block system notifications and screen blanking, adjust speaker volume, and apply a custom background image.
+
+> [!NOTE]
+> Users will be able to customize their system settings for presentations in Windows Mobility Center.
+If you do not configure this policy setting, Windows presentation settings can be invoked.
+
+
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Turn off Windows presentation settings*
+- GP name: *PresentationSettingsEnable_1*
+- GP path: *Windows Components\Presentation Settings*
+- GP ADMX file name: *MobilePCPresentationSettings.admx*
+
+
+
+
                  + + +**ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
                  +
+
+
+This policy setting turns off Windows presentation settings.
+
+- If you enable this policy setting, Windows presentation settings cannot be invoked.
+
+- If you disable this policy setting, Windows presentation settings can be invoked.
+
+The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure their system settings before a presentation to block system notifications and screen blanking, adjust speaker volume, and apply a custom background image.
+
+> [!NOTE]
+> Users will be able to customize their system settings for presentations in Windows Mobility Center.
+If you do not configure this policy setting, Windows presentation settings can be invoked.
+
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Turn off Windows presentation settings*
+- GP name: *PresentationSettingsEnable_2*
+- GP path: *Windows Components\Presentation Settings*
+- GP ADMX file name: *MobilePCPresentationSettings.admx*
+
+
+
                  + + + diff --git a/windows/client-management/mdm/policy-csp-admx-msapolicy.md b/windows/client-management/mdm/policy-csp-admx-msapolicy.md index 99d423e98d..c99d918ce9 100644 --- a/windows/client-management/mdm/policy-csp-admx-msapolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-msapolicy.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_MSAPolicy -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -34,32 +38,14 @@ manager: dansimp **ADMX_MSAPolicy/MicrosoftAccount_DisableUserAuth** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -74,7 +60,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether users can provide Microsoft accounts for authentication for applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. +This policy setting controls whether users can provide Microsoft accounts for authentication for applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. This applies both to existing users of a device and new users who may be added. However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires. @@ -83,12 +69,7 @@ It is recommended to enable this setting before any user signs in to a device to By default, this setting is Disabled. This setting does not affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -101,8 +82,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-msched.md b/windows/client-management/mdm/policy-csp-admx-msched.md index 0264d6cb1d..f5fdba58e4 100644 --- a/windows/client-management/mdm/policy-csp-admx-msched.md +++ b/windows/client-management/mdm/policy-csp-admx-msched.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_msched -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -37,32 +41,14 @@ manager: dansimp **ADMX_msched/ActivationBoundaryPolicy** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -77,19 +63,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Automatic Maintenance activation boundary. The maintenance activation boundary is the daily scheduled time at which Automatic Maintenance starts. +This policy setting allows you to configure Automatic Maintenance activation boundary. The maintenance activation boundary is the daily scheduled time at which Automatic Maintenance starts. If you enable this policy setting, this will override the default daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel. If you disable or do not configure this policy setting, the daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -106,32 +87,14 @@ ADMX Info: **ADMX_msched/RandomDelayPolicy** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -146,7 +109,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Automatic Maintenance activation random delay. +This policy setting allows you to configure Automatic Maintenance activation random delay. The maintenance random delay is the amount of time up to which Automatic Maintenance will delay starting from its Activation Boundary. @@ -157,12 +120,7 @@ If you do not configure this policy setting, 4 hour random delay will be applied If you disable this policy setting, no random delay will be applied to Automatic Maintenance. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -176,8 +134,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-msdt.md b/windows/client-management/mdm/policy-csp-admx-msdt.md index a8bf9c9ad2..06d2770f44 100644 --- a/windows/client-management/mdm/policy-csp-admx-msdt.md +++ b/windows/client-management/mdm/policy-csp-admx-msdt.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_MSDT -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -40,32 +44,14 @@ manager: dansimp **ADMX_MSDT/MsdtSupportProvider** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -80,7 +66,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. +This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. If you enable this policy setting, users can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. @@ -93,12 +79,7 @@ If you do not configure this policy setting, MSDT support mode is enabled by def No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -115,32 +96,14 @@ ADMX Info: **ADMX_MSDT/MsdtToolDownloadPolicy** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -155,7 +118,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the tool download policy for Microsoft Support Diagnostic Tool. +This policy setting restricts the tool download policy for Microsoft Support Diagnostic Tool. Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. @@ -180,12 +143,7 @@ When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -202,32 +160,14 @@ ADMX Info: **ADMX_MSDT/WdiScenarioExecutionPolicy** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -242,7 +182,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the execution level for Microsoft Support Diagnostic Tool. +This policy setting determines the execution level for Microsoft Support Diagnostic Tool. Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. If you enable this policy setting, administrators can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. @@ -255,12 +195,7 @@ No reboots or service restarts are required for this policy setting to take effe This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -273,8 +208,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md index 0970c6a14e..e6c1aed15a 100644 --- a/windows/client-management/mdm/policy-csp-admx-msi.md +++ b/windows/client-management/mdm/policy-csp-admx-msi.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_MSI -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -102,32 +106,14 @@ manager: dansimp **ADMX_MSI/AllowLockdownBrowse** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -142,7 +128,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to search for installation files during privileged installations. +This policy setting allows users to search for installation files during privileged installations. If you enable this policy setting, the Browse button in the "Use feature from" dialog box is enabled. As a result, users can search for installation files even when the installation program is running with elevated system privileges. @@ -153,12 +139,7 @@ This policy setting does not affect installations that run in the user's securit If you disable or do not configure this policy setting, by default, only system administrators can browse during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -176,32 +157,14 @@ ADMX Info: **ADMX_MSI/AllowLockdownMedia** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -216,7 +179,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to install programs from removable media during privileged installations. +This policy setting allows users to install programs from removable media during privileged installations. If you enable this policy setting, all users are permitted to install programs from removable media, such as floppy disks and CD-ROMs, even when the installation program is running with elevated system privileges. @@ -227,12 +190,7 @@ If you disable or do not configure this policy setting, by default, users can in Also, see the "Prevent removable media source for any install" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -250,32 +208,14 @@ ADMX Info: **ADMX_MSI/AllowLockdownPatch** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
                  @@ -290,7 +230,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to patch elevated products. +This policy setting allows users to patch elevated products. If you enable this policy setting, all users are permitted to install patches, even when the installation program is running with elevated system privileges. Patches are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for malicious programs, some installations prohibit their use. @@ -298,12 +238,7 @@ If you disable or do not configure this policy setting, by default, only system This policy setting does not affect installations that run in the user's security context. By default, users can install patches to programs that run in their own security context. Also, see the "Prohibit patching" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -321,32 +256,14 @@ ADMX Info: **ADMX_MSI/DisableAutomaticApplicationShutdown** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -361,7 +278,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Windows Installer's interaction with the Restart Manager. The Restart Manager API can eliminate or reduce the number of system restarts that are required to complete an installation or update. +This policy setting controls Windows Installer's interaction with the Restart Manager. The Restart Manager API can eliminate or reduce the number of system restarts that are required to complete an installation or update. If you enable this policy setting, you can use the options in the Prohibit Use of Restart Manager box to control file in use detection behavior. @@ -374,12 +291,7 @@ If you enable this policy setting, you can use the options in the Prohibit Use o If you disable or do not configure this policy setting, Windows Installer will use Restart Manager to detect files in use and mitigate a system restart, when possible. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -397,32 +309,14 @@ ADMX Info: **ADMX_MSI/DisableBrowse** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -437,7 +331,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from searching for installation files when they add features or components to an installed program. +This policy setting prevents users from searching for installation files when they add features or components to an installed program. If you enable this policy setting, the Browse button beside the "Use feature from" list in the Windows Installer dialog box is disabled. As a result, users must select an installation file source from the "Use features from" list that the system administrator configures. @@ -450,12 +344,7 @@ This policy setting affects Windows Installer only. It does not prevent users fr Also, see the "Enable user to browse for source while elevated" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -473,32 +362,14 @@ ADMX Info: **ADMX_MSI/DisableFlyweightPatching** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -513,19 +384,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to turn off all patch optimizations. +This policy setting controls the ability to turn off all patch optimizations. If you enable this policy setting, all Patch Optimization options are turned off during the installation. If you disable or do not configure this policy setting, it enables faster application of patches by removing execution of unnecessary actions. The flyweight patching mode is primarily designed for patches that just update a few files or registry values. The Installer will analyze the patch for specific changes to determine if optimization is possible. If so, the patch will be applied using a minimal set of processing. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -543,32 +409,14 @@ ADMX Info: **ADMX_MSI/DisableLoggingFromPackage** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -583,7 +431,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Windows Installer's processing of the MsiLogging property. The MsiLogging property in an installation package can be used to enable automatic logging of all install operations for the package. +This policy setting controls Windows Installer's processing of the MsiLogging property. The MsiLogging property in an installation package can be used to enable automatic logging of all install operations for the package. If you enable this policy setting, you can use the options in the Disable logging via package settings box to control automatic logging via package settings behavior. @@ -594,12 +442,7 @@ If you enable this policy setting, you can use the options in the Disable loggin If you disable or do not configure this policy setting, Windows Installer will automatically generate log files for those packages that include the MsiLogging property. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -617,32 +460,14 @@ ADMX Info: **ADMX_MSI/DisableMSI** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -657,11 +482,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the use of Windows Installer. +This policy setting restricts the use of Windows Installer. If you enable this policy setting, you can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting. -- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the default behavior for Windows Installer on Windows 2000 Professional, Windows XP Professional and Windows Vista when the policy is not configured. +- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. - The "For non-managed applications only" option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them to Add or Remove Programs). This is the default behavior of Windows Installer on Windows Server 2003 family when the policy is not configured. 
@@ -670,12 +495,7 @@ If you enable this policy setting, you can prevent users from installing softwar This policy setting affects Windows Installer only. It does not prevent users from using other methods to install and upgrade programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -693,32 +513,14 @@ ADMX Info: **ADMX_MSI/DisableMedia** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -733,7 +535,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from installing any programs from removable media. +This policy setting prevents users from installing any programs from removable media. If you enable this policy setting, if a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears stating that the feature cannot be found. @@ -744,12 +546,7 @@ If you disable or do not configure this policy setting, users can install from r Also, see the "Enable user to use media source while elevated" and "Hide the 'Add a program from CD-ROM or floppy disk' option" policy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -767,32 +564,14 @@ ADMX Info: **ADMX_MSI/DisablePatch** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -807,7 +586,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Windows Installer to install patches. +This policy setting prevents users from using Windows Installer to install patches. If you enable this policy setting, users are prevented from using Windows Installer to install patches. Patches are updates or upgrades that replace only those program files that have changed. Because patches can be easy vehicles for malicious programs, some installations prohibit their use. @@ -819,12 +598,7 @@ If you disable or do not configure this policy setting, by default, users who ar Also, see the "Enable user to patch elevated products" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -842,32 +616,14 @@ ADMX Info: **ADMX_MSI/DisableRollback_1** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -882,7 +638,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. +This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. @@ -890,12 +646,7 @@ This policy setting is designed to reduce the amount of temporary disk space req This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -913,32 +664,14 @@ ADMX Info: **ADMX_MSI/DisableRollback_2** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -953,7 +686,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. +This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. @@ -962,12 +695,7 @@ This policy setting is designed to reduce the amount of temporary disk space req This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -985,32 +713,14 @@ ADMX Info: **ADMX_MSI/DisableSharedComponent** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1025,19 +735,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to turn off shared components. +This policy setting controls the ability to turn off shared components. If you enable this policy setting, no packages on the system get the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Component Table. If you disable or do not configure this policy setting, by default, the shared component functionality is allowed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1055,32 +760,14 @@ ADMX Info: **ADMX_MSI/MSILogging** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1095,7 +782,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the types of events that Windows Installer records in its transaction log for each installation. The log, Msi.log, appears in the Temp directory of the system volume. +Specifies the types of events that Windows Installer records in its transaction log for each installation. The log, Msi.log, appears in the Temp directory of the system volume. When you enable this policy setting, you can specify the types of events you want Windows Installer to record. To indicate that an event type is recorded, type the letter representing the event type. You can type the letters in any order and list as many or as few event types as you want. @@ -1104,12 +791,7 @@ To disable logging, delete all of the letters from the box. If you disable or do not configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1128,32 +810,14 @@ ADMX Info: **ADMX_MSI/MSI_DisableLUAPatching** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1168,7 +832,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. +This policy setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. Non-administrator updates provide a mechanism for the author of an application to create digitally signed updates that can be applied by non-privileged users. @@ -1177,12 +841,7 @@ If you enable this policy setting, only administrators or users with administrat If you disable or do not configure this policy setting, users without administrative privileges can install non-administrator updates. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1201,32 +860,14 @@ ADMX Info: **ADMX_MSI/MSI_DisablePatchUninstall** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1241,7 +882,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability for users or administrators to remove Windows Installer based updates. +This policy setting controls the ability for users or administrators to remove Windows Installer based updates. This policy setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment where you want to ensure that updates once installed cannot be removed by users or administrators. @@ -1250,12 +891,7 @@ If you enable this policy setting, updates cannot be removed from the computer b If you disable or do not configure this policy setting, a user can remove an update from the computer only if the user has been granted privileges to remove the update. This can depend on whether the user is an administrator, whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1274,32 +910,14 @@ ADMX Info: **ADMX_MSI/MSI_DisableSRCheckPoints** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1314,19 +932,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Windows Installer from creating a System Restore checkpoint each time an application is installed. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. +This policy setting prevents Windows Installer from creating a System Restore checkpoint each time an application is installed. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. If you enable this policy setting, the Windows Installer does not generate System Restore checkpoints when installing applications. If you disable or do not configure this policy setting, by default, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed, so that users can restore their computer to the state it was in before installing the application. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1345,32 +958,14 @@ ADMX Info: **ADMX_MSI/MSI_DisableUserInstalls** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1385,19 +980,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure user installs. To configure this policy setting, set it to enabled and use the drop-down list to select the behavior you want. +This policy setting allows you to configure user installs. To configure this policy setting, set it to enabled and use the drop-down list to select the behavior you want. If you do not configure this policy setting, or if the policy setting is enabled and "Allow User Installs" is selected, the installer allows and makes use of products that are installed per user, and products that are installed per computer. If the installer finds a per-user install of an application, this hides a per-computer installation of that same product. If you enable this policy setting and "Hide User Installs" is selected, the installer ignores per-user applications. This causes a per-computer installed application to be visible to users, even if those users have a per-user install of the product registered in their user profile. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1416,32 +1006,14 @@ ADMX Info: **ADMX_MSI/MSI_EnforceUpgradeComponentRules** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1456,7 +1028,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting causes the Windows Installer to enforce strict rules for component upgrades. +This policy setting causes the Windows Installer to enforce strict rules for component upgrades. If you enable this policy setting, strict upgrade rules will be enforced by the Windows Installer which may cause some upgrades to fail. Upgrades can fail if they attempt to do one of the following: @@ -1469,12 +1041,7 @@ The new feature must be added as a new leaf feature to an existing feature tree. If you disable or do not configure this policy setting, the Windows Installer will use less restrictive rules for component upgrades. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1492,32 +1059,14 @@ ADMX Info: **ADMX_MSI/MSI_MaxPatchCacheSize** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1532,7 +1081,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy controls the percentage of disk space available to the Windows Installer baseline file cache. +This policy controls the percentage of disk space available to the Windows Installer baseline file cache. The Windows Installer uses the baseline file cache to save baseline files modified by binary delta difference updates. The cache is used to retrieve the baseline file for future updates. The cache eliminates user prompts for source media when new updates are applied. @@ -1545,12 +1094,7 @@ If you set the baseline cache to 100, the Windows Installer will use available f If you disable or do not configure this policy setting, the Windows Installer will uses a default value of 10 percent for the baseline file cache maximum size. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1568,32 +1112,14 @@ ADMX Info: **ADMX_MSI/MsiDisableEmbeddedUI** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1608,19 +1134,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to prevent embedded UI. +This policy setting controls the ability to prevent embedded UI. If you enable this policy setting, no packages on the system can run embedded UI. If you disable or do not configure this policy setting, embedded UI is allowed to run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1638,32 +1159,14 @@ ADMX Info: **ADMX_MSI/SafeForScripting** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1678,7 +1181,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows Web-based programs to install software on the computer without notifying the user. +This policy setting allows Web-based programs to install software on the computer without notifying the user. If you disable or do not configure this policy setting, by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation. @@ -1687,12 +1190,7 @@ If you enable this policy setting, the warning is suppressed and allows the inst This policy setting is designed for enterprises that use Web-based tools to distribute programs to their employees. However, because this policy setting can pose a security risk, it should be applied cautiously. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1710,32 +1208,14 @@ ADMX Info: **ADMX_MSI/SearchOrder** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1750,7 +1230,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the order in which Windows Installer searches for installation files. +This policy setting specifies the order in which Windows Installer searches for installation files. If you disable or do not configure this policy setting, by default, the Windows Installer searches the network first, then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL). @@ -1763,12 +1243,7 @@ If you enable this policy setting, you can change the search order by specifying To exclude a file source, omit or delete the letter representing that source type. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1786,32 +1261,14 @@ ADMX Info: **ADMX_MSI/TransformsSecure** - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
                  @@ -1826,7 +1283,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting saves copies of transform files in a secure location on the local computer. +This policy setting saves copies of transform files in a secure location on the local computer. Transform files consist of instructions to modify or customize a program during installation. @@ -1838,15 +1295,8 @@ This policy setting is designed for enterprises to prevent unauthorized or malic If you disable this policy setting, Windows Installer stores transform files in the Application Data directory in the user's profile. -If you do not configure this policy setting on Windows 2000 Professional, Windows XP Professional and Windows Vista, when a user reinstalls, removes, or repairs an installation, the transform file is available, even if the user is on a different computer or is not connected to the network. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1860,7 +1310,6 @@ ADMX Info:
-> [!NOTE]
-> These policies are currently only available as part of a Windows Insider release.
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md
new file mode 100644
index 0000000000..7eb8878caf
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md
@@ -0,0 +1,97 @@
+---
+title: Policy CSP - ADMX_MsiFileRecovery
+description: Policy CSP - ADMX_MsiFileRecovery
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nimishasatapathy
+ms.date: 09/20/2021
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_MsiFileRecovery
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
+
+## ADMX_MsiFileRecovery policies
+
+
                  +
                  + ADMX_MsiFileRecovery/WdiScenarioExecutionPolicy +
                  +
                  + +
+
+
+**ADMX_MsiFileRecovery/WdiScenarioExecutionPolicy**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting allows you to configure the recovery behavior for corrupted MSI files to one of three states:
+
+- Prompt for Resolution: Detection, troubleshooting, and recovery of corrupted MSI applications will be turned on. Windows will prompt the user with a dialog-box when application reinstallation is required.
+This is the default recovery behavior on Windows client.
+
+- Silent: Detection, troubleshooting, and notification of MSI application to reinstall will occur with no UI. Windows will log an event when corruption is determined and will suggest the application that should be re-installed. This behavior is recommended for headless operation and is the default recovery behavior on Windows server.
+
+- Troubleshooting Only: Detection and verification of file corruption will be performed without UI.
+Recovery is not attempted.
+
+- If you enable this policy setting, the recovery behavior for corrupted files is set to either the Prompt For Resolution (default on Windows client), Silent (default on Windows server), or Troubleshooting Only.
+
+- If you disable this policy setting, the troubleshooting and recovery behavior for corrupted files will be disabled. No troubleshooting or resolution will be attempted.
+
+If you do not configure this policy setting, the recovery behavior for corrupted files will be set to the default recovery behavior. No system or service restarts are required for changes to this policy setting to take immediate effect after a Group Policy refresh.
+
+> [!NOTE]
+> This policy setting will take effect only when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, system file recovery will not be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
+ + + + + +ADMX Info: +- GP Friendly name: *Configure MSI Corrupted File Recovery behavior* +- GP name: *WdiScenarioExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics\MSI Corrupted File Recovery* +- GP ADMX file name: *MsiFileRecovery.admx* + + + + +
                  + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md index f35134f108..1ed67abd42 100644 --- a/windows/client-management/mdm/policy-csp-admx-nca.md +++ b/windows/client-management/mdm/policy-csp-admx-nca.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_nca -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -57,28 +61,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -95,7 +105,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource. +This policy setting specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource. Each string can be one of the following types: @@ -112,12 +122,7 @@ Each string can be one of the following types: You must configure this setting to have complete NCA functionality. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -136,28 +141,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -174,15 +185,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands. +This policy setting specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -201,28 +207,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -239,7 +251,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints. +This policy setting specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints. By default, NCA uses the same DirectAccess server that the DirectAccess client computer connection is using. In default configurations of DirectAccess, there are typically two IPsec tunnel endpoints: one for the infrastructure tunnel and one for the intranet tunnel. You should configure one endpoint for each tunnel. @@ -248,12 +260,7 @@ Each entry consists of the text PING: followed by the IPv6 address of an IPsec t You must configure this setting to have complete NCA functionality. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -272,28 +279,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -310,17 +323,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation. +This policy setting specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation. If this setting is not configured, the string that appears for DirectAccess connectivity is “Corporate Connection”. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -339,28 +347,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -377,7 +391,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon. +This policy setting specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon. If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. Note that NCA does not remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names. @@ -391,12 +405,7 @@ To restore the DirectAccess rules to the NRPT and resume normal DirectAccess fun If this setting is not configured, users do not have Connect or Disconnect options. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -415,28 +424,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -453,16 +468,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether NCA service runs in Passive Mode or not. +This policy setting specifies whether NCA service runs in Passive Mode or not. Set this to Disabled to keep NCA probing actively all the time. If this setting is not configured, NCA probing is in active mode by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -481,28 +491,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -519,19 +535,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon. +This policy setting specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon. Set this to Disabled to prevent user confusion when you are just using DirectAccess to remotely manage DirectAccess client computers from your intranet and not providing seamless intranet access. If this setting is not configured, the entry for DirectAccess connectivity appears. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -550,28 +561,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -588,17 +605,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. +This policy setting specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. When the user sends the log files to the Administrator, NCA uses the default e-mail client to open a new message with the support email address in the To: field of the message, then attaches the generated log files as a .html file. The user can review the message and add additional information before sending the message. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -611,8 +623,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md index 4981561468..9aff94fad5 100644 --- a/windows/client-management/mdm/policy-csp-admx-ncsi.md +++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_NCSI -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -54,28 +58,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -92,15 +102,10 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity. +This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -119,28 +124,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -157,15 +168,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity. +This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -184,28 +190,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -222,15 +234,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity. +This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -249,28 +256,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -287,15 +300,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed. +This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -317,28 +325,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -355,15 +369,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network. +This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -382,28 +391,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -420,15 +435,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface. +This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -447,28 +457,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -485,15 +501,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior. +This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -506,7 +517,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md index f8c2d7401e..60cfff66e4 100644 --- a/windows/client-management/mdm/policy-csp-admx-netlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Netlogon -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -138,28 +142,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -176,7 +186,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any configured site. +This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any configured site. Domain controllers use the client IP address during a DC locator ping request to compute which Active Directory site the client belongs to. If no site mapping can be computed, the DC may do an address lookup on the client network name to discover other IP addresses which may then be used to compute a matching site for the client. @@ -191,12 +201,7 @@ To specify this behavior in the DC Locator DNS SRV records, click Enabled, and t If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -215,28 +220,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -253,7 +264,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such scenarios. +This policy setting determines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such scenarios. By default, DC Locator APIs can return IPv4/IPv6 DC address. But if some applications are broken due to the returned IPv6 DC address, this policy can be used to disable the default behavior and enforce to return only IPv4 DC address. Once applications are fixed, this policy can be used to enable the default behavior. 
@@ -264,12 +275,7 @@ If you disable this policy setting, DC Locator APIs will ONLY return IPv4 DC add If you do not configure this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -290,28 +296,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -328,7 +340,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, is not used if the AllowSingleLabelDnsDomain policy setting is enabled. +This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, is not used if the AllowSingleLabelDnsDomain policy setting is enabled. By default, when no setting is specified for this policy, the behavior is the same as explicitly enabling this policy, unless the AllowSingleLabelDnsDomain policy setting is enabled. 
@@ -337,12 +349,7 @@ If you enable this policy setting, when the AllowSingleLabelDnsDomain policy is If you disable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name. The computers will not attempt DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -363,28 +370,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -401,7 +414,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2000 or later, including this version of Windows. +This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2000 or later, including this version of Windows. By default, Net Logon will not allow the older cryptography algorithms to be used and will not include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 will not be able to establish a connection to this domain controller. @@ -412,12 +425,7 @@ If you disable this policy setting, Net Logon will not allow the negotiation and If you do not configure this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -438,28 +446,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -476,7 +490,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names. +This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names. By default, the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSearch policy is disabled, then NetBIOS name resolution is used exclusively, to locate a domain controller hosting an Active Directory domain specified with a single-label name. @@ -487,12 +501,7 @@ If you disable this policy setting, computers to which this setting is applied w If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -513,28 +522,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -551,7 +566,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. +This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. If you enable this policy setting, the DCs to which this setting is applied dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the same forest, exists. @@ -560,12 +575,7 @@ If you disable this policy setting, the DCs will not register site-specific DC L If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -586,28 +596,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -624,7 +640,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism. +This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism. NetBIOS-based discovery uses a WINS server and mailslot messages but does not use site information. Hence it does not ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons, NetBIOS-based discovery is not recommended. 
@@ -636,12 +652,7 @@ If you enable or do not configure this policy setting, the DC location algorithm If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -662,28 +673,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -700,7 +717,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emulator if the DC failed to validate the password. +This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emulator if the DC failed to validate the password. Contacting the PDC emulator is useful in case the client’s password was recently changed and did not propagate to the DC yet. Users may want to disable this feature if the PDC emulator is located over a slow WAN connection. @@ -711,12 +728,7 @@ If you disable this policy setting, the DCs will not attempt to verify any passw If you do not configure this policy setting, it is not applied to any DCs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -737,28 +749,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -775,7 +793,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform periodic searches for domain controllers (DC) that are unable to find a DC. +This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform periodic searches for domain controllers (DC) that are unable to find a DC. The default value for this setting is 10 minutes (10*60). @@ -789,12 +807,7 @@ If the value of this setting is less than the value specified in the NegativeCac > If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value set in this setting is very small and the DC is not available, the traffic caused by periodic DC discoveries may be excessive. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -815,28 +828,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -853,7 +872,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC. +This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC. For example, the retry intervals may be set at 10 minutes, then 20 minutes and then 40 minutes, but when the interval reaches the value set in this setting, that value becomes the retry interval for all subsequent retries until the value set in Final DC Discovery Retry Setting is reached. @@ -869,12 +888,7 @@ If the value for this setting is smaller than the value specified for the Initia If the value for this setting is too small and the DC is not available, the frequent retries may produce excessive network traffic. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -895,28 +909,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -933,7 +953,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain controllers (DC) are unable to find a DC. For example, retires may be set to occur according to the Use maximum DC discovery retry interval policy setting, but when the value set in this policy setting is reached, no more retries occur. If a value for this policy setting is smaller than the value in the Use maximum DC discovery retry interval policy setting, the value for Use maximum DC discovery retry interval policy setting is used. +This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain controllers (DC) are unable to find a DC. For example, retires may be set to occur according to the Use maximum DC discovery retry interval policy setting, but when the value set in this policy setting is reached, no more retries occur. If a value for this policy setting is smaller than the value in the Use maximum DC discovery retry interval policy setting, the value for Use maximum DC discovery retry interval policy setting is used. The default value for this setting is to not quit retrying (0). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0. 
@@ -941,12 +961,7 @@ The default value for this setting is to not quit retrying (0). The maximum valu > If the value for this setting is too small, a client will stop trying to find a DC too soon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -967,28 +982,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1005,15 +1026,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0). +This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1034,28 +1050,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1072,7 +1094,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the level of debug output for the Net Logon service. +This policy setting specifies the level of debug output for the Net Logon service. The Net Logon service outputs debug information to the log file netlogon.log in the directory %windir%\debug. By default, no debug information is logged. @@ -1083,12 +1105,7 @@ If you specify zero for this policy setting, the default behavior occurs as desc If you disable this policy setting or do not configure it, the default behavior occurs as described above. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1109,28 +1126,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1147,7 +1170,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines which DC Locator DNS records are not registered by the Net Logon service. +This policy setting determines which DC Locator DNS records are not registered by the Net Logon service. If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that will not be registered by the DCs to which this setting is applied. @@ -1182,12 +1205,7 @@ If you disable this policy setting, DCs configured to perform dynamic registrati If you do not configure this policy setting, DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1208,28 +1226,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1246,7 +1270,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update. +This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update. DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records’ data has not changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database. 
@@ -1258,12 +1282,7 @@ To specify the Refresh Interval of the DC records, click Enabled, and then enter If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1284,28 +1303,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1322,7 +1347,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host name when registering SRV records. +This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host name when registering SRV records. If enabled, domain controllers will lowercase their DNS host name when registering domain controller SRV records. A best-effort attempt will be made to delete any previously registered SRV records that contain mixed-case DNS host names. For more information and potential manual cleanup procedures, see the link below. @@ -1334,12 +1359,7 @@ The default local configuration is enabled. A reboot is not required for changes to this setting to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1360,28 +1380,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1398,18 +1424,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they are used to locate the domain controller (DC). +This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they are used to locate the domain controller (DC). To specify the TTL for DC Locator DNS records, click Enabled, and then enter a value in seconds (for example, the value "900" is 15 minutes). If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1430,28 +1451,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1468,19 +1495,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the additional time for the computer to wait for the domain controller’s (DC) response when logging on to the network. +This policy setting specifies the additional time for the computer to wait for the domain controller’s (DC) response when logging on to the network. To specify the expected dial-up delay at logon, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute). If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1501,28 +1523,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1539,7 +1567,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator. +This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator. The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Locator finds a domain controller, it caches domain controllers to improve the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clients will only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions DC Locator will by default carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries. 
@@ -1550,12 +1578,7 @@ If you disable this policy setting, Force Rediscovery will be used by default fo If you do not configure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval, unless the local machine setting in the registry is a different value. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1576,28 +1599,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1614,7 +1643,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it. +This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it. The GC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the GC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory. 
@@ -1623,12 +1652,7 @@ To specify the sites covered by the GC Locator DNS SRV records, click Enabled, a If you do not configure this policy setting, it is not applied to any GCs, and GCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1649,28 +1673,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1687,7 +1717,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC). +This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC). > [!NOTE] > To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message. @@ -1699,12 +1729,7 @@ If you enable this policy setting, this DC does not process incoming mailslot me If you disable or do not configure this policy setting, this DC processes incoming mailslot messages. This is the default behavior of DC Locator. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1725,28 +1750,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1763,7 +1794,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC. +This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC. The Priority field in the SRV record sets the preference for target hosts (specified in the SRV record’s Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed. @@ -1772,12 +1803,7 @@ To specify the Priority in the DC Locator DNS SRV resource records, click Enable If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1798,28 +1824,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1836,7 +1868,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. +This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. The Weight field in the SRV record can be used in addition to the Priority value to provide a load-balancing mechanism where multiple servers are specified in the SRV records Target field and are all set to the same priority. The probability with which the DNS client randomly selects the target host to be contacted is proportional to the Weight field value in the SRV record. @@ -1845,12 +1877,7 @@ To specify the Weight in the DC Locator DNS SRV records, click Enabled, and then If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1871,28 +1898,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1909,19 +1942,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled. +This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled. By default, the maximum size of the log file is 20MB. If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified. If you disable or do not configure this policy setting, the default behavior occurs as indicated above. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1942,28 +1970,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1980,7 +2014,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should register the site-specific, application directory partition-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. +This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should register the site-specific, application directory partition-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. The application directory partition DC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the application directory partition-specific DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. 
@@ -1989,12 +2023,7 @@ To specify the sites covered by the DC Locator application directory partition-s If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2015,28 +2044,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2053,7 +2088,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC. +This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC. The default value for this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum value for this setting is 0. @@ -2061,12 +2096,7 @@ The default value for this setting is 45 seconds. The maximum value for this set > If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2087,28 +2117,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2125,7 +2161,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. +This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. If you enable this policy setting, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. @@ -2139,12 +2175,7 @@ By default, the Netlogon share will grant shared read access to files on the sha If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2165,28 +2196,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2203,17 +2240,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag. +This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag. The default value for this setting is 30 minutes (1800). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2234,28 +2266,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2272,7 +2310,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain controller (DC). +This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain controller (DC). When an environment has a large number of DCs running both old and new operating systems, the default DC locator discovery behavior may be insufficient to find DCs running a newer operating system. This policy setting can be enabled to configure DC locator to be more aggressive about trying to locate a DC in such an environment, by pinging DCs at a higher frequency. Enabling this setting may result in additional network traffic and increased load on DCs. You should disable this setting once all DCs are running the same OS version. @@ -2286,12 +2324,7 @@ To specify this behavior, click Enabled and then enter a value. The range of val If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2312,28 +2345,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2350,7 +2389,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the interval at which Netlogon performs the following scavenging operations: +This policy setting determines the interval at which Netlogon performs the following scavenging operations: - Checks if a password on a secure channel needs to be modified, and modifies it if necessary. @@ -2363,12 +2402,7 @@ None of these operations are critical. 15 minutes is optimal in all but extreme To enable the setting, click Enabled, and then specify the interval in seconds. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2389,28 +2423,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2427,7 +2467,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. +This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. The DC Locator DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. 
@@ -2436,12 +2476,7 @@ To specify the sites covered by the DC Locator DNS SRV records, click Enabled, a If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2462,28 +2497,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2500,7 +2541,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Active Directory site to which computers belong. +This policy setting specifies the Active Directory site to which computers belong. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. @@ -2509,12 +2550,7 @@ To specify the site name for this setting, click Enabled, and then enter the sit If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2535,28 +2571,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2573,7 +2615,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. +This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. When this setting is enabled, the SYSVOL share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. @@ -2587,12 +2629,7 @@ By default, the SYSVOL share will grant shared read access to files on the share If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2613,28 +2650,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2651,7 +2694,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site is not found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively. +This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site is not found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively. The DC Locator service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none are found in the same site, a DC in another site, which might be several site-hops away, could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A site is closer if it has a lower site link cost than another site with a higher site link cost. 
@@ -2662,12 +2705,7 @@ If you disable this policy setting, Try Next Closest Site DC Location will not b If you do not configure this policy setting, Try Next Closest Site DC Location will not be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2688,28 +2726,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2726,7 +2770,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. +This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. If you enable this policy setting, DCs to which this setting is applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections. @@ -2735,12 +2779,7 @@ If you disable this policy setting, DCs will not register DC Locator DNS resourc If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2753,7 +2792,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md index 42d74dc6ad..e0e2c1610b 100644 --- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_NetworkConnections -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -115,28 +119,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -153,7 +163,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators. +This policy setting determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Install and Uninstall buttons for components of connections are disabled, and administrators are not permitted to access network components in the Windows Components Wizard. @@ -171,12 +181,7 @@ The Install and Uninstall buttons appear in the properties dialog box for connec > Nonadministrators are already prohibited from adding and removing connection components, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -195,28 +200,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -233,7 +244,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators. +This policy setting determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators. The Advanced Settings item lets users view and change bindings and view and change the order in which the computer accesses connections, network providers, and print providers. @@ -247,12 +258,7 @@ If you disable this setting or do not configure it, the Advanced Settings item i > Nonadministrators are already prohibited from accessing the Advanced Settings dialog box, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -271,28 +277,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -309,7 +321,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can configure advanced TCP/IP settings. +This policy setting determines whether users can configure advanced TCP/IP settings. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box is disabled for all users (including administrators). As a result, users cannot open the Advanced TCP/IP Settings Properties page and modify IP settings, such as DNS and WINS server information. @@ -328,12 +340,7 @@ Changing this setting from Enabled to Not Configured does not enable the Advance > To open the Advanced TCP/IP Setting dialog box, in the Network Connections folder, right-click a connection icon, and click Properties. For remote access connections, click the Networking tab. In the "Components checked are used by this connection" box, click Internet Protocol (TCP/IP), click the Properties button, and then click the Advanced button. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -352,28 +359,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -390,7 +403,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting Determines whether administrators can enable and disable the components used by LAN connections. +This policy setting Determines whether administrators can enable and disable the components used by LAN connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the check boxes for enabling and disabling components are disabled. As a result, administrators cannot enable or disable the components that a connection uses. @@ -404,12 +417,7 @@ If you disable this setting or do not configure it, the Properties dialog box fo > Nonadministrators are already prohibited from enabling or disabling components for a LAN connection, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -428,28 +436,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -466,7 +480,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can delete all user remote access connections. +This policy setting determines whether users can delete all user remote access connections. To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. @@ -486,12 +500,7 @@ When enabled, the "Prohibit deletion of remote access connections" setting takes > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -510,28 +519,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -548,7 +563,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can delete remote access connections. +This policy setting determines whether users can delete remote access connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete any remote access connections. This setting also disables the Delete option on the context menu for a remote access connection and on the File menu in the Network Connections folder. @@ -566,12 +581,7 @@ When enabled, this setting takes precedence over the "Ability to delete all user > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -590,28 +600,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -628,7 +644,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Remote Access Preferences item on the Advanced menu in Network Connections folder is enabled. +This policy setting determines whether the Remote Access Preferences item on the Advanced menu in Network Connections folder is enabled. The Remote Access Preferences item lets users create and change connections before logon and configure automatic dialing and callback features. @@ -639,12 +655,7 @@ If the "Enable Network Connections settings for Administrators" is disabled or n If you disable this setting or do not configure it, the Remote Access Preferences item is enabled for all users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -663,28 +674,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -701,19 +718,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether or not the "local access only" network icon will be shown. +This policy setting specifies whether or not the "local access only" network icon will be shown. When enabled, the icon for Internet access will be shown in the system tray even when a user is connected to a network with local access only. If you disable this setting or do not configure it, the "local access only" icon will be used when a user is connected to a network with local access only. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -732,28 +744,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -770,26 +788,20 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether settings that existed in Windows 2000 Server family will apply to Administrators. +This policy setting determines whether settings that existed in Windows 2000 Server family will apply to Administrators. The set of Network Connections group settings that existed in Windows 2000 Professional also exists in Windows XP Professional. In Windows 2000 Professional, all of these settings had the ability to prohibit the use of certain features from Administrators. -By default, Network Connections group settings in Windows XP Professional do not have the ability to prohibit the use of features from Administrators. +By default, Network Connections group settings in Windows do not have the ability to prohibit the use of features from Administrators. -If you enable this setting, the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certain features. 
These settings are "Ability to rename LAN connections or remote access connections available to all users", "Prohibit access to properties of components of a LAN connection", "Prohibit access to properties of components of a remote access connection", "Ability to access TCP/IP advanced configuration", "Prohibit access to the Advanced Settings Item on the Advanced Menu", "Prohibit adding and removing components for a LAN or remote access connection", "Prohibit access to properties of a LAN connection", "Prohibit Enabling/Disabling components of a LAN connection", "Ability to change properties of an all user remote access connection", "Prohibit changing properties of a private remote access connection", "Prohibit deletion of remote access connections", "Ability to delete all user remote access connections", "Prohibit connecting and disconnecting a remote access connection", "Ability to Enable/Disable a LAN connection", "Prohibit access to the New Connection Wizard", "Prohibit renaming private remote access connections", "Prohibit access to the Remote Access Preferences item on the Advanced menu", "Prohibit viewing of status for an active connection". When this setting is enabled, settings that exist in both Windows 2000 Professional and Windows XP Professional behave the same for administrators. +If you enable this setting, the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certain features. 
These settings are "Ability to rename LAN connections or remote access connections available to all users", "Prohibit access to properties of components of a LAN connection", "Prohibit access to properties of components of a remote access connection", "Ability to access TCP/IP advanced configuration", "Prohibit access to the Advanced Settings Item on the Advanced Menu", "Prohibit adding and removing components for a LAN or remote access connection", "Prohibit access to properties of a LAN connection", "Prohibit Enabling/Disabling components of a LAN connection", "Ability to change properties of an all user remote access connection", "Prohibit changing properties of a private remote access connection", "Prohibit deletion of remote access connections", "Ability to delete all user remote access connections", "Prohibit connecting and disconnecting a remote access connection", "Ability to Enable/Disable a LAN connection", "Prohibit access to the New Connection Wizard", "Prohibit renaming private remote access connections", "Prohibit access to the Remote Access Preferences item on the Advanced menu", "Prohibit viewing of status for an active connection". When this setting is enabled, settings that exist in both Windows 2000 Professional and Windows behave the same for administrators. + +If you disable this setting or do not configure it, Windows settings that existed in Windows 2000 will not apply to administrators. -If you disable this setting or do not configure it, Windows XP settings that existed in Windows 2000 will not apply to administrators. -> [!NOTE] -> This setting is intended to be used in a situation in which the Group Policy object that these settings are being applied to contains both Windows 2000 Professional and Windows XP Professional computers, and identical Network Connections policy behavior is required between all Windows 2000 Professional and Windows XP Professional computers. 
-> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -808,28 +820,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -846,7 +864,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly. +This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly. When a remote client computer connects to an internal network using DirectAccess, it can access the Internet in two ways: through the secure tunnel that DirectAccess establishes between the computer and the internal network, or directly through the local default gateway. @@ -857,12 +875,7 @@ If you disable this policy setting, traffic between remote client computers runn If you do not configure this policy setting, traffic between remote client computers running DirectAccess and the Internet is not routed through the internal network. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -881,28 +894,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -919,19 +938,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is unable to retrieve an IP address from a DHCP server. This is often signified by the assignment of an automatic private IP address"(i.e. an IP address in the range 169.254.*.*). This indicates that a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By default, a notification is displayed providing the user with information on how the problem can be resolved. +This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is unable to retrieve an IP address from a DHCP server. This is often signified by the assignment of an automatic private IP address"(i.e. an IP address in the range 169.254.*.*). This indicates that a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By default, a notification is displayed providing the user with information on how the problem can be resolved. If you enable this policy setting, this condition will not be reported as an error to the user. If you disable or do not configure this policy setting, a DHCP-configured connection that has not been assigned an IP address will be reported via a notification, providing the user with information as to how the problem can be resolved. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
-> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -950,28 +964,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -988,7 +1008,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Administrators and Network Configuration Operators can change the properties of components used by a LAN connection. +This policy setting determines whether Administrators and Network Configuration Operators can change the properties of components used by a LAN connection. This setting determines whether the Properties button for components of a LAN connection is enabled. @@ -1010,12 +1030,7 @@ The Local Area Connection Properties dialog box includes a list of the network c > Nonadministrators are already prohibited from accessing properties of components for a LAN connection, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1034,28 +1049,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1072,7 +1093,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can enable/disable LAN connections. +This policy setting determines whether users can enable/disable LAN connections. If you enable this setting, the Enable and Disable options for LAN connections are available to users (including nonadministrators). Users can enable/disable a LAN connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. @@ -1086,12 +1107,7 @@ If you do not configure this setting, only Administrators and Network Configurat > Administrators can still enable/disable LAN connections from Device Manager when this setting is disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1110,28 +1126,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1148,7 +1170,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can change the properties of a LAN connection. +This policy setting determines whether users can change the properties of a LAN connection. This setting determines whether the Properties menu item is enabled, and thus, whether the Local Area Connection Properties dialog box is available to users. @@ -1164,12 +1186,7 @@ If you disable this setting or do not configure it, a Properties menu item appea > Nonadministrators have the right to view the properties dialog box for a connection but not to make changes, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1188,28 +1205,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1226,7 +1249,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can use the New Connection Wizard, which creates new network connections. +This policy setting determines whether users can use the New Connection Wizard, which creates new network connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Make New Connection icon does not appear in the Start Menu on in the Network Connections folder. As a result, users (including administrators) cannot start the New Connection Wizard. @@ -1240,12 +1263,7 @@ If you disable this setting or do not configure it, the Make New Connection icon > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1264,28 +1282,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1302,7 +1326,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits use of Internet Connection Firewall on your DNS domain network. +This policy setting prohibits use of Internet Connection Firewall on your DNS domain network. Determines whether users can enable the Internet Connection Firewall feature on a connection, and if the Internet Connection Firewall service can run on a computer. @@ -1318,12 +1342,7 @@ If you enable the "Windows Firewall: Protect all network connections" policy set If you disable this setting or do not configure it, the Internet Connection Firewall is disabled when a LAN Connection or VPN connection is created, but users can use the Advanced tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Internet Connection Sharing is enabled. In addition, remote access connections created through the Make New Connection Wizard have the Internet Connection Firewall enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1342,28 +1361,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1380,7 +1405,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether a user can view and change the properties of remote access connections that are available to all users of the computer. +This policy setting determines whether a user can view and change the properties of remote access connections that are available to all users of the computer. To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. @@ -1400,12 +1425,7 @@ If you do not configure this setting, only Administrators and Network Configurat > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1424,28 +1444,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1462,7 +1488,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view and change the properties of components used by a private or all-user remote access connection. +This policy setting determines whether users can view and change the properties of components used by a private or all-user remote access connection. This setting determines whether the Properties button for components used by a private or all-user remote access connection is enabled. @@ -1474,7 +1500,7 @@ If you disable this setting or do not configure it, the Properties button is ena The Networking tab of the Remote Access Connection Properties dialog box includes a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click the Properties button beneath the component list. -> [NOTE] +> [!NOTE] > Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled. > > When the "Ability to change properties of an all user remote access connection" or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Remote Access Connection Properties dialog box, the Properties button for remote access connection components is blocked. 
@@ -1482,12 +1508,7 @@ The Networking tab of the Remote Access Connection Properties dialog box include > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1506,28 +1527,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1544,7 +1571,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can connect and disconnect remote access connections. +This policy setting determines whether users can connect and disconnect remote access connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Connect and Disconnect menu items are disabled for all users (including administrators). @@ -1553,12 +1580,7 @@ If the "Enable Network Connections settings for Administrators" is disabled or n If you disable this setting or do not configure it, the Connect and Disconnect options for remote access connections are available to all users. Users can connect or disconnect a remote access connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1577,28 +1599,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1615,7 +1643,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view and change the properties of their private remote access connections. +This policy setting determines whether users can view and change the properties of their private remote access connections. Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. @@ -1633,12 +1661,7 @@ If you disable this setting or do not configure it, a Properties menu item appea > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1657,28 +1680,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1695,7 +1724,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether nonadministrators can rename all-user remote access connections. +This policy setting determines whether nonadministrators can rename all-user remote access connections. To create an all-user connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. @@ -1713,12 +1742,7 @@ When the "Ability to rename LAN connections or remote access connections availab This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1737,28 +1761,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1775,7 +1805,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting Determines whether users can rename LAN or all user remote access connections. +This policy setting Determines whether users can rename LAN or all user remote access connections. If you enable this setting, the Rename option is enabled for all users. Users can rename connections by clicking the icon representing a connection or by using the File menu. @@ -1791,12 +1821,7 @@ If this setting is not configured, only Administrators and Network Configuration > This setting does not prevent users from using other programs, such as Internet Explorer, to rename remote access connections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1815,28 +1840,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1853,7 +1884,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether nonadministrators can rename a LAN connection. +This policy setting determines whether nonadministrators can rename a LAN connection. If you enable this setting, the Rename option is enabled for LAN connections. Nonadministrators can rename LAN connections by clicking an icon representing the connection or by using the File menu. @@ -1867,12 +1898,7 @@ If you do not configure this setting, only Administrators and Network Configurat When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either enabled or disabled), this setting does not apply. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1891,28 +1917,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1929,7 +1961,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can rename their private remote access connections. +This policy setting determines whether users can rename their private remote access connections. Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. @@ -1943,12 +1975,7 @@ If you disable this setting or do not configure it, the Rename option is enabled > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1967,28 +1994,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -2005,13 +2038,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. +This policy setting determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network. If you enable this setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled. -If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.) +If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. 
When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS. @@ -2025,12 +2058,7 @@ Nonadministrators are already prohibited from configuring Internet Connection Sh Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP services. To prevent the ICS service from running, on the Network Permissions tab in the network's policy properties, select the "Don't use hosted networks" check box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2049,28 +2077,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2087,7 +2121,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view the status for an active connection. +This policy setting determines whether users can view the status for an active connection. Connection status is available from the connection status taskbar icon or from the Status dialog box. The Status dialog box displays information about the connection and its activity. It also provides buttons to disconnect and to configure the properties of the connection. @@ -2098,12 +2132,7 @@ If the "Enable Network Connections settings for Administrators" is disabled or n If you disable this setting or do not configure it, the connection status taskbar icon and Status dialog box are available to all users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2122,28 +2151,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2160,19 +2195,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether to require domain users to elevate when setting a network's location. +This policy setting determines whether to require domain users to elevate when setting a network's location. If you enable this policy setting, domain users must elevate when setting a network's location. If you disable or do not configure this policy setting, domain users can set a network's location without elevating. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2185,6 +2215,5 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md index fa64224da3..27a8bd6ae6 100644 --- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md +++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_OfflineFiles -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -171,28 +175,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -209,7 +219,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting makes subfolders available offline whenever their parent folder is made available offline. +This policy setting makes subfolders available offline whenever their parent folder is made available offline. This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users do not have the option of excluding subfolders. @@ -218,12 +228,7 @@ If you enable this setting, when you make a folder available offline, all folder If you disable this setting or do not configure it, the system asks users whether they want subfolders to be made available offline when they make a parent folder available offline. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -242,28 +247,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -280,7 +291,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. +This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -292,12 +303,7 @@ If you do not configure this policy setting, no files or folders are made availa > This setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings will be combined and all specified files will be available for offline use. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -316,28 +322,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -354,7 +366,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. +This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -366,12 +378,7 @@ If you do not configure this policy setting, no files or folders are made availa > This setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings will be combined and all specified files will be available for offline use. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -390,28 +397,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -428,7 +441,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls when background synchronization occurs while operating in slow-link mode, and applies to any user who logs onto the specified machine while this policy is in effect. To control slow-link mode, use the "Configure slow-link mode" policy setting. +This policy setting controls when background synchronization occurs while operating in slow-link mode, and applies to any user who logs onto the specified machine while this policy is in effect. To control slow-link mode, use the "Configure slow-link mode" policy setting. If you enable this policy setting, you can control when Windows synchronizes in the background while operating in slow-link mode. Use the 'Sync Interval' and 'Sync Variance' values to override the default sync interval and variance settings. Use 'Blockout Start Time' and 'Blockout Duration' to set a period of time where background sync is disabled. Use the 'Maximum Allowed Time Without A Sync' value to ensure that all network folders on the machine are synchronized with the server on a regular basis. 
@@ -437,12 +450,7 @@ You can also configure Background Sync for network shares that are in user selec If you disable or do not configure this policy setting, Windows performs a background sync of offline folders in the slow-link mode at a default interval with the start of the sync varying between 0 and 60 additional minutes. In Windows 7 and Windows Server 2008 R2, the default sync interval is 360 minutes. In Windows 8 and Windows Server 2012, the default sync interval is 120 minutes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -461,28 +469,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -499,7 +513,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the amount of disk space that can be used to store offline files. This includes the space used by automatically cached files and files that are specifically made available offline. Files can be automatically cached if the user accesses a file on an automatic caching network share. +This policy setting limits the amount of disk space that can be used to store offline files. This includes the space used by automatically cached files and files that are specifically made available offline. Files can be automatically cached if the user accesses a file on an automatic caching network share. This setting also disables the ability to adjust, through the Offline Files control panel applet, the disk space limits on the Offline Files cache. This prevents users from trying to change the option while a policy setting controls it. @@ -518,12 +532,7 @@ If you enable this setting and specify an auto-cached space limit greater than t This setting replaces the Default Cache Size setting used by pre-Windows Vista systems. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -542,28 +551,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -580,7 +595,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -602,12 +617,7 @@ This setting appears in the Computer Configuration and User Configuration folder Also, see the "Non-default server disconnect actions" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -626,28 +636,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -664,7 +680,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -686,12 +702,7 @@ This setting appears in the Computer Configuration and User Configuration folder Also, see the "Non-default server disconnect actions" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -710,28 +721,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -748,7 +765,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Limits the percentage of the computer's disk space that can be used to store automatically cached offline files. +Limits the percentage of the computer's disk space that can be used to store automatically cached offline files. This setting also disables the "Amount of disk space to use for temporary offline files" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -766,12 +783,7 @@ If you do not configure this setting, disk space for automatically cached files > To change the amount of disk space used for automatic caching without specifying a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then use the slider bar associated with the "Amount of disk space to use for temporary offline files" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -790,28 +802,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -828,7 +846,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build.This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's computer for use when the computer is not connected to the network. +This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's computer for use when the computer is not connected to the network. If you enable this policy setting, Offline Files is enabled and users cannot disable it. @@ -840,12 +858,7 @@ If you do not configure this policy setting, Offline Files is enabled on Windows > Changes to this policy setting do not take effect until the affected computer is restarted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -864,28 +877,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -902,7 +921,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are encrypted. +This policy setting determines whether offline files are encrypted. Offline files are locally cached copies of files from a network share. Encrypting this cache reduces the likelihood that a user could access files from the Offline Files cache without proper permissions. @@ -917,12 +936,7 @@ If you do not configure this policy setting, encryption of the Offline Files cac This setting is applied at user logon. If this setting is changed after user logon then user logoff and logon is required for this setting to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -941,28 +955,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -979,7 +999,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines which events the Offline Files feature records in the event log. +This policy setting determines which events the Offline Files feature records in the event log. Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record. @@ -997,12 +1017,7 @@ To use this setting, in the "Enter" box, select the number corresponding to the > This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1021,28 +1036,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1059,7 +1080,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines which events the Offline Files feature records in the event log. +This policy setting determines which events the Offline Files feature records in the event log. Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record. @@ -1077,12 +1098,7 @@ To use this setting, in the "Enter" box, select the number corresponding to the > This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1101,28 +1117,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1139,19 +1161,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables administrators to block certain file types from being created in the folders that have been made available offline. +This policy setting enables administrators to block certain file types from being created in the folders that have been made available offline. If you enable this policy setting, a user will be unable to create files with the specified file extensions in any of the folders that have been made available offline. If you disable or do not configure this policy setting, a user can create a file of any type in the folders that have been made available offline. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1170,28 +1187,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1208,7 +1231,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Lists types of files that cannot be used offline. +Lists types of files that cannot be used offline. This setting lets you exclude certain types of files from automatic and manual caching for offline use. The system does not cache files of the type specified in this setting even when they reside on a network share configured for automatic caching. Also, if users try to make a file of this type available offline, the operation will fail and the following message will be displayed in the Synchronization Manager progress dialog box: "Files of this type cannot be made available offline." @@ -1220,12 +1243,7 @@ To use this setting, type the file name extension in the "Extensions" box. To ty > To make changes to this setting effective, you must log off and log on again. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1244,28 +1262,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1282,7 +1306,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -1304,12 +1328,7 @@ This setting appears in the Computer Configuration and User Configuration folder Also, see the "Non-default server disconnect actions" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1328,28 +1347,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1366,7 +1391,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -1388,12 +1413,7 @@ This setting appears in the Computer Configuration and User Configuration folder Also, see the "Non-default server disconnect actions" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1412,28 +1432,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1450,7 +1476,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting disables the Offline Files folder. +This policy setting disables the Offline Files folder. This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location. @@ -1462,12 +1488,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1486,28 +1507,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1524,7 +1551,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting disables the Offline Files folder. +This policy setting disables the Offline Files folder. This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location. @@ -1536,12 +1563,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1560,28 +1582,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1598,7 +1626,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. +This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box. @@ -1610,12 +1638,7 @@ This setting appears in the Computer Configuration and User Configuration folder > This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not have to disable any other settings in this folder. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1634,28 +1657,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1672,7 +1701,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. +This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box. @@ -1684,12 +1713,7 @@ This setting appears in the Computer Configuration and User Configuration folder > This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not have to disable any other settings in this folder. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1708,28 +1732,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1746,7 +1776,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from making network files and folders available offline. +This policy setting prevents users from making network files and folders available offline. If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. @@ -1757,12 +1787,7 @@ If you disable or do not configure this policy setting, users can manually speci > - The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1781,28 +1806,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1819,7 +1850,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from making network files and folders available offline. +This policy setting prevents users from making network files and folders available offline. If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. @@ -1830,12 +1861,7 @@ If you disable or do not configure this policy setting, users can manually speci > - The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1854,28 +1880,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1892,7 +1924,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. +This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -1907,12 +1939,7 @@ If you do not configure this policy setting, the "Make Available Offline" comman > - If the "Remove 'Make Available Offline' command" policy setting is enabled, this setting has no effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1931,28 +1958,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1969,7 +2002,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. +This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -1984,12 +2017,7 @@ If you do not configure this policy setting, the "Make Available Offline" comman > - If the "Remove 'Make Available Offline' command" policy setting is enabled, this setting has no effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2008,28 +2036,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2046,7 +2080,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Hides or displays reminder balloons, and prevents users from changing the setting. +Hides or displays reminder balloons, and prevents users from changing the setting. Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. @@ -2064,12 +2098,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Enable reminders" check box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2088,28 +2117,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2126,7 +2161,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Hides or displays reminder balloons, and prevents users from changing the setting. +Hides or displays reminder balloons, and prevents users from changing the setting. Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. @@ -2144,12 +2179,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Enable reminders" check box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2168,28 +2198,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2206,7 +2242,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached, Windows reads from the cached copy after verifying its integrity. This improves end-user response times and decreases bandwidth consumption over WAN links. +This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached, Windows reads from the cached copy after verifying its integrity. This improves end-user response times and decreases bandwidth consumption over WAN links. The cached files are temporary and are not available to the user when offline. The cached files are not kept in sync with the version on the server, and the most current version from the server is always available for subsequent reads. 
@@ -2217,12 +2253,7 @@ If you enable this policy setting, transparent caching is enabled and configurab If you disable or do not configure this policy setting, remote files will be not be transparently cached on client computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2241,28 +2272,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2279,7 +2316,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting makes subfolders available offline whenever their parent folder is made available offline. +This policy setting makes subfolders available offline whenever their parent folder is made available offline. This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users do not have the option of excluding subfolders. @@ -2288,12 +2325,7 @@ If you enable this setting, when you make a folder available offline, all folder If you disable this setting or do not configure it, the system asks users whether they want subfolders to be made available offline when they make a parent folder available offline. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2312,28 +2344,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2350,7 +2388,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting deletes local copies of the user's offline files when the user logs off. +This policy setting deletes local copies of the user's offline files when the user logs off. This setting specifies that automatically and manually cached offline files are retained only while the user is logged on to the computer. When the user logs off, the system deletes all local copies of offline files. @@ -2360,12 +2398,7 @@ If you disable this setting or do not configure it, automatically and manually c > Files are not synchronized before they are deleted. Any changes to local files since the last synchronization are lost. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2384,28 +2417,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2422,19 +2461,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on economical application of administratively assigned Offline Files. +This policy setting allows you to turn on economical application of administratively assigned Offline Files. If you enable or do not configure this policy setting, only new files and folders in administratively assigned folders are synchronized at logon. Files and folders that are already available offline are skipped and are synchronized later. If you disable this policy setting, all administratively assigned folders are synchronized at logon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2453,28 +2487,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2491,7 +2531,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how often reminder balloon updates appear. +This policy setting determines how often reminder balloon updates appear. If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. @@ -2503,12 +2543,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2527,28 +2562,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2565,7 +2606,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how often reminder balloon updates appear. +This policy setting determines how often reminder balloon updates appear. If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. @@ -2577,12 +2618,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2601,28 +2637,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2639,19 +2681,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long the first reminder balloon for a network status change is displayed. +This policy setting determines how long the first reminder balloon for a network status change is displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2670,28 +2707,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2708,19 +2751,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long the first reminder balloon for a network status change is displayed. +This policy setting determines how long the first reminder balloon for a network status change is displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2739,28 +2777,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2777,19 +2821,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long updated reminder balloons are displayed. +This policy setting determines how long updated reminder balloons are displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2808,28 +2847,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2846,19 +2891,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long updated reminder balloons are displayed. +This policy setting determines how long updated reminder balloons are displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2877,28 +2917,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2915,7 +2961,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the network latency and throughput thresholds that will cause a client computers to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data is not degraded due to network slowness. When Offline Files is operating in the slow-link mode, all network file requests are satisfied from the Offline Files cache. This is similar to a user working offline. +This policy setting controls the network latency and throughput thresholds that will cause a client computers to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data is not degraded due to network slowness. When Offline Files is operating in the slow-link mode, all network file requests are satisfied from the Offline Files cache. This is similar to a user working offline. If you enable this policy setting, Offline Files uses the slow-link mode if the network throughput between the client and the server is below (slower than) the Throughput threshold parameter, or if the round-trip network latency is above (slower than) the Latency threshold parameter. 
@@ -2932,12 +2978,7 @@ In Windows 8 or Windows Server 2012, set the Latency threshold to 1ms to keep us If you disable this policy setting, computers will not use the slow-link mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2956,28 +2997,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2994,7 +3041,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below this value is considered to be slow. +This policy setting configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below this value is considered to be slow. When a connection is considered slow, Offline Files automatically adjust its behavior to avoid excessive synchronization traffic and will not automatically reconnect to a server when the presence of a server is detected. @@ -3006,12 +3053,6 @@ If this setting is disabled or not configured, the default threshold value of 64 > Use the following formula when entering the slow link value: [ bps / 100]. For example, if you want to set a threshold value of 128,000 bps, enter a value of 1280. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3030,28 +3071,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3068,7 +3115,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log off. +This policy setting determines whether offline files are fully synchronized when users log off. This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3084,12 +3131,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To change the synchronization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging off" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3108,28 +3150,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3146,7 +3194,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log off. +This policy setting determines whether offline files are fully synchronized when users log off. This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3162,12 +3210,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To change the synchronization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging off" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3186,28 +3229,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3224,7 +3273,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log on. +This policy setting determines whether offline files are fully synchronized when users log on. This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3240,12 +3289,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To change the synchronization method without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging on" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3266,28 +3310,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3304,7 +3354,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log on. +This policy setting determines whether offline files are fully synchronized when users log on. This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3320,12 +3370,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To change the synchronization method without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging on" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3344,28 +3389,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3382,7 +3433,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized before a computer is suspended. +This policy setting determines whether offline files are synchronized before a computer is suspended. If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. @@ -3392,12 +3443,7 @@ If you disable or do not configuring this setting, files are not synchronized wh > If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3416,28 +3462,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3454,7 +3506,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized before a computer is suspended. +This policy setting determines whether offline files are synchronized before a computer is suspended. If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. @@ -3464,12 +3516,7 @@ If you disable or do not configuring this setting, files are not synchronized wh > If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3488,28 +3535,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3526,19 +3579,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone or broadband plans. +This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone or broadband plans. If you enable this setting, synchronization can occur in the background when the user's network is roaming, near, or over the plan's data limit. This may result in extra charges on cell phone or broadband plans. If this setting is disabled or not configured, synchronization will not run in the background on network folders when the user's network is roaming, near, or over the plan's data limit. The network folder must also be in "slow-link" mode, as specified by the "Configure slow-link mode" policy to avoid network usage. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3557,28 +3605,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3595,19 +3649,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. +This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. If you enable this policy setting, the "Work offline" command is not displayed in File Explorer. If you disable or do not configure this policy setting, the "Work offline" command is displayed in File Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3626,28 +3675,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3664,19 +3719,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. +This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. If you enable this policy setting, the "Work offline" command is not displayed in File Explorer. If you disable or do not configure this policy setting, the "Work offline" command is displayed in File Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3689,8 +3739,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-pca.md b/windows/client-management/mdm/policy-csp-admx-pca.md new file mode 100644 index 0000000000..1ec34c4edd --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-pca.md @@ -0,0 +1,539 @@ +--- +title: Policy CSP - ADMX_pca +description: Policy CSP - ADMX_pca +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/20/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_pca + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
                  + + +## ADMX_pca policies + +
                  +
                  + ADMX_pca/DetectDeprecatedCOMComponentFailuresPolicy +
                  +
                  + ADMX_pca/DetectDeprecatedComponentFailuresPolicy +
                  +
                  + ADMX_pca/DetectInstallFailuresPolicy +
                  +
                  + ADMX_pca/DetectUndetectedInstallersPolicy +
                  +
                  + ADMX_pca/DetectUpdateFailuresPolicy +
                  +
                  + ADMX_pca/DisablePcaUIPolicy +
                  +
                  + ADMX_pca/DetectBlockedDriversPolicy +
                  +
                  + + +
                  + + +**ADMX_pca/DetectDeprecatedCOMComponentFailuresPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with application and driver compatibility. + +- If you enable this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. When failures are detected, the PCA will provide options to run the application in a compatibility mode or get help online through a Microsoft website. +- If you disable this policy setting, the PCA does not detect compatibility issues for applications and drivers. + +If you do not configure this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. + +> [!NOTE] +> This policy setting has no effect if the "Turn off Program Compatibility Assistant" policy setting is enabled. + +The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. + + + + + +ADMX Info: +- GP Friendly name: *Detect compatibility issues for applications and drivers* +- GP name: *DetectDeprecatedCOMComponentFailuresPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* +- GP ADMX file name: *pca.admx* + + + +
                  + +**ADMX_pca/DetectDeprecatedComponentFailuresPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. + +To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative +Templates\Windows Components\Application Compatibility. + + + + + +ADMX Info: +- GP Friendly name: *Detect application install failures* +- GP name: *DetectDeprecatedComponentFailuresPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* +- GP ADMX file name: *pca.admx* + + + + +
                  + +**ADMX_pca/DetectInstallFailuresPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + +ADMX Info: +- GP Friendly name: *Detect applications unable to launch installers under UAC* +- GP name: *DetectInstallFailuresPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* +- GP ADMX file name: *pca.admx* + + + +
                  + +**ADMX_pca/DetectUndetectedInstallersPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + +ADMX Info: +- GP Friendly name: *Detect application failures caused by deprecated Windows DLLs* +- GP name: *DetectUndetectedInstallersPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* +- GP ADMX file name: *pca.admx* + + + +
                  + +**ADMX_pca/DetectUpdateFailuresPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. +To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + +ADMX Info: +- GP Friendly name: *Detect application failures caused by deprecated COM objects* +- GP name: *DetectUpdateFailuresPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* +- GP ADMX file name: *pca.admx* + + + +
                  + +**ADMX_pca/DisablePcaUIPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. +To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + +ADMX Info: +- GP Friendly name: *Detect application installers that need to be run as administrator* +- GP name: *DisablePcaUIPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* +- GP ADMX file name: *pca.admx* + + + +
                  + +**ADMX_pca/DetectBlockedDriversPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. +To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + +ADMX Info: +- GP Friendly name: *Notify blocked drivers* +- GP name: *DetectBlockedDriversPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* +- GP ADMX file name: *pca.admx* + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md index 790bed78ed..e3e5caf8a1 100644 --- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md +++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_PeerToPeerCaching -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -59,28 +63,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -97,7 +107,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache mode clients. To do so, configure one of the following the policy settings: +This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache mode clients. To do so, configure one of the following the policy settings: - Set BranchCache Distributed Cache mode - Set BranchCache Hosted Cache mode @@ -115,12 +125,7 @@ Select one of the following: > This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -139,28 +144,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -177,7 +188,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache distributed cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. +This policy setting specifies whether BranchCache distributed cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. In distributed cache mode, client computers download content from BranchCache-enabled main office content servers, cache the content locally, and serve the content to other BranchCache distributed cache mode clients in the branch office. @@ -193,12 +204,7 @@ Select one of the following: > This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -217,28 +223,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -255,7 +267,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. +This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. When a client computer is configured as a hosted cache mode client, it is able to download cached content from a hosted cache server that is located at the branch office. In addition, when the hosted cache client obtains content from a content server, the client can upload the content to the hosted cache server for access by other hosted cache clients at the branch office. @@ -277,12 +289,7 @@ Hosted cache clients must trust the server certificate that is issued to the hos > This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -301,28 +308,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -339,7 +352,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies. +This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies. If you enable this policy setting in addition to the "Turn on BranchCache" policy setting, BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache servers, hosted cache mode is turned on. If they do not detect hosted cache servers, hosted cache mode is not turned on, and the client uses any other configuration that is specified manually or by Group Policy. 
@@ -364,12 +377,7 @@ Select one of the following: - Disabled. With this selection, this policy is not applied to client computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -388,28 +396,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -426,7 +440,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office. +This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office. If you enable this policy setting and specify valid computer names of hosted cache servers, hosted cache mode is enabled for all client computers to which the policy setting is applied. For this policy setting to take effect, you must also enable the "Turn on BranchCache" policy setting. 
@@ -447,12 +461,7 @@ In circumstances where this setting is enabled, you can also select and configur - Hosted cache servers. To add hosted cache server computer names to this policy setting, click Enabled, and then click Show. The Show Contents dialog box opens. Click Value, and then type the computer names of the hosted cache servers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -471,28 +480,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -509,7 +524,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients do not cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers. +This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients do not cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers. Policy configuration 
@@ -524,12 +539,7 @@ In circumstances where this policy setting is enabled, you can also select and c - Type the maximum round trip network latency (milliseconds) after which caching begins. Specifies the amount of time, in milliseconds, after which BranchCache client computers begin to cache content locally. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -548,28 +558,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -586,7 +602,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on client computers. +This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on client computers. If you enable this policy setting, you can configure the percentage of total disk space to allocate for the cache. @@ -608,12 +624,7 @@ In circumstances where this setting is enabled, you can also select and configur > This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -632,28 +643,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -670,7 +687,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers. +This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers. If you enable this policy setting, you can configure the age for segments in the data cache. @@ -689,12 +706,7 @@ In circumstances where this setting is enabled, you can also select and configur - Specify the age in days for which segments in the data cache are valid. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -713,28 +725,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -751,7 +769,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats. +This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats. If you enable this policy setting, all clients use the version of BranchCache that you specify in "Select from the following versions." @@ -773,12 +791,7 @@ Select from the following versions - Windows 8. If you select this version, Windows 8 will run the version of BranchCache that is included in the operating system. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -791,7 +804,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-pentraining.md b/windows/client-management/mdm/policy-csp-admx-pentraining.md new file mode 100644 index 0000000000..83f6c2e71a --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-pentraining.md @@ -0,0 +1,181 @@ +--- +title: Policy CSP - ADMX_PenTraining +description: Policy CSP - ADMX_PenTraining +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/22/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_PenTraining + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
                  + + +## ADMX_PenTraining policies + +
                  +
                  + ADMX_PenTraining/PenTrainingOff_1 +
                  +
                  + ADMX_PenTraining/PenTrainingOff_2 +
                  +
                  + +
                  + + +**ADMX_PenTraining/PenTrainingOff_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
                  + + + +Turns off Tablet PC Pen Training. + +- If you enable this policy setting, users cannot open Tablet PC Pen Training. + +- If you disable or do not configure this policy setting, users can open Tablet PC Pen Training. + + + + + +ADMX Info: +- GP Friendly name: *Turn off Tablet PC Pen Training* +- GP name: *PenTrainingOff_1* +- GP path: *Windows Components\Tablet PC\Tablet PC Pen Training* +- GP ADMX file name: *PenTraining.admx* + + + +
                  + + +**ADMX_PenTraining/PenTrainingOff_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
                  + + + +Turns off Tablet PC Pen Training. + +- If you enable this policy setting, users cannot open Tablet PC Pen Training. + +- If you disable or do not configure this policy setting, users can open Tablet PC Pen Training. + + + + + +ADMX Info: +- GP Friendly name: *Turn off Tablet PC Pen Training* +- GP name: *PenTrainingOff_2* +- GP path: *Windows Components\Tablet PC\Tablet PC Pen Training* +- GP ADMX file name: *PenTraining.admx* + + + +
                  + + + diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md index cd77c701e3..c0586ccf19 100644 --- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md +++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_PerformanceDiagnostics -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -45,28 +49,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -83,7 +93,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the execution level for Windows Boot Performance Diagnostics. +This policy setting determines the execution level for Windows Boot Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Boot Performance problems and indicate to the user that assisted resolution is available. @@ -98,12 +108,7 @@ No system restart or service restart is required for this policy to take effect: This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -122,28 +127,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -160,7 +171,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines the execution level for Windows Standby/Resume Performance Diagnostics. +Determines the execution level for Windows Standby/Resume Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available. @@ -175,12 +186,7 @@ No system restart or service restart is required for this policy to take effect: This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -199,28 +205,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -237,7 +249,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the execution level for Windows Shutdown Performance Diagnostics. +This policy setting determines the execution level for Windows Shutdown Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Shutdown Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Shutdown Performance problems and indicate to the user that assisted resolution is available. @@ -252,12 +264,7 @@ No system restart or service restart is required for this policy to take effect: This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -276,28 +283,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -314,7 +327,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines the execution level for Windows Standby/Resume Performance Diagnostics. +Determines the execution level for Windows Standby/Resume Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available. @@ -329,12 +342,7 @@ No system restart or service restart is required for this policy to take effect: This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -347,8 +355,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md index 17087dd1d9..46c9adf221 100644 --- a/windows/client-management/mdm/policy-csp-admx-power.md +++ b/windows/client-management/mdm/policy-csp-admx-power.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Power -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -108,28 +112,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -146,7 +156,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. +This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. If you enable this policy setting, network connectivity will be maintained in standby. @@ -155,12 +165,7 @@ If you disable this policy setting, network connectivity in standby is not guara If you do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -179,28 +184,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -217,19 +228,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. +This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -248,28 +254,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -286,7 +298,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. +This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. If you enable this policy setting, select one of the following actions: @@ -297,12 +309,7 @@ If you enable this policy setting, select one of the following actions: If you disable this policy or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -321,28 +328,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -359,19 +372,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows applications and services to prevent automatic sleep. +This policy setting allows applications and services to prevent automatic sleep. If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -390,28 +398,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -428,19 +442,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows applications and services to prevent automatic sleep. +This policy setting allows applications and services to prevent automatic sleep. If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -459,28 +468,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -497,19 +512,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage automatic sleep with open network files. +This policy setting allows you to manage automatic sleep with open network files. If you enable this policy setting, the computer automatically sleeps when network files are open. If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -528,28 +538,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -566,19 +582,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage automatic sleep with open network files. +This policy setting allows you to manage automatic sleep with open network files. If you enable this policy setting, the computer automatically sleeps when network files are open. If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -597,28 +608,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -635,19 +652,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the active power plan from a specified power plan’s GUID. The GUID for a custom power plan GUID can be retrieved by using powercfg, the power configuration command line tool. +This policy setting specifies the active power plan from a specified power plan’s GUID. The GUID for a custom power plan GUID can be retrieved by using powercfg, the power configuration command line tool. If you enable this policy setting, you must specify a power plan, specified as a GUID using the following format: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, 103eea6e-9fcd-4544-a713-c282d8e50083), indicating the power plan to be active. If you disable or do not configure this policy setting, users can see and change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -666,28 +678,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -704,7 +722,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when battery capacity reaches the critical battery notification level. +This policy setting specifies the action that Windows takes when battery capacity reaches the critical battery notification level. If you enable this policy setting, select one of the following actions: @@ -716,12 +734,7 @@ If you enable this policy setting, select one of the following actions: If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -740,28 +753,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -778,7 +797,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when battery capacity reaches the low battery notification level. +This policy setting specifies the action that Windows takes when battery capacity reaches the low battery notification level. If you enable this policy setting, select one of the following actions: @@ -790,12 +809,7 @@ If you enable this policy setting, select one of the following actions: If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -814,28 +828,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -852,7 +872,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the critical battery notification action. +This policy setting specifies the percentage of battery capacity remaining that triggers the critical battery notification action. If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the critical notification. @@ -861,12 +881,7 @@ To set the action that is triggered, see the "Critical Battery Notification Acti If you disable this policy setting or do not configure it, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -885,28 +900,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -923,7 +944,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the user notification when the battery capacity remaining equals the low battery notification level. +This policy setting turns off the user notification when the battery capacity remaining equals the low battery notification level. If you enable this policy setting, Windows shows a notification when the battery capacity remaining equals the low battery notification level. @@ -934,12 +955,7 @@ The notification will only be shown if the "Low Battery Notification Action" pol If you disable or do not configure this policy setting, users can control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -958,28 +974,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -996,7 +1018,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the low battery notification action. +This policy setting specifies the percentage of battery capacity remaining that triggers the low battery notification action. If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the low notification. @@ -1005,12 +1027,7 @@ To set the action that is triggered, see the "Low Battery Notification Action" p If you disable this policy setting or do not configure it, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1029,28 +1046,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1067,7 +1090,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. +This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. If you enable this policy setting, network connectivity will be maintained in standby. @@ -1076,12 +1099,7 @@ If you disable this policy setting, network connectivity in standby is not guara If you do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1100,28 +1118,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1138,19 +1162,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. +This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1169,28 +1188,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1207,7 +1232,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. +This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. If you enable this policy setting, select one of the following actions: @@ -1218,12 +1243,7 @@ If you enable this policy setting, select one of the following actions: If you disable this policy or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1242,28 +1262,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1280,19 +1306,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the period of inactivity before Windows turns off the hard disk. +This policy setting specifies the period of inactivity before Windows turns off the hard disk. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. If you disable or do not configure this policy setting, users can see and change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1311,28 +1332,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1349,19 +1376,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the period of inactivity before Windows turns off the hard disk. +This policy setting specifies the period of inactivity before Windows turns off the hard disk. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. If you disable or do not configure this policy setting, users can see and change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1380,28 +1402,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1418,7 +1446,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether power is automatically turned off when Windows shutdown completes. +This policy setting allows you to configure whether power is automatically turned off when Windows shutdown completes. This setting does not affect Windows shutdown behavior when shutdown is manually selected using the Start menu or Task Manager user interfaces. @@ -1431,12 +1459,7 @@ If you enable this policy setting, the computer system safely shuts down and rem If you disable or do not configure this policy setting, the computer system safely shuts down to a fully powered-off state. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1455,28 +1478,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1493,7 +1522,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify if Windows should enable the desktop background slideshow. +This policy setting allows you to specify if Windows should enable the desktop background slideshow. If you enable this policy setting, desktop background slideshow is enabled. @@ -1502,12 +1531,7 @@ If you disable this policy setting, the desktop background slideshow is disabled If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1526,28 +1550,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1564,7 +1594,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify if Windows should enable the desktop background slideshow. +This policy setting allows you to specify if Windows should enable the desktop background slideshow. If you enable this policy setting, desktop background slideshow is enabled. @@ -1573,12 +1603,7 @@ If you disable this policy setting, the desktop background slideshow is disabled If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1597,28 +1622,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1635,19 +1666,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the active power plan from a list of default Windows power plans. To specify a custom power plan, use the Custom Active Power Plan setting. +This policy setting specifies the active power plan from a list of default Windows power plans. To specify a custom power plan, use the Custom Active Power Plan setting. If you enable this policy setting, specify a power plan from the Active Power Plan list. If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1666,28 +1692,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1704,19 +1736,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hibernate or suspend state. +This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hibernate or suspend state. If you enable this policy setting, the client computer is locked and prompted for a password when it is resumed from a suspend or hibernate state. If you disable or do not configure this policy setting, users control if their computer is automatically locked or not after performing a resume operation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1735,28 +1762,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1773,19 +1806,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Power Throttling. +This policy setting allows you to turn off Power Throttling. If you enable this policy setting, Power Throttling will be turned off. If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1804,28 +1832,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1842,19 +1876,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the reserve power mode. +This policy setting specifies the percentage of battery capacity remaining that triggers the reserve power mode. If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the reserve power notification. If you disable or do not configure this policy setting, users can see and change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1867,7 +1896,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md index dff726a8e8..d2d7e0d5b4 100644 --- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_PowerShellExecutionPolicy -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -45,28 +49,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -84,7 +94,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on logging for Windows PowerShell modules. +This policy setting allows you to turn on logging for Windows PowerShell modules. If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to True. @@ -96,12 +106,7 @@ To add modules and snap-ins to the policy setting list, click Show, and then typ > This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -120,28 +125,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -159,7 +170,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. +This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. The "Allow only signed scripts" policy setting allows scripts to execute only if they are signed by a trusted publisher. @@ -171,12 +182,7 @@ If you disable this policy setting, no scripts are allowed to run. > This policy setting exists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precedence over "User Configuration." If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -195,28 +201,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -234,7 +246,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. +This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. If you enable this policy setting, Windows PowerShell will enable transcripting for Windows PowerShell, the Windows PowerShell ISE, and any other applications that leverage the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each users' My Documents directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each Windows PowerShell session. @@ -246,12 +258,7 @@ If you use the OutputDirectory setting to enable transcript logging to a shared > This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -270,28 +277,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -309,7 +322,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet. +This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet. If you enable this policy setting, the Update-Help cmdlet will use the specified value as the default value for the SourcePath parameter. This default value can be overridden by specifying a different value with the SourcePath parameter on the Update-Help cmdlet. @@ -319,12 +332,7 @@ If this policy setting is disabled or not configured, this policy setting does n > This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -337,7 +345,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-previousversions.md b/windows/client-management/mdm/policy-csp-admx-previousversions.md new file mode 100644 index 0000000000..64a89c8ccf --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-previousversions.md @@ -0,0 +1,646 @@ +--- +title: Policy CSP - ADMX_PreviousVersions +description: Policy CSP - ADMX_PreviousVersions +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_PreviousVersions + +
                  + + +## ADMX_PreviousVersions policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
                  +
                  + ADMX_PreviousVersions/DisableLocalPage_1 +
                  +
                  + ADMX_PreviousVersions/DisableLocalPage_2 +
                  +
                  + ADMX_PreviousVersions/DisableRemotePage_1 +
                  +
                  + ADMX_PreviousVersions/DisableRemotePage_2 +
                  +
                  + ADMX_PreviousVersions/HideBackupEntries_1 +
                  +
                  + ADMX_PreviousVersions/HideBackupEntries_2 +
                  +
                  + ADMX_PreviousVersions/DisableLocalRestore_1 +
                  +
                  + ADMX_PreviousVersions/DisableLocalRestore_2 +
                  +
                  + + +
                  + + +**ADMX_PreviousVersions/DisableLocalPage_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+
+
+
+This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file.
+
+- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file.
+
+- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file.
+
+- If the user clicks the Restore button, Windows attempts to restore the file from the local disk.
+
+- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file.
+
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Prevent restoring local previous versions*
+- GP name: *DisableLocalPage_1*
+- GP path: *Windows Components\File Explorer\Previous Versions*
+- GP ADMX file name: *PreviousVersions.admx*
+
+
+
+
                  + + +**ADMX_PreviousVersions/DisableLocalPage_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+
+
+
+This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file.
+
+- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file.
+
+- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file.
+
+- If the user clicks the Restore button, Windows attempts to restore the file from the local disk.
+
+- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file.
+
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Prevent restoring local previous versions*
+- GP name: *DisableLocalPage_2*
+- GP path: *Windows Components\File Explorer\Previous Versions*
+- GP ADMX file name: *PreviousVersions.admx*
+
+
+
+
                  + + +**ADMX_PreviousVersions/DisableRemotePage_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+
+
+
+This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share.
+
+- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share.
+
+- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share.
+
+- If the user clicks the Restore button, Windows attempts to restore the file from the file share.
+
+- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share.
+
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Prevent restoring remote previous versions*
+- GP name: *DisableRemotePage_1*
+- GP path: *Windows Components\File Explorer\Previous Versions*
+- GP ADMX file name: *PreviousVersions.admx*
+
+
+
+
                  + + +**ADMX_PreviousVersions/DisableRemotePage_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+
+
+
+This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share.
+
+- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share.
+
+- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share.
+
+- If the user clicks the Restore button, Windows attempts to restore the file from the file share.
+
+- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share.
+
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Prevent restoring remote previous versions*
+- GP name: *DisableRemotePage_1*
+- GP path: *Windows Components\File Explorer\Previous Versions*
+- GP ADMX file name: *PreviousVersions.admx*
+
+
+
+
+
                  + + +**ADMX_PreviousVersions/HideBackupEntries_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+
+
+
+This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media.
+
+- If you enable this policy setting, users cannot see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points.
+
+- If you disable this policy setting, users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points.
+
+If you do not configure this policy setting, it is disabled by default.
+
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Hide previous versions of files on backup location*
+- GP name: *HideBackupEntries_1*
+- GP path: *Windows Components\File Explorer\Previous Versions*
+- GP ADMX file name: *PreviousVersions.admx*
+
+
+
+
                  + + +**ADMX_PreviousVersions/HideBackupEntries_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
                  + + + +This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media. + +- If you enable this policy setting, users cannot see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points. + +- If you disable this policy setting, users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points. + +If you do not configure this policy setting, it is disabled by default. + + + + + +ADMX Info: +- GP Friendly name: *Hide previous versions of files on backup location* +- GP name: *HideBackupEntries_2* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + +
                  + + +**ADMX_PreviousVersions/DisableLocalRestore_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
                  + + + +This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. + +- If the user clicks the Restore button, Windows attempts to restore the file from the file share. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. + + + + + +ADMX Info: +- GP Friendly name: *Prevent restoring remote previous versions* +- GP name: *DisableLocalRestore_1* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + + +
                  + +**ADMX_PreviousVersions/DisableLocalRestore_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
                  + + + +This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. + +- If the user clicks the Restore button, Windows attempts to restore the file from the file share. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. + + + + +ADMX Info: +- GP Friendly name: *Prevent restoring remote previous versions* +- GP name: *DisableLocalRestore_2* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index 2376b4480e..fe3a0db756 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md 
@@ -13,8 +13,12 @@ manager: dansimp
 ---
 # Policy CSP - ADMX_Printing
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+>[!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -112,28 +116,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -150,7 +160,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Internet printing lets you display printers on Web pages so that printers can be viewed, managed, and used across the Internet or an intranet. +Internet printing lets you display printers on Web pages so that printers can be viewed, managed, and used across the Internet or an intranet. If you enable this policy setting, Internet printing is activated on this server. @@ -164,12 +174,7 @@ Internet printing is an extension of Internet Information Services (IIS). To use Also, see the "Custom support URL in the Printers folder's left pane" setting in this folder and the "Browse a common Web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -188,28 +193,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -226,7 +237,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash. +Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash. Not all applications support driver isolation. By default, Microsoft Excel 2007, Excel 2010, Word 2007, Word 2010 and certain other applications are configured to support it. Other applications may also be capable of isolating print drivers, depending on whether they are configured for it. @@ -240,12 +251,7 @@ If you disable this policy setting, then print drivers will be loaded within all > - This policy setting is only checked once during the lifetime of a process. After changing the policy, a running application must be relaunched before settings take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -264,28 +270,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -302,7 +314,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. By default, the Printers folder includes a link to the Microsoft Support Web page called "Get help with printing". It can also include a link to a Web page supplied by the vendor of the currently selected printer. +By default, the Printers folder includes a link to the Microsoft Support Web page called "Get help with printing". It can also include a link to a Web page supplied by the vendor of the currently selected printer. If you enable this policy setting, you replace the "Get help with printing" default link with a link to a Web page customized for your enterprise. @@ -316,12 +328,7 @@ Also, see the "Activate Internet printing" setting in this setting folder and th Web view is affected by the "Turn on Classic Shell" and "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" settings in User Configuration\Administrative Templates\Windows Components\Windows Explorer, and by the "Enable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -340,28 +347,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -378,7 +391,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage where client computers search for Point and Printer drivers. +This policy setting allows you to manage where client computers search for Point and Printer drivers. If you enable this policy setting, the client computer will continue to search for compatible Point and Print drivers from Windows Update after it fails to find the compatible driver from the local driver store and the server driver cache. @@ -386,15 +399,9 @@ If you disable this policy setting, the client computer will only search the loc This policy setting is not configured by default, and the behavior depends on the version of Windows that you are using. -By default, Windows Ultimate, Professional and Home SKUs will continue to search for compatible Point and Print drivers from Windows Update, if needed. However, you must explicitly enable this policy setting for other versions of Windows (for example Windows Enterprise, and all versions of Windows Server 2008 R2 and later) to have the same behavior. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -413,28 +420,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -451,7 +464,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network.) +If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network.) If this policy setting is disabled, the network scan page will not be displayed. @@ -472,12 +485,7 @@ In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -496,28 +504,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -534,7 +548,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Allows users to use the Add Printer Wizard to search the network for shared printers. +Allows users to use the Add Printer Wizard to search the network for shared printers. If you enable this setting or do not configure it, when users choose to add a network printer by selecting the "A network printer, or a printer attached to another computer" radio button on Add Printer Wizard's page 2, and also check the "Connect to this printer (or to browse for a printer, select this option and click Next)" radio button on Add Printer Wizard's page 3, and do not specify a printer name in the adjacent "Name" edit box, then Add Printer Wizard displays the list of shared printers on the network and invites to choose a printer from the shown list. @@ -544,12 +558,7 @@ If you disable this setting, the network printer browse page is removed from wit > This setting affects the Add Printer Wizard only. It does not prevent users from using other programs to search for shared printers or to connect to network printers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -568,28 +577,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -606,7 +621,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. When printing through a print server, determines whether the print spooler on the client will process print jobs itself, or pass them on to the server to do the work. +When printing through a print server, determines whether the print spooler on the client will process print jobs itself, or pass them on to the server to do the work. This policy setting only effects printing to a Windows print server. @@ -624,12 +639,7 @@ If you do not enable this policy setting, the behavior is the same as disabling > In cases where the client print driver does not match the server print driver (mismatched connection), the client will always process the print job, regardless of the setting of this policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -648,28 +658,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -686,17 +702,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) is forced to use a software rasterizer instead of a Graphics Processing Unit (GPU) to rasterize pages. +Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) is forced to use a software rasterizer instead of a Graphics Processing Unit (GPU) to rasterize pages. This setting may improve the performance of the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) on machines that have a relatively powerful CPU as compared to the machine’s GPU. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -715,28 +726,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -753,7 +770,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Adds a link to an Internet or intranet Web page to the Add Printer Wizard. +Adds a link to an Internet or intranet Web page to the Add Printer Wizard. You can use this setting to direct users to a Web page from which they can install printers. @@ -764,12 +781,7 @@ This setting makes it easy for users to find the printers you want them to add. Also, see the "Custom support URL in the Printers folder's left pane" and "Activate Internet printing" settings in "Computer Configuration\Administrative Templates\Printers." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -788,28 +800,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -826,24 +844,18 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether printers using kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have access to system-wide memory, and therefore poorly-written kernel-mode drivers can cause stop errors. +Determines whether printers using kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have access to system-wide memory, and therefore poorly-written kernel-mode drivers can cause stop errors. -If you disable this setting, or do not configure it, then printers using a kernel-mode drivers may be installed on the local computer running Windows XP Home Edition and Windows XP Professional. If you do not configure this setting on Windows Server 2003 family products, the installation of kernel-mode printer drivers will be blocked. If you enable this setting, installation of a printer using a kernel-mode driver will not be allowed. > [!NOTE] -> By applying this policy, existing kernel-mode drivers will be disabled upon installation of service packs or reinstallation of the Windows XP operating system. This policy does not apply to 64-bit kernel-mode printer drivers as they cannot be installed and associated with a print queue. +> This policy does not apply to 64-bit kernel-mode printer drivers as they cannot be installed and associated with a print queue. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. 
For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -862,28 +874,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -900,7 +918,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This preference allows you to change default printer management. +This preference allows you to change default printer management. If you enable this setting, Windows will not manage the default printer. @@ -909,12 +927,7 @@ If you disable this setting, Windows will manage the default printer. If you do not configure this setting, default printer management will not change. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -933,28 +946,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -971,19 +990,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2019. +Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2019. If you enable this group policy setting, the default MXDW output format is the legacy Microsoft XPS (*.xps). If you disable or do not configure this policy setting, the default MXDW output format is OpenXPS (*.oxps). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1002,28 +1016,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1040,7 +1060,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If this policy setting is enabled, it prevents users from deleting local and network printers. +If this policy setting is enabled, it prevents users from deleting local and network printers. If a user tries to delete a printer, such as by using the Delete option in Printers in Control Panel, a message appears explaining that a setting prevents the action. @@ -1049,12 +1069,7 @@ This setting does not prevent users from running other programs to delete a prin If this policy is disabled, or not configured, users can delete printers using the methods described above. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1073,28 +1088,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1111,7 +1132,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged network (when the computer is not able to reach a domain controller, e.g. a domain-joined laptop on a home network.) +This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged network (when the computer is not able to reach a domain controller, e.g. a domain-joined laptop on a home network.) If this setting is disabled, the network scan page will not be displayed. @@ -1129,12 +1150,7 @@ In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1153,28 +1169,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1191,19 +1213,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy restricts clients computers to use package point and print only. +This policy restricts clients computers to use package point and print only. If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1222,28 +1239,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1260,19 +1283,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy restricts clients computers to use package point and print only. +This policy restricts clients computers to use package point and print only. If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1291,28 +1309,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1329,7 +1353,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Restricts package point and print to approved servers. +Restricts package point and print to approved servers. This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. @@ -1340,12 +1364,7 @@ If this setting is enabled, users will only be able to package point and print t If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1364,28 +1383,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1402,7 +1427,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Restricts package point and print to approved servers. +Restricts package point and print to approved servers. This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. @@ -1413,12 +1438,7 @@ If this setting is enabled, users will only be able to package point and print t If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1437,28 +1457,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1475,7 +1501,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If this policy setting is enabled, it specifies the default location criteria used when searching for printers. +If this policy setting is enabled, it specifies the default location criteria used when searching for printers. This setting is a component of the Location Tracking feature of Windows printers. To use this setting, enable Location Tracking by enabling the "Pre-populate printer search location text" setting. @@ -1486,12 +1512,7 @@ Type the location of the user's computer. When users search for printers, the sy If you disable this setting or do not configure it, and the user does not type a location as a search criterion, the system searches for a nearby printer based on the IP address and subnet mask of the user's computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1510,28 +1531,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1548,7 +1575,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enables the physical Location Tracking setting for Windows printers. +Enables the physical Location Tracking setting for Windows printers. Use Location Tracking to design a location scheme for your enterprise and assign computers and printers to locations in the scheme. Location Tracking overrides the standard method used to locate and associate computers and printers. The standard method uses a printer's IP address and subnet mask to estimate its physical location and proximity to computers. @@ -1557,12 +1584,7 @@ If you enable this setting, users can browse for printers by location without kn If you disable this setting or do not configure it, Location Tracking is disabled. Printer proximity is estimated using the standard method (that is, based on IP address and subnet mask). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1581,28 +1603,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1619,7 +1647,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler service to fail. +This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler service to fail. If you enable or do not configure this policy setting, the print spooler will execute print drivers in an isolated process by default. @@ -1631,12 +1659,7 @@ If you disable this policy setting, the print spooler will execute print drivers > - This policy setting takes effect without restarting the print spooler service. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1655,28 +1678,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1693,7 +1722,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This enables executing print drivers in an isolated process, even if the driver does not report compatibility. +This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This enables executing print drivers in an isolated process, even if the driver does not report compatibility. If you enable this policy setting, the print spooler isolates all print drivers that do not explicitly opt out of Driver Isolation. @@ -1705,12 +1734,7 @@ If you disable or do not configure this policy setting, the print spooler uses t > - This policy setting takes effect without restarting the print spooler service. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1729,28 +1753,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1767,7 +1797,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the Active Directory location where searches for printers begin. +Specifies the Active Directory location where searches for printers begin. The Add Printer Wizard gives users the option of searching Active Directory for a shared printer. @@ -1776,12 +1806,7 @@ If you enable this policy setting, these searches begin at the location you spec This setting only provides a starting point for Active Directory searches for printers. It does not restrict user searches through Active Directory. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1800,28 +1825,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1838,7 +1869,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Announces the presence of shared printers to print browse main servers for the domain. +Announces the presence of shared printers to print browse main servers for the domain. On domains with Active Directory, shared printer resources are available in Active Directory and are not announced. @@ -1852,12 +1883,7 @@ If you do not configure this setting, shared printers are announced to browse ma > A client license is used each time a client computer announces a printer to a print browse master on the domain. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1876,28 +1902,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1914,7 +1946,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy controls whether the print job name will be included in print event logs. +This policy controls whether the print job name will be included in print event logs. If you disable or do not configure this policy setting, the print job name will not be included. @@ -1924,12 +1956,7 @@ If you enable this policy setting, the print job name will be included in new lo > This setting does not apply to Branch Office Direct Printing jobs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1948,28 +1975,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1986,7 +2019,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy determines if v4 printer drivers are allowed to run printer extensions. +This policy determines if v4 printer drivers are allowed to run printer extensions. V4 printer drivers may include an optional, customized user interface known as a printer extension. These extensions may provide access to more device features, but this may not be appropriate for all enterprises. @@ -1995,12 +2028,7 @@ If you enable this policy setting, then all printer extensions will not be allow If you disable this policy setting or do not configure it, then all printer extensions that have been installed will be allowed to run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2013,7 +2041,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md index 55aeef679a..be91226a5a 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing2.md +++ b/windows/client-management/mdm/policy-csp-admx-printing2.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Printing2 -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -60,28 +64,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -98,7 +108,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Determines whether the Add Printer Wizard automatically publishes the computer's shared printers in Active Directory. +Determines whether the Add Printer Wizard automatically publishes the computer's shared printers in Active Directory. If you enable this setting or do not configure it, the Add Printer Wizard automatically publishes all shared printers. @@ -110,12 +120,7 @@ The default behavior is to automatically publish shared printers in Active Direc > This setting is ignored if the "Allow printers to be published" setting is disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -134,28 +139,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -172,7 +183,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether the domain controller can prune (delete from Active Directory) the printers published by this computer. +Determines whether the domain controller can prune (delete from Active Directory) the printers published by this computer. By default, the pruning service on the domain controller prunes printer objects from Active Directory if the computer that published them does not respond to contact requests. When the computer that published the printers restarts, it republishes any deleted printer objects. @@ -184,12 +195,7 @@ If you disable this setting, the domain controller does not prune this computer' > You can use the "Directory Pruning Interval" and "Directory Pruning Retry" settings to adjust the contact interval and number of contact attempts. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -208,28 +214,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -246,7 +258,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether the pruning service on a domain controller prunes printer objects that are not automatically republished whenever the host computer does not respond,just as it does with Windows 2000 printers. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published outside their forest. +Determines whether the pruning service on a domain controller prunes printer objects that are not automatically republished whenever the host computer does not respond,just as it does with Windows 2000 printers. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published outside their forest. The Windows pruning service prunes printer objects from Active Directory when the computer that published them does not respond to contact requests. Computers running Windows 2000 Professional detect and republish deleted printer objects when they rejoin the network. However, because non-Windows 2000 computers and computers in other domains cannot republish printers in Active Directory automatically, by default, the system never prunes their printer objects. 
@@ -265,12 +277,7 @@ You can enable this setting to change the default behavior. To use this setting, > If you disable automatic pruning, remember to delete printer objects manually whenever you remove a printer or print server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -289,28 +296,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -327,7 +340,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies how often the pruning service on a domain controller contacts computers to verify that their printers are operational. +Specifies how often the pruning service on a domain controller contacts computers to verify that their printers are operational. The pruning service periodically contacts computers that have published printers. If a computer does not respond to the contact message (optionally, after repeated attempts), the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. @@ -341,12 +354,7 @@ If you do not configure or disable this setting the default values will be used. > This setting is used only on domain controllers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -365,28 +373,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -403,7 +417,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Sets the priority of the pruning thread. +Sets the priority of the pruning thread. The pruning thread, which runs only on domain controllers, deletes printer objects from Active Directory if the printer that published the object does not respond to contact attempts. This process keeps printer information in Active Directory current. @@ -415,12 +429,7 @@ By default, the pruning thread runs at normal priority. However, you can adjust > This setting is used only on domain controllers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -439,28 +448,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -477,7 +492,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies how many times the pruning service on a domain controller repeats its attempt to contact a computer before pruning the computer's printers. +Specifies how many times the pruning service on a domain controller repeats its attempt to contact a computer before pruning the computer's printers. The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact message, the message is repeated for the specified number of times. If the computer still fails to respond, then the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. @@ -491,12 +506,7 @@ If you do not configure or disable this setting, the default values are used. > This setting is used only on domain controllers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -515,28 +525,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -553,7 +569,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies whether or not to log events when the pruning service on a domain controller attempts to contact a computer before pruning the computer's printers. +Specifies whether or not to log events when the pruning service on a domain controller attempts to contact a computer before pruning the computer's printers. The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact attempt, the attempt is retried a specified number of times, at a specified interval. The "Directory pruning retry" setting determines the number of times the attempt is retried; the default value is two retries. The "Directory Pruning Interval" setting determines the time interval between retries; the default value is every eight hours. If the computer has not responded by the last contact attempt, its printers are pruned from the directory. @@ -567,12 +583,7 @@ Note: This setting does not affect the logging of pruning events; the actual pru > This setting is used only on domain controllers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -591,28 +602,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -629,7 +646,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy controls whether the print spooler will accept client connections. +This policy controls whether the print spooler will accept client connections. When the policy is not configured or enabled, the spooler will always accept client connections. @@ -638,12 +655,7 @@ When the policy is disabled, the spooler will not accept client connections nor The spooler must be restarted for changes to this policy to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -662,28 +674,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -700,7 +718,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Directs the system to periodically verify that the printers published by this computer still appear in Active Directory. This setting also specifies how often the system repeats the verification. +Directs the system to periodically verify that the printers published by this computer still appear in Active Directory. This setting also specifies how often the system repeats the verification. By default, the system only verifies published printers at startup. This setting allows for periodic verification while the computer is operating. @@ -709,12 +727,7 @@ To enable this additional verification, enable this setting, and then select a v To disable verification, disable this setting, or enable this setting and select "Never" for the verification interval. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -727,6 +740,5 @@ ADMX Info:
-> [!NOTE]
-> These policies are currently only available as part of a Windows Insider release.
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md
index 269ccd44c0..d6dcf488e4 100644
--- a/windows/client-management/mdm/policy-csp-admx-programs.md
+++ b/windows/client-management/mdm/policy-csp-admx-programs.md
@@ -13,8 +13,12 @@ manager: dansimp
 ---
 # Policy CSP - ADMX_Programs
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+>[!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -54,28 +58,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -92,7 +102,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result, users cannot view or change the associated page. +This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result, users cannot view or change the associated page. The Set Program Access and Computer Defaults page allows administrators to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as specify the programs that are accessible from the Start menu, desktop, and other locations. @@ -103,12 +113,7 @@ This setting does not prevent users from using other tools and methods to change This setting does not prevent the Default Programs icon from appearing on the Start menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -127,28 +132,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -165,7 +176,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from viewing or installing published programs from the network. +Prevents users from viewing or installing published programs from the network. This setting prevents users from accessing the "Get Programs" page from the Programs Control Panel in Category View, Programs and Features in Classic View and the "Install a program from the network" task. The "Get Programs" page lists published programs and provides an easy way to install them. @@ -179,12 +190,7 @@ If this setting is disabled or is not configured, the "Install a program from th > If the "Hide Programs Control Panel" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -203,28 +209,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -241,7 +253,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing "Installed Updates" page from the "View installed updates" task. +This setting prevents users from accessing "Installed Updates" page from the "View installed updates" task. "Installed Updates" allows users to view and uninstall updates currently installed on the computer. The updates are often downloaded directly from Windows Update or from various program publishers. @@ -250,12 +262,7 @@ If this setting is disabled or not configured, the "View installed updates" task This setting does not prevent users from using other tools and methods to install or uninstall programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -274,28 +281,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -312,19 +325,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repair programs that are currently installed on the computer. +This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repair programs that are currently installed on the computer. If this setting is disabled or not configured, "Programs and Features" will be available to all users. This setting does not prevent users from using other tools and methods to view or uninstall programs. It also does not prevent users from linking to related Programs Control Panel Features including Windows Features, Get Programs, or Windows Marketplace. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -343,28 +351,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -381,7 +395,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View. +This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View. The Programs Control Panel allows users to uninstall, change, and repair programs, enable and disable Windows Features, set program defaults, view installed updates, and purchase software from Windows Marketplace. Programs published or assigned to the user by the system administrator also appear in the Programs Control Panel. @@ -392,12 +406,7 @@ When enabled, this setting takes precedence over the other settings in this fold This setting does not prevent users from using other tools and methods to install or uninstall programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -416,28 +425,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -454,19 +469,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or disable various Windows features and services. +This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or disable various Windows features and services. If this setting is disabled or is not configured, the "Turn Windows features on or off" task will be available to all users. This setting does not prevent users from using other tools and methods to configure services or enable or disable program components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -485,28 +495,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -523,7 +539,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from access the "Get new programs from Windows Marketplace" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. +This setting prevents users from access the "Get new programs from Windows Marketplace" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. Windows Marketplace allows users to purchase and/or download various programs to their computer for installation. @@ -535,12 +551,7 @@ If this feature is disabled or is not configured, the "Get new programs from Win > If the "Hide Programs control Panel" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -553,8 +564,7 @@ ADMX Info:
-> [!NOTE]
-> These policies are currently only available as part of a Windows Insider release.
+
diff --git a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md
new file mode 100644
index 0000000000..2dd314e5ca
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md
@@ -0,0 +1,103 @@
+---
+title: Policy CSP - ADMX_PushToInstall
+description: Policy CSP - ADMX_PushToInstall
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/01/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_PushToInstall
+
+
+
+
+## ADMX_PushToInstall policies
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
                  +
                  + ADMX_PushToInstall/DisablePushToInstall +
                  +
                  + + +
                  + + +**ADMX_PushToInstall/DisablePushToInstall** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+If you enable this setting, users will not be able to push Apps to this device from the Microsoft Store running on other devices or the web.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Turn off Push To Install service*
+- GP name: *DisablePushToInstall*
+- GP path: *Windows Components\Push To Install*
+- GP ADMX file name: *PushToInstall.admx*
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-radar.md b/windows/client-management/mdm/policy-csp-admx-radar.md
new file mode 100644
index 0000000000..f1161f6d53
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-radar.md
@@ -0,0 +1,114 @@
+---
+title: Policy CSP - ADMX_Radar
+description: Policy CSP - ADMX_Radar
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/08/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_Radar
+
+
+
+
+## ADMX_Radar policies
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
                  +
                  + ADMX_Radar/WdiScenarioExecutionPolicy +
                  +
                  + + +
                  + + +**ADMX_Radar/WdiScenarioExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy determines the execution level for Windows Resource Exhaustion Detection and Resolution.
+
+- If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Resource Exhaustion problems and attempt to determine their root causes.
+
+These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Resource Exhaustion problems and indicate to the user that assisted resolution is available.
+
+- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Resource Exhaustion problems that are handled by the DPS.
+
+If you do not configure this policy setting, the DPS will enable Windows Resource Exhaustion for resolution by default.
+This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. No system restart or service restart is required for this policy to take effect: changes take effect immediately. This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure Scenario Execution Level*
+- GP name: *WdiScenarioExecutionPolicy*
+- GP path: *System\Troubleshooting and Diagnostics\Windows Resource Exhaustion Detection and Resolution*
+- GP ADMX file name: *Radar.admx*
+
+
                  + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md index 917a3bcdc5..d7e4ecc5bc 100644 --- a/windows/client-management/mdm/policy-csp-admx-reliability.md +++ b/windows/client-management/mdm/policy-csp-admx-reliability.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Reliability -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -45,28 +49,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -83,7 +93,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. +This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. If you enable this policy setting, you are able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timestamp Interval in seconds. @@ -95,12 +105,7 @@ If you do not configure this policy setting, the Persistent System Timestamp is > This feature might interfere with power configuration settings that turn off hard disks after a period of inactivity. These power settings may be accessed in the Power Options Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -121,28 +126,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -159,7 +170,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled. +This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled. If you enable this policy setting, error reporting includes unplanned shutdown events. @@ -170,12 +181,7 @@ If you do not configure this policy setting, users can adjust this setting using Also see the "Configure Error Reporting" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -196,28 +202,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -234,7 +246,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines when the Shutdown Event Tracker System State Data feature is activated. +This policy setting defines when the Shutdown Event Tracker System State Data feature is activated. The system state data file contains information about the basic system state as well as the state of all running processes. @@ -244,16 +256,9 @@ If you disable this policy setting, the System State Data feature is never activ If you do not configure this policy setting, the default behavior for the System State Data feature occurs. -> [!NOTE] -> By default, the System State Data feature is always enabled on Windows Server 2003. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -274,28 +279,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -312,7 +323,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. +The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. If you enable this setting and choose "Always" from the drop-down menu list, the Shutdown Event Tracker is displayed when the computer shuts down. @@ -328,12 +339,7 @@ If you do not configure this policy setting, the default behavior for the Shutdo > By default, the Shutdown Event Tracker is only displayed on computers running Windows Server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -346,8 +352,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md index 485d680915..a6af07f6c6 100644 --- a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_RemoteAssistance -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -39,28 +43,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -77,7 +87,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers running this version (or later versions) of the operating system can connect. This policy setting does not affect Remote Assistance connections that are initiated by instant messaging contacts or the unsolicited Offer Remote Assistance. +This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers running this version (or later versions) of the operating system can connect. This policy setting does not affect Remote Assistance connections that are initiated by instant messaging contacts or the unsolicited Offer Remote Assistance. If you enable this policy setting, only computers running this version (or later versions) of the operating system can connect to this computer. @@ -86,12 +96,7 @@ If you disable this policy setting, computers running this version and a previou If you do not configure this policy setting, users can configure the setting in System Properties in the Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -110,28 +115,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -148,7 +159,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to improve performance in low bandwidth scenarios. +This policy setting allows you to improve performance in low bandwidth scenarios. This setting is incrementally scaled from "No optimization" to "Full optimization". Each incremental setting includes the previous optimization setting. @@ -173,12 +184,7 @@ If you disable this policy setting, application-based settings are used. If you do not configure this policy setting, application-based settings are used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -190,7 +196,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are for upcoming release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md index b839eb3de7..da757e7ffe 100644 --- a/windows/client-management/mdm/policy-csp-admx-removablestorage.md +++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_RemovableStorage -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -129,28 +133,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -167,7 +177,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. +This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. @@ -177,12 +187,7 @@ If you disable or do not configure this setting, the operating system does not f > If no reboot is forced, the access right does not take effect until the operating system is restarted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -201,28 +206,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -239,7 +250,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. +This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. @@ -249,12 +260,7 @@ If you disable or do not configure this setting, the operating system does not f > If no reboot is forced, the access right does not take effect until the operating system is restarted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -273,28 +279,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -311,19 +323,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the CD and DVD removable storage class. +This policy setting denies execute access to the CD and DVD removable storage class. If you enable this policy setting, execute access is denied to this removable storage class. If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -342,28 +349,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -380,18 +393,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the CD and DVD removable storage class. +This policy setting denies read access to the CD and DVD removable storage class. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -410,28 +418,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -448,19 +462,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the CD and DVD removable storage class. +This policy setting denies read access to the CD and DVD removable storage class. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -479,28 +488,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -517,19 +532,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the CD and DVD removable storage class. +This policy setting denies write access to the CD and DVD removable storage class. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -548,28 +558,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -586,19 +602,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the CD and DVD removable storage class. +This policy setting denies write access to the CD and DVD removable storage class. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -617,28 +628,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -655,19 +672,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to custom removable storage classes. +This policy setting denies read access to custom removable storage classes. If you enable this policy setting, read access is denied to these removable storage classes. If you disable or do not configure this policy setting, read access is allowed to these removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -686,28 +698,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -724,19 +742,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to custom removable storage classes. +This policy setting denies read access to custom removable storage classes. If you enable this policy setting, read access is denied to these removable storage classes. If you disable or do not configure this policy setting, read access is allowed to these removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -755,28 +768,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -793,19 +812,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to custom removable storage classes. +This policy setting denies write access to custom removable storage classes. If you enable this policy setting, write access is denied to these removable storage classes. If you disable or do not configure this policy setting, write access is allowed to these removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -823,28 +837,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -861,19 +881,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to custom removable storage classes. +This policy setting denies write access to custom removable storage classes. If you enable this policy setting, write access is denied to these removable storage classes. If you disable or do not configure this policy setting, write access is allowed to these removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -891,28 +906,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -929,19 +950,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the Floppy Drives removable storage class, including USB Floppy Drives. +This policy setting denies execute access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, execute access is denied to this removable storage class. If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -959,28 +975,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -997,19 +1019,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. +This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1027,28 +1044,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1065,19 +1088,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. +This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1095,28 +1113,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1133,18 +1157,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. +This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1162,28 +1181,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1200,19 +1225,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. +This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1230,28 +1250,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1268,18 +1294,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to removable disks. +This policy setting denies execute access to removable disks. If you enable this policy setting, execute access is denied to this removable storage class. If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1297,28 +1318,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1335,19 +1362,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks. +This policy setting denies read access to removable disks. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1365,28 +1387,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1403,18 +1431,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks. +This policy setting denies read access to removable disks. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1432,28 +1455,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1470,7 +1499,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks. +This policy setting denies write access to removable disks. If you enable this policy setting, write access is denied to this removable storage class. @@ -1480,12 +1509,7 @@ If you disable or do not configure this policy setting, write access is allowed > To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1503,28 +1527,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1541,7 +1571,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Configure access to all removable storage classes. +Configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. @@ -1550,12 +1580,7 @@ If you enable this policy setting, no access is allowed to any removable storage If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1573,28 +1598,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1611,7 +1642,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Configure access to all removable storage classes. +Configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. @@ -1620,12 +1651,7 @@ If you enable this policy setting, no access is allowed to any removable storage If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1643,28 +1669,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1681,19 +1713,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting grants normal users direct access to removable storage devices in remote sessions. +This policy setting grants normal users direct access to removable storage devices in remote sessions. If you enable this policy setting, remote users can open direct handles to removable storage devices in remote sessions. If you disable or do not configure this policy setting, remote users cannot open direct handles to removable storage devices in remote sessions. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1711,28 +1738,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1749,19 +1782,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the Tape Drive removable storage class. +This policy setting denies execute access to the Tape Drive removable storage class. If you enable this policy setting, execute access is denied to this removable storage class. If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1779,28 +1807,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1817,18 +1851,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Tape Drive removable storage class. +This policy setting denies read access to the Tape Drive removable storage class. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1846,28 +1875,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1884,19 +1919,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Tape Drive removable storage class. +This policy setting denies read access to the Tape Drive removable storage class. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1914,28 +1944,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1952,18 +1988,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Tape Drive removable storage class. +This policy setting denies write access to the Tape Drive removable storage class. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1981,28 +2012,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2019,19 +2056,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Tape Drive removable storage class. +This policy setting denies write access to the Tape Drive removable storage class. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2049,28 +2081,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2087,19 +2125,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. +This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2117,28 +2150,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2155,18 +2194,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. +This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2184,28 +2218,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2222,19 +2262,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. +This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2252,28 +2287,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2290,19 +2331,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. +This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2314,7 +2350,6 @@ ADMX Info:
-> [!NOTE]
-> These policies are currently only available as part of a Windows Insider release.
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-rpc.md b/windows/client-management/mdm/policy-csp-admx-rpc.md
index c999d05318..133c1cce4d 100644
--- a/windows/client-management/mdm/policy-csp-admx-rpc.md
+++ b/windows/client-management/mdm/policy-csp-admx-rpc.md
@@ -13,8 +13,12 @@ manager: dansimp
 ---
 # Policy CSP - ADMX_RPC
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+> [!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -45,28 +49,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -83,7 +93,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the RPC runtime generates extended error information when an error occurs. +This policy setting controls whether the RPC runtime generates extended error information when an error occurs. Extended error information includes the local time that the error occurred, the RPC version, and the name of the computer on which the error occurred, or from which it was propagated. Programs can retrieve the extended error information by using standard Windows application programming interfaces (APIs). @@ -110,12 +120,6 @@ You must select an error response type in the drop-down box. > This policy setting will not be applied until the system is rebooted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -134,28 +138,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -172,7 +182,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the RPC Runtime ignores delegation failures when delegation is requested. +This policy setting controls whether the RPC Runtime ignores delegation failures when delegation is requested. The constrained delegation model, introduced in Windows Server 2003, does not report that delegation was enabled on a security context when a client connects to a server. Callers of RPC and COM are encouraged to use the RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE flag, but some applications written for the traditional delegation model prior to Windows Server 2003 may not use this flag and will encounter RPC_S_SEC_PKG_ERROR when connecting to a server that uses constrained delegation. @@ -190,12 +200,7 @@ If you enable this policy setting, then: > This policy setting will not be applied until the system is rebooted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -215,28 +220,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -253,7 +264,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the idle connection timeout for RPC/HTTP connections. +This policy setting controls the idle connection timeout for RPC/HTTP connections. This policy setting is useful in cases where a network agent like an HTTP proxy or a router uses a lower idle connection timeout than the IIS server running the RPC/HTTP proxy. In such cases, RPC/HTTP clients may encounter errors because connections will be timed out faster than expected. Using this policy setting you can force the RPC Runtime and the RPC/HTTP Proxy to use a lower connection timeout. @@ -271,12 +282,7 @@ If you enable this policy setting, and the IIS server running the RPC HTTP proxy > This policy setting will not be applied until the system is rebooted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -295,28 +301,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -333,7 +345,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the RPC Runtime maintains RPC state information for the system, and how much information it maintains. Basic state information, which consists only of the most commonly needed state data, is required for troubleshooting RPC problems. +This policy setting determines whether the RPC Runtime maintains RPC state information for the system, and how much information it maintains. Basic state information, which consists only of the most commonly needed state data, is required for troubleshooting RPC problems. If you disable this policy setting, the RPC runtime defaults to "Auto2" level. @@ -357,12 +369,6 @@ If you enable this policy setting, you can use the drop-down box to determine wh > This policy setting will not be applied until the system is rebooted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -375,8 +381,6 @@ ADMX Info:
-> [!NOTE]
-> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md
index c28841c0c5..101d934f48 100644
--- a/windows/client-management/mdm/policy-csp-admx-scripts.md
+++ b/windows/client-management/mdm/policy-csp-admx-scripts.md
@@ -13,8 +13,12 @@ manager: dansimp
 ---
 # Policy CSP - ADMX_Scripts
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+> [!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -69,28 +73,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -107,19 +117,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer. +This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer. If you enable this policy setting, user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons without the DNS suffixes being configured. If you disable or do not configure this policy setting, user account cross-forest, interactive logging cannot run logon scripts if NetBIOS or WINS is disabled, and the DNS suffixes are not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -138,28 +143,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -176,7 +187,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long the system waits for scripts applied by Group Policy to run. +This policy setting determines how long the system waits for scripts applied by Group Policy to run. This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If the scripts have not finished running when the specified time expires, the system stops script processing and records an error event. @@ -189,12 +200,7 @@ An excessively long interval can delay the system and inconvenience users. Howev If you disable or do not configure this setting the system lets the combined set of scripts run for up to 600 seconds (10 minutes). This is the default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -213,28 +219,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -251,7 +263,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. +This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. @@ -281,12 +293,7 @@ Within GPO C: C.cmd, C.ps1 > - Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shutdown -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -305,28 +312,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -343,23 +356,18 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier. +This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier. -Logon scripts are batch files of instructions that run when the user logs on. By default, Windows 2000 displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run, although it does not display logon scripts written for Windows 2000. +Logon scripts are batch files of instructions that run when the user logs on. By default, Windows displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run, although it does not display logon scripts written for Windows. -If you enable this setting, Windows 2000 does not display logon scripts written for Windows NT 4.0 and earlier. +If you enable this setting, Windows does not display logon scripts written for Windows NT 4.0 and earlier. -If you disable or do not configure this policy setting, Windows 2000 displays login scripts written for Windows NT 4.0 and earlier. +If you disable or do not configure this policy setting, Windows displays login scripts written for Windows NT 4.0 and earlier. Also, see the "Run Logon Scripts Visible" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. 
For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -378,28 +386,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -416,7 +430,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in logoff scripts as they run. +This policy setting displays the instructions in logoff scripts as they run. Logoff scripts are batch files of instructions that run when the user logs off. By default, the system does not display the instructions in the logoff script. @@ -425,12 +439,7 @@ If you enable this policy setting, the system displays each instruction in the l If you disable or do not configure this policy setting, the instructions are suppressed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -449,28 +458,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -487,7 +502,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. +This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. @@ -496,12 +511,7 @@ If you disable or do not configure this policy setting, the logon scripts and Fi This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -520,28 +530,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -558,7 +574,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. +This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. @@ -567,12 +583,7 @@ If you disable or do not configure this policy setting, the logon scripts and Fi This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -591,28 +602,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -629,7 +646,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in logon scripts as they run. +This policy setting displays the instructions in logon scripts as they run. Logon scripts are batch files of instructions that run when the user logs on. By default, the system does not display the instructions in logon scripts. @@ -638,12 +655,7 @@ If you enable this policy setting, the system displays each instruction in the l If you disable or do not configure this policy setting, the instructions are suppressed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -662,28 +674,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -700,7 +718,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in shutdown scripts as they run. +This policy setting displays the instructions in shutdown scripts as they run. Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system does not display the instructions in the shutdown script. @@ -709,12 +727,7 @@ If you enable this policy setting, the system displays each instruction in the s If you disable or do not configure this policy setting, the instructions are suppressed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -733,28 +746,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -771,7 +790,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets the system run startup scripts simultaneously. +This policy setting lets the system run startup scripts simultaneously. Startup scripts are batch files that run before the user is invited to log on. By default, the system waits for each startup script to complete before it runs the next startup script. @@ -783,12 +802,7 @@ If you disable or do not configure this policy setting, a startup cannot run unt > Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether the "Run startup scripts visible" policy setting is enabled or not. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -807,28 +821,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -845,7 +865,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in startup scripts as they run. +This policy setting displays the instructions in startup scripts as they run. Startup scripts are batch files of instructions that run before the user is invited to log on. By default, the system does not display the instructions in the startup script. @@ -857,12 +877,7 @@ If you disable or do not configure this policy setting, the instructions are sup > Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether this policy setting is enabled or not. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -881,28 +896,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -920,7 +941,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. +This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before non-PowerShell scripts during user logon and logoff. @@ -952,12 +973,7 @@ Within GPO C: C.cmd, C.ps1 This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the setting set in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -970,8 +986,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md index e7a0beefc6..e0423f69bb 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_sdiageng -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -42,28 +46,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -80,19 +90,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" +This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" If you enable or do not configure this policy setting, users who are connected to the Internet can access and search troubleshooting content that is hosted on Microsoft content servers from within the Troubleshooting Control Panel user interface. If you disable this policy setting, users can only access and search troubleshooting content that is available locally on their computers, even if they are connected to the Internet. They are prevented from connecting to the Microsoft servers that host the Windows Online Troubleshooting Service. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. 
For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -111,28 +116,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -149,7 +160,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers. +This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers. If you enable or do not configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel. @@ -158,12 +169,7 @@ If you disable this policy setting, users cannot access or run the troubleshooti Note that this setting also controls a user's ability to launch standalone troubleshooting packs such as those found in .diagcab files. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -182,28 +188,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -220,19 +232,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers. +This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers. If you enable this policy setting, the scripted diagnostics execution engine validates the signer of any diagnostic package and runs only those signed by trusted publishers. If you disable or do not configure this policy setting, the scripted diagnostics execution engine runs all digitally signed packages. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -245,7 +252,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md new file mode 100644 index 0000000000..f19401826c --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md @@ -0,0 +1,114 @@ +--- +title: Policy CSP - ADMX_sdiagschd +description: Policy CSP - ADMX_sdiagschd +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/17/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_sdiagschd + +
                  + + +## ADMX_sdiagschd policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
                  +
                  + ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy +
                  +
                  + + +
                  + + +**ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy determines whether scheduled diagnostics will run to proactively detect and resolve system problems. + +- If you enable this policy setting, you must choose an execution level. + +If you choose detection and troubleshooting only, Windows will periodically detect and troubleshoot problems. The user will be notified of the problem for interactive resolution. +If you choose detection, troubleshooting and resolution, Windows will resolve some of these problems silently without requiring user input. + +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve problems on a scheduled basis. + +If you do not configure this policy setting, local troubleshooting preferences will take precedence, as configured in the control panel. If no local troubleshooting preference is configured, scheduled diagnostics are enabled for detection, troubleshooting and resolution by default. No reboots or service restarts are required for this policy to take effect: changes take effect immediately. This policy setting will only take effect when the Task Scheduler service is in the running state. When the service is stopped or disabled, scheduled diagnostics will not be executed. The Task Scheduler service can be configured with the Services snap-in to the Microsoft Management Console. + + + + +ADMX Info: +- GP Friendly name: *Configure Scheduled Maintenance Behavior* +- GP name: *ScheduledDiagnosticsExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Scheduled Maintenance* +- GP ADMX file name: *sdiagschd.admx* + + + +
                  + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md index 7c06bd2059..20f174f66a 100644 --- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Securitycenter -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -36,28 +40,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -74,7 +84,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. The Security Center Control Panel category view also contains a status section, where the user can get recommendations to help increase the computer's security. When Security Center is not enabled on the domain, neither the notifications nor the Security Center status section are displayed. + This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. The Security Center Control Panel category view also contains a status section, where the user can get recommendations to help increase the computer's security. When Security Center is not enabled on the domain, neither the notifications nor the Security Center status section are displayed. Note that Security Center can only be turned off for computers that are joined to a Windows domain. When a computer is not joined to a Windows domain, the policy setting will have no effect. 
@@ -84,21 +94,9 @@ If you enable this policy setting, Security Center is turned on for all users. If you disable this policy setting, Security Center is turned off for domain members. -**Windows XP SP2** - -In Windows XP SP2, the essential security settings that are monitored by Security Center include firewall, antivirus, and Automatic Updates. Note that Security Center might not be available following a change to this policy setting until after the computer is restarted for Windows XP SP2 computers. - -**Windows Vista** - -In Windows Vista, this policy setting monitors essential security settings to include firewall, antivirus, antispyware, Internet security settings, User Account Control, and Automatic Updates. Windows Vista computers do not require a reboot for this policy setting to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -111,8 +109,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-sensors.md b/windows/client-management/mdm/policy-csp-admx-sensors.md index 47b29235a9..1287743ed4 100644 --- a/windows/client-management/mdm/policy-csp-admx-sensors.md +++ b/windows/client-management/mdm/policy-csp-admx-sensors.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Sensors -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -48,28 +52,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -86,19 +96,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off scripting for the location feature. +This policy setting turns off scripting for the location feature. If you enable this policy setting, scripts for the location feature will not run. If you disable or do not configure this policy setting, all location scripts will run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -117,28 +122,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -155,19 +166,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off scripting for the location feature. +This policy setting turns off scripting for the location feature. If you enable this policy setting, scripts for the location feature will not run. If you disable or do not configure this policy setting, all location scripts will run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -186,28 +192,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -224,19 +236,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the location feature for this computer. +This policy setting turns off the location feature for this computer. If you enable this policy setting, the location feature is turned off, and all programs on this computer are prevented from using location information from the location feature. If you disable or do not configure this policy setting, all programs on this computer will not be prevented from using location information from the location feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -255,28 +262,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -293,19 +306,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the sensor feature for this computer. +This policy setting turns off the sensor feature for this computer. If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature. If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -324,28 +332,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -362,19 +376,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the sensor feature for this computer. +This policy setting turns off the sensor feature for this computer. If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature. If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -387,7 +396,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-servermanager.md b/windows/client-management/mdm/policy-csp-admx-servermanager.md new file mode 100644 index 0000000000..2bdd21ec6f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-servermanager.md @@ -0,0 +1,341 @@ +--- +title: Policy CSP - ADMX_ServerManager +description: Policy CSP - ADMX_ServerManager +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/18/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ServerManager + +
                  + + +## ADMX_ServerManager policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
                  +
                  + ADMX_ServerManager/Do_not_display_Manage_Your_Server_page +
                  +
                  + ADMX_ServerManager/ServerManagerAutoRefreshRate +
                  +
                  + ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks +
                  +
                  + ADMX_ServerManager/DoNotLaunchServerManager +
                  +
                  + + +
                  + + +**ADMX_ServerManager/Do_not_display_Manage_Your_Server_page** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting allows you to turn off the automatic display of Server Manager at logon. + +- If you enable this policy setting, Server Manager is not displayed automatically when a user logs on to the server. + +- If you disable this policy setting, Server Manager is displayed automatically when a user logs on to the server. + +If you do not configure this policy setting, Server Manager is displayed when a user logs on to the server. However, if the "Do not show me this console at logon" (Windows Server 2008 and Windows Server 2008 R2) or “Do not start Server Manager automatically at logon” (Windows Server 2012) option is selected, the console is not displayed automatically at logon. + +> [!NOTE] +> Regardless of the status of this policy setting, Server Manager is available from the Start menu or the Windows taskbar. + + + + + +ADMX Info: +- GP Friendly name: *Do not display Server Manager automatically at logon* +- GP name: *Do_not_display_Manage_Your_Server_page* +- GP path: *System\Server Manager* +- GP ADMX file name: *ServerManager.admx* + + + +
                  + + + +**ADMX_ServerManager/ServerManagerAutoRefreshRate** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting allows you to set the refresh interval for Server Manager. Each refresh provides Server Manager with updated information about which roles and features are installed on servers that you are managing by using Server Manager. Server Manager also monitors the status of roles and features installed on managed servers. + +- If you enable this policy setting, Server Manager uses the refresh interval specified in the policy setting instead of the “Configure Refresh Interval” setting (in Windows Server 2008 and Windows Server 2008 R2), or the “Refresh the data shown in Server Manager every [x] [minutes/hours/days]” setting (in Windows Server 2012) that is configured in the Server Manager console. + +- If you disable this policy setting, Server Manager does not refresh automatically. If you do not configure this policy setting, Server Manager uses the refresh interval settings that are specified in the Server Manager console. + +> [!NOTE] +> The default refresh interval for Server Manager is two minutes in Windows Server 2008 and Windows Server 2008 R2, or 10 minutes in Windows Server 2012. + + + + + + +ADMX Info: +- GP Friendly name: *Configure the refresh interval for Server Manager* +- GP name: *ServerManagerAutoRefreshRate* +- GP path: *System\Server Manager* +- GP ADMX file name: *ServerManager.admx* + + + +
                  + + +**ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting allows you to turn off the automatic display of the Initial Configuration Tasks window at logon on Windows Server 2008 and Windows Server 2008 R2. + +- If you enable this policy setting, the Initial Configuration Tasks window is not displayed when an administrator logs on to the server. + +- If you disable this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server. + +If you do not configure this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server. However, if an administrator selects the "Do not show this window at logon" option, the window is not displayed on subsequent logons. + + + + + +ADMX Info: +- GP Friendly name: *Do not display Initial Configuration Tasks window automatically at logon* +- GP name: *DoNotLaunchInitialConfigurationTasks* +- GP path: *System\Server Manager* +- GP ADMX file name: *ServerManager.admx* + + + +
                  + + +**ADMX_ServerManager/DoNotLaunchServerManager** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting allows you to turn off the automatic display of the Manage Your Server page. + +- If you enable this policy setting, the Manage Your Server page is not displayed each time an administrator logs on to the server. + +- If you disable or do not configure this policy setting, the Manage Your Server page is displayed each time an administrator logs on to the server. + +However, if the administrator has selected the "Don’t display this page at logon" option at the bottom of the Manage Your Server page, the page is not displayed. + + + + + +ADMX Info: +- GP Friendly name: *Do not display Manage Your Server page at logon* +- GP name: *DoNotLaunchServerManager* +- GP path: *System\Server Manager* +- GP ADMX file name: *ServerManager.admx* + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-servicing.md b/windows/client-management/mdm/policy-csp-admx-servicing.md index c537254102..0cb2e868e9 100644 --- a/windows/client-management/mdm/policy-csp-admx-servicing.md +++ b/windows/client-management/mdm/policy-csp-admx-servicing.md @@ -13,8 +13,7 @@ manager: dansimp --- # Policy CSP - ADMX_Servicing -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +
                  @@ -36,28 +35,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -74,21 +79,16 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. +This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. -If you enable this policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling optional features that have had their payload files removed. You must enter the fully qualified path to the new location in the ""Alternate source file path"" text box. Multiple locations can be specified when each path is separated by a semicolon. +If you enable this policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling optional features that have had their payload files removed. You must enter the fully qualified path to the new location in the "Alternate source file path" text box. Multiple locations can be specified when each path is separated by a semicolon. The network location can be either a folder, or a WIM file. If it is a WIM file, the location should be specified by prefixing the path with “wim:” and include the index of the image to use in the WIM file. For example “wim:\\server\share\install.wim:3”. If you disable or do not configure this policy setting, or if the required files cannot be found at the locations specified in this policy setting, the files will be downloaded from Windows Update, if that is allowed by the policy settings for the computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. 
For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -101,8 +101,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-settingsync.md b/windows/client-management/mdm/policy-csp-admx-settingsync.md index 6f35209bce..692583b4eb 100644 --- a/windows/client-management/mdm/policy-csp-admx-settingsync.md +++ b/windows/client-management/mdm/policy-csp-admx-settingsync.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_SettingSync -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -60,28 +64,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -98,7 +108,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSync" group on the "sync your settings" page in PC settings. +Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSync" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "AppSync" group will not be synced. @@ -107,12 +117,7 @@ Use the option "Allow users to turn app syncing on" so that syncing it turned of If you do not set or disable this setting, syncing of the "AppSync" group is on by default and configurable by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -131,28 +136,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -169,7 +180,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevent the "app settings" group from syncing to and from this PC. This turns off and disables the "app settings" group on the "sync your settings" page in PC settings. +Prevent the "app settings" group from syncing to and from this PC. This turns off and disables the "app settings" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "app settings" group will not be synced. @@ -178,12 +189,7 @@ Use the option "Allow users to turn app settings syncing on" so that syncing it If you do not set or disable this setting, syncing of the "app settings" group is on by default and configurable by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -202,28 +208,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -240,7 +252,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevent the "passwords" group from syncing to and from this PC. This turns off and disables the "passwords" group on the "sync your settings" page in PC settings. +Prevent the "passwords" group from syncing to and from this PC. This turns off and disables the "passwords" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "passwords" group will not be synced. @@ -249,12 +261,7 @@ Use the option "Allow users to turn passwords syncing on" so that syncing it tur If you do not set or disable this setting, syncing of the "passwords" group is on by default and configurable by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -273,28 +280,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -311,7 +324,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevent the "desktop personalization" group from syncing to and from this PC. This turns off and disables the "desktop personalization" group on the "sync your settings" page in PC settings. +Prevent the "desktop personalization" group from syncing to and from this PC. This turns off and disables the "desktop personalization" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "desktop personalization" group will not be synced. @@ -320,12 +333,7 @@ Use the option "Allow users to turn desktop personalization syncing on" so that If you do not set or disable this setting, syncing of the "desktop personalization" group is on by default and configurable by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -344,28 +352,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -382,7 +396,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevent the "personalize" group from syncing to and from this PC. This turns off and disables the "personalize" group on the "sync your settings" page in PC settings. +Prevent the "personalize" group from syncing to and from this PC. This turns off and disables the "personalize" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "personalize" group will not be synced. @@ -391,12 +405,7 @@ Use the option "Allow users to turn personalize syncing on" so that syncing it t If you do not set or disable this setting, syncing of the "personalize" group is on by default and configurable by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -415,28 +424,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -453,7 +468,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings. +Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings. If you enable this policy setting, "sync your settings" will be turned off, and none of the "sync your setting" groups will be synced on this PC. @@ -462,12 +477,7 @@ Use the option "Allow users to turn syncing on" so that syncing it turned off by If you do not set or disable this setting, "sync your settings" is on by default and configurable by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -486,28 +496,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -524,7 +540,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Start layout" group on the "sync your settings" page in PC settings. +Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Start layout" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "Start layout" group will not be synced. @@ -533,12 +549,7 @@ Use the option "Allow users to turn start syncing on" so that syncing is turned If you do not set or disable this setting, syncing of the "Start layout" group is on by default and configurable by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -557,28 +568,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -595,19 +612,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevent syncing to and from this PC when on metered Internet connections. This turns off and disables "sync your settings on metered connections" switch on the "sync your settings" page in PC Settings. +Prevent syncing to and from this PC when on metered Internet connections. This turns off and disables "sync your settings on metered connections" switch on the "sync your settings" page in PC Settings. If you enable this policy setting, syncing on metered connections will be turned off, and no syncing will take place when this PC is on a metered connection. If you do not set or disable this setting, syncing on metered connections is configurable by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -626,28 +638,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -664,7 +682,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevent the "Other Windows settings" group from syncing to and from this PC. This turns off and disables the "Other Windows settings" group on the "sync your settings" page in PC settings. +Prevent the "Other Windows settings" group from syncing to and from this PC. This turns off and disables the "Other Windows settings" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "Other Windows settings" group will not be synced. @@ -673,12 +691,7 @@ Use the option "Allow users to turn other Windows settings syncing on" so that s If you do not set or disable this setting, syncing of the "Other Windows settings" group is on by default and configurable by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -691,7 +704,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md index cc867fb098..19a24d2480 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md +++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_SharedFolders -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -38,28 +42,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -76,7 +86,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS). +This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS). If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option to publish DFS roots as shared folders in AD DS . @@ -86,12 +96,7 @@ If you disable this policy setting, users cannot publish DFS roots in AD DS and > The default is to allow shared folders to be published when this setting is not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -111,28 +116,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -149,7 +160,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the user can publish shared folders in Active Directory Domain Services (AD DS). +This policy setting determines whether the user can publish shared folders in Active Directory Domain Services (AD DS). If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option in the Shared Folders snap-in to publish shared folders in AD DS. @@ -159,12 +170,7 @@ If you disable this policy setting, users cannot publish shared folders in AD DS > The default is to allow shared folders to be published when this setting is not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -177,8 +183,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-sharing.md b/windows/client-management/mdm/policy-csp-admx-sharing.md index b7e9e8ddaa..27536d9679 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharing.md +++ b/windows/client-management/mdm/policy-csp-admx-sharing.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Sharing -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -35,28 +39,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -73,19 +83,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile. +This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile. If you enable this policy setting, users cannot share files within their profile using the sharing wizard. Also, the sharing wizard cannot create a share at %root%\users and can only be used to create SMB shares on folders. If you disable or don't configure this policy setting, users can share files out of their user profile after an administrator has opted in the computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -98,7 +103,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md index 7d8f85894f..1214046238 100644 --- a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md +++ b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md @@ -7,29 +7,34 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 09/21/2020 +ms.date: 09/18/2020 ms.reviewer: manager: dansimp --- # Policy CSP - ADMX_ShellCommandPromptRegEditTools -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
                  ## ADMX_ShellCommandPromptRegEditTools policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
                  - ADMX_ShellCommandPromptRegEditTools/DisableCMD + ADMX_ShellCommandPromptRegEditTools/DisallowApps
                  ADMX_ShellCommandPromptRegEditTools/DisableRegedit
                  - ADMX_ShellCommandPromptRegEditTools/DisallowApps + ADMX_ShellCommandPromptRegEditTools/DisableCMD
                  ADMX_ShellCommandPromptRegEditTools/RestrictApps @@ -40,33 +45,39 @@ manager: dansimp
                  -**ADMX_ShellCommandPromptRegEditTools/DisableCMD** +**ADMX_ShellCommandPromptRegEditTools/DisallowApps** - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -83,62 +94,67 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. +This policy setting prevents users from running the interactive command prompt, Cmd.exe. + +This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. -If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action. - -If you disable this policy setting or do not configure it, users can run Cmd.exe and batch files normally. +- If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action. . +- If you disable this policy setting or do not configure it, users can run Cmd.exe and batch files normally. + > [!NOTE] > Do not prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Remote Desktop Services. + -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ ADMX Info: - GP Friendly name: *Prevent access to the command prompt* -- GP name: *DisableCMD* +- GP name: *DisallowApps* - GP path: *System* -- GP ADMX file name: *Shell-CommandPrompt-RegEditTools.admx* +- GP ADMX file name: *ShellCommandPromptRegEditTools.admx*
                  + **ADMX_ShellCommandPromptRegEditTools/DisableRegedit** - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
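Review bot: The `GP name` line under the "Prevent access to the command prompt" text changes from `*DisableCMD*` to `*DisallowApps*`, so the policy name no longer matches the behaviour described; the heading in the preceding hunk is renamed the same way. Later hunks continue the mix-up: `@@ -227,32 +243,27 @@` puts `DisableCMD` on the "Run only specified Windows applications" (allow-list) text, and `@@ -302,39 +319,31 @@` leaves `RestrictApps` on the "Don't run specified Windows applications" (deny-list) text. An administrator who deploys by policy name from this page would apply a different control from the one described, and the allow-list/deny-list swap inverts the effect of the application list. The removed lines had a self-consistent mapping, so I would keep `- GP name: *DisableCMD*` here and leave `DisallowApps` and `RestrictApps` on their original descriptions, then confirm against the ADMX file. The `GP path` change to `*System\Server Manager*` for DisableRegedit in `@@ -155,62 +171,62 @@` also looks unintended, since the sibling policies stay under `*System*`.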
                  @@ -155,62 +171,62 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Disables the Windows registry editor Regedit.exe. +This policy setting disables the Windows registry editor Regedit.exe. -If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action. +- If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action. -If you disable this policy setting or do not configure it, users can run Regedit.exe normally. +- If you disable this policy setting or do not configure it, users can run Regedit.exe normally. To prevent users from using other administrative tools, use the "Run only specified Windows applications" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: - GP Friendly name: *Prevent access to registry editing tools* - GP name: *DisableRegedit* -- GP path: *System* -- GP ADMX file name: *Shell-CommandPrompt-RegEditTools.admx* +- GP path: *System\Server Manager* +- GP ADMX file name: *ShellCommandPromptRegEditTools.admx* -
                  -**ADMX_ShellCommandPromptRegEditTools/DisallowApps** +**ADMX_ShellCommandPromptRegEditTools/DisableCMD** - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -227,32 +243,27 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Windows from running the programs you specify in this policy setting. +This policy setting limits the Windows programs that users have permission to run on the computer. -If you enable this policy setting, users cannot run programs that you add to the list of disallowed applications. +- If you enable this policy setting, users can only run programs that you add to the list of allowed applications. -If you disable this policy setting or do not configure it, users can run any programs. +- If you disable this policy setting or do not configure it, users can run all applications. This policy setting only prevents users from running programs that are started by the File Explorer process. -This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer. +It does not prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer. -> [!NOTE] -> Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. -> To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (for example, Winword.exe, Poledit.exe, Powerpnt.exe). 
+Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. + +To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP Friendly name: *Don't run specified Windows applications* -- GP name: *DisallowApps* +- GP Friendly name: *Run only specified Windows applications* +- GP name: *DisableCMD* - GP path: *System* -- GP ADMX file name: *Shell-CommandPrompt-RegEditTools.admx* +- GP ADMX file name: *ShellCommandPromptRegEditTools.admx* @@ -264,28 +275,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -302,39 +319,31 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Limits the Windows programs that users have permission to run on the computer. +This policy setting prevents Windows from running the programs you specify in this policy setting. -If you enable this policy setting, users can only run programs that you add to the list of allowed applications. +- If you enable this policy setting, users cannot run programs that you add to the list of disallowed applications. -If you disable this policy setting or do not configure it, users can run all applications. +- If you disable this policy setting or do not configure it, users can run any programs. -This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer. +This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer. + +Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. + +To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe). 
-> [!NOTE] -> Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. -> To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (for example, Winword.exe, Poledit.exe, Powerpnt.exe). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP Friendly name: *Run only specified Windows applications* +- GP Friendly name: *Don't run specified Windows applications* - GP name: *RestrictApps* - GP path: *System* -- GP ADMX file name: *Shell-CommandPrompt-RegEditTools.admx* +- GP ADMX file name: *ShellCommandPromptRegEditTools.admx* -
                  - -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-skydrive.md b/windows/client-management/mdm/policy-csp-admx-skydrive.md deleted file mode 100644 index 72c1b9ab34..0000000000 --- a/windows/client-management/mdm/policy-csp-admx-skydrive.md +++ /dev/null @@ -1,108 +0,0 @@ ---- -title: Policy CSP - ADMX_SkyDrive -description: Policy CSP - ADMX_SkyDrive -ms.author: dansimp -ms.localizationpriority: medium -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 12/08/2020 -ms.reviewer: -manager: dansimp ---- - -# Policy CSP - ADMX_SkyDrive -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - -
                  - - -## ADMX_SkyDrive policies - -
                  -
                  - ADMX_SkyDrive/PreventNetworkTrafficPreUserSignIn -
                  -
                  - - -
                  - - -**ADMX_SkyDrive/PreventNetworkTrafficPreUserSignIn** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  - - -
                  - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Available in the latest Windows 10 Insider Preview Build. Enable this setting to prevent the OneDrive sync client (OneDrive.exe) from generating network traffic (checking for updates, etc.) until the user signs in to OneDrive or starts syncing files to the local computer. - -If you enable this setting, users must sign in to the OneDrive sync client on the local computer, or select to sync OneDrive or SharePoint files on the computer, for the sync client to start automatically. - -If this setting is not enabled, the OneDrive sync client will start automatically when users sign in to Windows. - -If you enable or disable this setting, do not return the setting to Not Configured. Doing so will not change the configuration and the last configured setting will remain in effect. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Prevent OneDrive from generating network traffic until the user signs in to OneDrive* -- GP name: *PreventNetworkTrafficPreUserSignIn* -- GP path: *Windows Components\OneDrive* -- GP ADMX file name: *SkyDrive.admx* - - - -
                  - -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - - - diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md index 3b4ac39e4f..e2c62d296b 100644 --- a/windows/client-management/mdm/policy-csp-admx-smartcard.md +++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Smartcard -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -81,28 +85,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -119,7 +129,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon. +This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon. In versions of Windows prior to Windows Vista, smart card certificates that are used for logon require an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction. @@ -132,12 +142,7 @@ If you enable this policy setting, certificates with the following attributes ca If you disable or do not configure this policy setting, only certificates that contain the smart card logon object identifier can be used to log on with a smart card. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -156,28 +161,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -194,7 +205,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI). +This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI). In order to use the integrated unblock feature your smart card must support this feature. Please check with your hardware manufacturer to see if your smart card supports this feature. @@ -203,12 +214,7 @@ If you enable this policy setting, the integrated unblock feature will be availa If you disable or do not configure this policy setting then the integrated unblock feature will not be available. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -227,28 +233,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -265,19 +277,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you allow signature key-based certificates to be enumerated and available for logon. +This policy setting lets you allow signature key-based certificates to be enumerated and available for logon. If you enable this policy setting then any certificates available on the smart card with a signature only key will be listed on the logon screen. If you disable or do not configure this policy setting, any available smart card signature key-based certificates will not be listed on the logon screen. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -296,28 +303,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -334,7 +347,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid. +This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid. Under previous versions of Microsoft Windows, certificates were required to contain a valid time and not be expired. The certificate must still be accepted by the domain controller in order to be used. This setting only controls the displaying of the certificate on the client machine. @@ -343,12 +356,7 @@ If you enable this policy setting certificates will be listed on the logon scree If you disable or do not configure this policy setting, certificates which are expired or not yet valid will not be listed on the logon screen. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -367,28 +375,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -405,19 +419,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. +This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. If you enable or do not configure this policy setting then certificate propagation will occur when you insert your smart card. If you disable this policy setting, certificate propagation will not occur and the certificates will not be made available to applications such as Outlook. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -436,28 +445,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -474,15 +489,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the cleanup behavior of root certificates. If you enable this policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then root certificate cleanup will occur on logoff. +This policy setting allows you to manage the cleanup behavior of root certificates. If you enable this policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then root certificate cleanup will occur on logoff. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -501,28 +511,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -539,7 +555,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. +This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart card. @@ -549,12 +565,7 @@ If you enable or do not configure this policy setting then root certificate prop If you disable this policy setting then root certificates will not be propagated from the smart card. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -573,28 +584,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -611,7 +628,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents plaintext PINs from being returned by Credential Manager. +This policy setting prevents plaintext PINs from being returned by Credential Manager. If you enable this policy setting, Credential Manager does not return a plaintext PIN. @@ -621,12 +638,7 @@ If you disable or do not configure this policy setting, plaintext PINs can be re > Enabling this policy setting could prevent certain smart cards from working on Windows. Please consult your smart card manufacturer to find out whether you will be affected by this policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -645,28 +657,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -683,7 +701,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain. +This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain. If you enable this policy setting, ECC certificates on a smart card can be used to log on to a domain. @@ -693,12 +711,7 @@ If you disable or do not configure this policy setting, ECC certificates on a sm > This policy setting only affects a user's ability to log on to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting. > If you use an ECDSA key to log on, you must also have an associated ECDH key to permit logons when you are not connected to the network. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -717,28 +730,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -755,7 +774,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you configure if all your valid logon certificates are displayed. +This policy setting lets you configure if all your valid logon certificates are displayed. During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusion as to which certificate to select for logon. The common case for this behavior is when a certificate is renewed and the old one has not yet expired. Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (determined by their UPN). @@ -769,12 +788,7 @@ If you enable or do not configure this policy setting, filtering will take place If you disable this policy setting, no filtering will take place. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -793,28 +807,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -831,7 +851,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the reading of all certificates from the smart card for logon. +This policy setting allows you to manage the reading of all certificates from the smart card for logon. During logon Windows will by default only read the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This setting forces Windows to read all the certificates from the card. This can introduce a significant performance decrease in certain situations. Please contact your smart card vendor to determine if your smart card and associated CSP supports the required behavior. @@ -840,12 +860,7 @@ If you enable this setting, then Windows will attempt to read all certificates f If you disable or do not configure this setting, Windows will only attempt to read the default certificate from those cards that do not support retrieval of all certificates in a single call. Certificates other than the default will not be available for logon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -864,28 +879,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -902,7 +923,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the displayed message when a smart card is blocked. +This policy setting allows you to manage the displayed message when a smart card is blocked. If you enable this policy setting, the specified message will be displayed to the user when the smart card is blocked. @@ -912,12 +933,7 @@ If you enable this policy setting, the specified message will be displayed to th If you disable or do not configure this policy setting, the default message will be displayed to the user when the smart card is blocked, if the integrated unblock feature is enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -936,28 +952,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -974,7 +996,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon. +This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon. By default the user principal name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com." If the UPN is not present then the entire subject name will be displayed. This setting controls the appearance of that subject name and might need to be adjusted per organization. @@ -983,12 +1005,7 @@ If you enable this policy setting or do not configure this setting, then the sub If you disable, the subject name will be displayed as it appears in the certificate. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1007,28 +1024,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1045,7 +1068,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether Smart Card Plug and Play is enabled. +This policy setting allows you to control whether Smart Card Plug and Play is enabled. If you enable or do not configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time. @@ -1055,12 +1078,7 @@ If you disable this policy setting, Smart Card Plug and Play will be disabled an > This policy setting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1079,28 +1097,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1117,7 +1141,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed. +This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed. If you enable or do not configure this policy setting, a confirmation message will be displayed when a smart card device driver is installed. @@ -1127,12 +1151,7 @@ If you disable this policy setting, a confirmation message will not be displayed > This policy setting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1151,28 +1170,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1189,19 +1214,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user. +This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user. If you enable this policy setting then an optional field that allows a user to enter their user name or user name and domain will be displayed. If you disable or do not configure this policy setting, an optional field that allows users to enter their user name or user name and domain will not be displayed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1214,8 +1234,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md index 62a6c6c8e5..137707b5b7 100644 --- a/windows/client-management/mdm/policy-csp-admx-snmp.md +++ b/windows/client-management/mdm/policy-csp-admx-snmp.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Snmp -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -42,28 +46,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -80,7 +90,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service. +This policy setting configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service. SNMP is a protocol designed to give a user the capability to remotely manage a computer network, by polling and setting terminal values and monitoring network events. @@ -99,12 +109,7 @@ Best practice: For security purposes, it is recommended to restrict the HKLM\SOF Also, see the other two SNMP settings: "Specify permitted managers" and "Specify trap configuration". -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -123,28 +128,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -161,7 +172,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer. +This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer. Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events. @@ -179,12 +190,7 @@ Best practice: For security purposes, it is recommended to restrict the HKLM\SOF Also, see the other two SNMP policy settings: "Specify trap configuration" and "Specify Community Name". -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -203,28 +209,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -241,7 +253,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) agent. +This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) agent. Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events. @@ -257,12 +269,7 @@ If you disable or do not configure this policy setting, the SNMP service takes t Also, see the other two SNMP settings: "Specify permitted managers" and "Specify Community Name". -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -275,8 +282,7 @@ ADMX Info:
-> [!NOTE]
-> These policies are currently only available as part of a Windows Insider release.
+
diff --git a/windows/client-management/mdm/policy-csp-admx-soundrec.md b/windows/client-management/mdm/policy-csp-admx-soundrec.md
new file mode 100644
index 0000000000..8e63a59f12
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-soundrec.md
@@ -0,0 +1,181 @@
+---
+title: Policy CSP - ADMX_SoundRec
+description: Policy CSP - ADMX_SoundRec
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/01/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_SoundRec
+
+
+
+
+## ADMX_SoundRec policies
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
                  +
                  + ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1 +
                  +
                  + ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2 +
                  +
                  + + +
                  + + +**ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+This policy specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file.
+
+If you enable this policy setting, Sound Recorder will not run.
+
+If you disable or do not configure this policy setting, Sound Recorder can be run.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Do not allow Sound Recorder to run*
+- GP name: *Soundrec_DiableApplication_TitleText_1*
+- GP path: *Windows Components\Sound Recorder*
+- GP ADMX file name: *SettingSync.admx*
+
+
+
+
                  + + + +**ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+This policy specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file.
+
+If you enable this policy setting, Sound Recorder will not run.
+
+If you disable or do not configure this policy setting, Sound Recorder can be run.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Do not allow Sound Recorder to run*
+- GP name: *Soundrec_DiableApplication_TitleText_2*
+- GP path: *Windows Components\Sound Recorder*
+- GP ADMX file name: *SettingSync.admx*
+
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-srmfci.md b/windows/client-management/mdm/policy-csp-admx-srmfci.md
new file mode 100644
index 0000000000..ade211ea40
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-srmfci.md
@@ -0,0 +1,180 @@
+---
+title: Policy CSP - ADMX_srmfci
+description: Policy CSP - ADMX_srmfci
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 09/18/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_srmfci
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
+
+## ADMX_srmfci policies
+
+
                  +
                  + ADMX_srmfci/EnableShellAccessCheck +
                  +
                  + ADMX_srmfci/AccessDeniedConfiguration +
                  +
                  + + +
                  + + +**ADMX_srmfci/EnableShellAccessCheck** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all file types.
+
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable access-denied assistance on client for all file types*
+- GP name: *EnableShellAccessCheck*
+- GP path: *System\Access-Denied Assistance*
+- GP ADMX file name: *srmfci.admx*
+
+
+
+
                  + + +**ADMX_srmfci/AccessDeniedConfiguration** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting specifies the message that users see when they are denied access to a file or folder. You can customize the Access Denied message to include additional text and links. You can also provide users with the ability to send an email to request access to the file or folder to which they were denied access.
+
+If you enable this policy setting, users receive a customized Access Denied message from the file servers on which this policy setting is applied.
+
+If you disable this policy setting, users see a standard Access Denied message that doesn't provide any of the functionality controlled by this policy setting, regardless of the file server configuration.
+
+If you do not configure this policy setting, users see a standard Access Denied message unless the file server is configured to display the customized Access Denied message. By default, users see the standard Access Denied message.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Customize message for Access Denied errors*
+- GP name: *AccessDeniedConfiguration*
+- GP path: *System\Access-Denied Assistance*
+- GP ADMX file name: *srmfci.admx*
+
+
+
+
                  + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md index e108cbcee6..3fbbcf654d 100644 --- a/windows/client-management/mdm/policy-csp-admx-startmenu.md +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_StartMenu -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -234,28 +238,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -272,19 +282,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. If you enable this policy, a "Search the Internet" link is shown when the user performs a search in the start menu search box. This button launches the default browser with the search terms. +If you enable this policy, a "Search the Internet" link is shown when the user performs a search in the start menu search box. This button launches the default browser with the search terms. If you disable this policy, there will not be a "Search the Internet" link when the user performs a search in the start menu search box. If you do not configure this policy (default), there will not be a "Search the Internet" link on the start menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -303,28 +308,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -341,7 +352,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Clear history of recently opened documents on exit. +Clear history of recently opened documents on exit. If you enable this setting, the system deletes shortcuts to recently used document files when the user logs off. As a result, the Recent Items menu on the Start menu is always empty when the user logs on. In addition, recently and frequently used items in the Jump Lists off of programs in the Start Menu and Taskbar will be cleared when the user logs off. @@ -359,12 +370,7 @@ This policy setting also does not hide document shortcuts displayed in the Open This policy also does not clear items that the user may have pinned to the Jump Lists, or Tasks that the application has provided for their menu. See the "Do not allow pinning items in Jump Lists" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -383,28 +389,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -421,17 +433,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting, the recent programs list in the start menu will be blank for each new user. +If you enable this policy setting, the recent programs list in the start menu will be blank for each new user. If you disable or do not configure this policy, the start menu recent programs list will be pre-populated with programs for each new user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -450,28 +457,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -488,19 +501,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the system deletes tile notifications when the user logs on. As a result, the Tiles in the start view will always show their default content when the user logs on. In addition, any cached versions of these notifications will be cleared when the user logs on. +If you enable this setting, the system deletes tile notifications when the user logs on. As a result, the Tiles in the start view will always show their default content when the user logs on. In addition, any cached versions of these notifications will be cleared when the user logs on. If you disable or do not configure this setting, the system retains notifications, and when a user logs on, the tiles appear just as they did when the user logged off, including the history of previous notifications for each tile. This setting does not prevent new notifications from appearing. See the "Turn off Application Notifications" setting to prevent new notifications. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -519,28 +527,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -557,19 +571,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows desktop apps to be listed first in the Apps view in Start. +This policy setting allows desktop apps to be listed first in the Apps view in Start. If you enable this policy setting, desktop apps would be listed first when the apps are sorted by category in the Apps view. The other sorting options would continue to be available and the user could choose to change their default sorting options. If you disable or don't configure this policy setting, the desktop apps won't be listed first when the apps are sorted by category, and the user can configure this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -588,28 +597,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -626,7 +641,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the user from searching apps, files, settings (and the web if enabled) when the user searches from the Apps view. +This policy setting prevents the user from searching apps, files, settings (and the web if enabled) when the user searches from the Apps view. This policy setting is only applied when the Apps view is set as the default view for Start. @@ -635,12 +650,7 @@ If you enable this policy setting, searching from the Apps view will only search If you disable or don’t configure this policy setting, the user can configure this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -659,28 +669,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -697,7 +713,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy only applies to the classic version of the start menu and does not affect the new style start menu. +This policy only applies to the classic version of the start menu and does not affect the new style start menu. Adds the "Log Off ``" item to the Start menu and prevents users from removing it. @@ -707,17 +723,13 @@ If you disable this setting or do not configure it, users can use the Display Lo This setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del. -Note: To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab, and then, in the Start Menu Settings box, click Display Logoff. +> [!NOTE] +> To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab, and then, in the Start Menu Settings box, click Display Logoff. Also, see "Remove Logoff" in User Configuration\Administrative Templates\System\Logon/Logoff. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -736,28 +748,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -774,7 +792,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to go to the desktop instead of the Start screen when they sign in. +This policy setting allows users to go to the desktop instead of the Start screen when they sign in. If you enable this policy setting, users will always go to the desktop when they sign in. @@ -783,12 +801,7 @@ If you disable this policy setting, users will always go to the Start screen whe If you don’t configure this policy setting, the default setting for the user’s device will be used, and the user can choose to change it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -807,28 +820,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -845,7 +864,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Displays Start menu shortcuts to partially installed programs in gray text. +Displays Start menu shortcuts to partially installed programs in gray text. This setting makes it easier for users to distinguish between programs that are fully installed and those that are only partially installed. @@ -857,12 +876,7 @@ If you disable this setting or do not configure it, all Start menu shortcuts app > Enabling this setting can make the Start menu slow to open. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -881,28 +895,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -919,19 +939,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from performing the following commands from the Windows security screen, the logon screen, and the Start menu: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. +This policy setting prevents users from performing the following commands from the Windows security screen, the logon screen, and the Start menu: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. If you enable this policy setting, the shutdown, restart, sleep, and hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE, and from the logon screen. If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security and logon screens is also available. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -950,28 +965,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -988,7 +1009,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Disables personalized menus. +Disables personalized menus. Windows personalizes long menus by moving recently used items to the top of the menu and hiding items that have not been used recently. Users can display the hidden items by clicking an arrow to extend the menu. @@ -1000,12 +1021,7 @@ If you enable this setting, the system does not personalize menus. All menu item To Turn off personalized menus without specifying a setting, click Start, click Settings, click Taskbar and Start Menu, and then, on the General tab, clear the "Use Personalized Menus" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1024,28 +1040,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1062,7 +1084,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting affects the taskbar, which is used to switch between running applications. +This setting affects the taskbar, which is used to switch between running applications. The taskbar includes the Start button, list of currently running tasks, and the notification area. By default, the taskbar is located at the bottom of the screen, but it can be dragged to any side of the screen. When it is locked, it cannot be moved or resized. @@ -1074,12 +1096,7 @@ If you disable this setting or do not configure it, the user can configure the t > Enabling this setting also locks the QuickLaunch bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked, and the user cannot show and hide various toolbars using the taskbar context menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1098,28 +1115,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1136,19 +1159,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets users run a 16-bit program in a dedicated (not shared) Virtual DOS Machine (VDM) process. +This policy setting lets users run a 16-bit program in a dedicated (not shared) Virtual DOS Machine (VDM) process. All DOS and 16-bit programs run on Windows 2000 Professional and Windows XP Professional in the Windows Virtual DOS Machine program. VDM simulates a 16-bit environment, complete with the DLLs required by 16-bit programs. By default, all 16-bit programs run as threads in a single, shared VDM process. As such, they share the memory space allocated to the VDM process and cannot run simultaneously. Enabling this setting adds a check box to the Run dialog box, giving users the option of running a 16-bit program in its own dedicated NTVDM process. The additional check box is enabled only when a user enters a 16-bit program in the Run dialog box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1167,28 +1185,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1205,7 +1229,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting affects the notification area, also called the "system tray." +This setting affects the notification area, also called the "system tray." The notification area is located in the task bar, generally at the bottom of the screen, and it includes the clock and current notifications. This setting determines whether the items are always expanded or always collapsed. By default, notifications are collapsed. The notification cleanup << icon can be referred to as the "notification chevron." @@ -1216,12 +1240,7 @@ If you disable this setting, the system notification area will always collapse n If you do not configure it, the user can choose if they want notifications collapsed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1240,28 +1259,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1278,7 +1303,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Hides pop-up text on the Start menu and in the notification area. +Hides pop-up text on the Start menu and in the notification area. When you hold the cursor over an item on the Start menu or in the notification area, the system displays pop-up text providing additional information about the object. @@ -1287,12 +1312,7 @@ If you enable this setting, some of this pop-up text is not displayed. The pop-u If you disable this setting or do not configure it, all pop-up text is displayed on the Start menu and in the notification area. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1311,28 +1331,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1349,19 +1375,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from changing their Start screen layout. +This policy setting allows you to prevent users from changing their Start screen layout. If you enable this setting, you will prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customize mode and rearranging tiles within Start and Apps. If you disable or do not configure this setting, you will allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode and rearrange tiles within Start and Apps. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1380,28 +1401,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1418,7 +1445,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from performing the following commands from the Start menu or Windows Security screen: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. +This policy setting prevents users from performing the following commands from the Start menu or Windows Security screen: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. If you enable this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE. @@ -1428,12 +1455,7 @@ If you disable or do not configure this policy setting, the Power button and the > Third-party programs certified as compatible with Microsoft Windows Vista, Windows XP SP2, Windows XP SP1, Windows XP, or Windows 2000 Professional are required to support this policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1452,28 +1474,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1490,19 +1518,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes items in the All Users profile from the Programs menu on the Start menu. +Removes items in the All Users profile from the Programs menu on the Start menu. By default, the Programs menu contains items from the All Users profile and items from the user's profile. If you enable this setting, only items in the user's profile appear in the Programs menu. To see the Program menu items in the All Users profile, on the system drive, go to ProgramData\Microsoft\Windows\Start Menu\Programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1521,28 +1544,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1559,7 +1588,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from adding the Favorites menu to the Start menu or classic Start menu. +Prevents users from adding the Favorites menu to the Start menu or classic Start menu. If you enable this setting, the Display Favorites item does not appear in the Advanced Start menu options box. @@ -1573,12 +1602,7 @@ If you disable or do not configure this setting, the Display Favorite item is av > This setting only affects the Start menu. The Favorites item still appears in File Explorer and in Internet Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1597,28 +1621,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1635,11 +1665,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Search link from the Start menu, and disables some File Explorer search elements. Note that this does not remove the search box from the new style Start menu. +This policy setting allows you to remove the Search link from the Start menu, and disables some File Explorer search elements. Note that this does not remove the search box from the new style Start menu. If you enable this policy setting, the Search item is removed from the Start menu and from the context menu that appears when you right-click the Start menu. Also, the system does not respond when users press the Application key (the key with the Windows logo)+ F. -Note: Enabling this policy setting also prevents the user from using the F3 key. +> [!NOTE] +> Enabling this policy setting also prevents the user from using the F3 key. In File Explorer, the Search item still appears on the Standard buttons toolbar, but the system does not respond when the user presses Ctrl+F. Also, Search does not appear in the context menu when you right-click an icon representing a drive or a folder. 
@@ -1648,12 +1679,7 @@ This policy setting affects the specified user interface elements only. It does If you disable or do not configure this policy setting, the Search link is available from the Start menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1672,28 +1698,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1710,17 +1742,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy the start menu will not show a link to the Games folder. +If you enable this policy the start menu will not show a link to the Games folder. If you disable or do not configure this policy, the start menu will show a link to the Games folder, unless the user chooses to remove it in the start menu control panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1739,28 +1766,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1777,7 +1810,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Help command from the Start menu. +This policy setting allows you to remove the Help command from the Start menu. If you enable this policy setting, the Help command is removed from the Start menu. @@ -1786,12 +1819,7 @@ If you disable or do not configure this policy setting, the Help command is avai This policy setting only affects the Start menu. It does not remove the Help menu from File Explorer and does not prevent users from running Help. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1810,28 +1838,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1848,23 +1882,18 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off user tracking. +This policy setting allows you to turn off user tracking. If you enable this policy setting, the system does not track the programs that the user runs, and does not display frequently used programs in the Start Menu. If you disable or do not configure this policy setting, the system tracks the programs that the user runs. The system uses this information to customize Windows features, such as showing frequently used programs in the Start Menu. -Also, see these related policy settings: "Remove frequent programs liist from the Start Menu" and "Turn off personalized menus". +Also, see these related policy settings: "Remove frequent programs list from the Start Menu" and "Turn off personalized menus". This policy setting does not prevent users from pinning programs to the Start Menu or Taskbar. See the "Remove pinned programs list from the Start Menu" and "Do not allow pinning programs to the Taskbar" policy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1883,28 +1912,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1922,7 +1957,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu. +If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu. Selecting "Collapse" will not display the app list next to the pinned tiles in Start. An "All apps" button will be displayed on Start to open the all apps list. This is equivalent to setting the "Show app list in Start" in Settings to Off. @@ -1933,12 +1968,7 @@ Selecting "Remove and disable setting" will remove the all apps list from Start If you disable or do not configure this setting, the all apps list will be visible by default, and the user can change "Show app list in Start" in Settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1957,28 +1987,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1995,7 +2031,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove Network Connections from the Start Menu. +This policy setting allows you to remove Network Connections from the Start Menu. If you enable this policy setting, users are prevented from running Network Connections. @@ -2008,12 +2044,7 @@ If you disable or do not configure this policy setting, Network Connections is a Also, see the "Disable programs on Settings menu" and "Disable Control Panel" policy settings and the policy settings in the Network Connections folder (Computer Configuration and User Configuration\Administrative Templates\Network\Network Connections). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2032,28 +2063,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2070,19 +2107,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users cannot pin programs to the Start menu. +If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users cannot pin programs to the Start menu. In Windows XP and Windows Vista, the Internet and email checkboxes are removed from the 'Customize Start Menu' dialog. If you disable this setting or do not configure it, the "Pinned Programs" list remains on the Start menu. Users can pin and unpin programs in the Start Menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2101,28 +2133,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2139,7 +2177,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Recent Items menu from the Start menu. Removes the Documents menu from the classic Start menu. +Removes the Recent Items menu from the Start menu. Removes the Documents menu from the classic Start menu. The Recent Items menu contains links to the non-program files that users have most recently opened. It appears so that users can easily reopen their documents. @@ -2157,12 +2195,7 @@ If the setting is not configured, users can turn the Recent Items menu on and of This setting also does not hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2181,28 +2214,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2219,7 +2258,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the system from conducting a comprehensive search of the target drive to resolve a shortcut. +This policy setting prevents the system from conducting a comprehensive search of the target drive to resolve a shortcut. If you enable this policy setting, the system does not conduct the final drive search. It just displays a message explaining that the file is not found. @@ -2231,12 +2270,7 @@ If you disable or do not configure this policy setting, by default, when the sys Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use the tracking-based method when resolving shell shortcuts" policy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2255,28 +2289,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2293,7 +2333,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the system from using NTFS tracking features to resolve a shortcut. +This policy setting prevents the system from using NTFS tracking features to resolve a shortcut. If you enable this policy setting, the system does not try to locate the file by using its file ID. It skips this step and begins a comprehensive search of the drive specified in the target path. @@ -2304,12 +2344,7 @@ If you disable or do not configure this policy setting, by default, when the sys Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use the search-based method when resolving shell shortcuts" policy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2328,28 +2363,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2366,7 +2407,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. +Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. If you enable this setting, the following changes occur: @@ -2392,12 +2433,7 @@ If you disable or do not configure this setting, users will be able to access th > It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2416,28 +2452,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2454,7 +2496,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Default Programs link from the Start menu. +This policy setting allows you to remove the Default Programs link from the Start menu. If you enable this policy setting, the Default Programs link is removed from the Start menu. @@ -2466,12 +2508,7 @@ If you disable or do not configure this policy setting, the Default Programs lin > This policy setting does not prevent the Set Default Programs for This Computer option from appearing in the Default Programs control panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2490,28 +2527,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2528,7 +2571,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Documents icon from the Start menu and its submenus. +This policy setting allows you to remove the Documents icon from the Start menu and its submenus. If you enable this policy setting, the Documents icon is removed from the Start menu and its submenus. Enabling this policy setting only removes the icon. It does not prevent the user from using other methods to gain access to the contents of the Documents folder. @@ -2540,12 +2583,7 @@ If you disable or do not configure this policy setting, he Documents icon is ava Also, see the "Remove Documents icon on the desktop" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2564,28 +2602,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2602,19 +2646,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Music icon from Start Menu. +This policy setting allows you to remove the Music icon from Start Menu. If you enable this policy setting, the Music icon is no longer available from Start Menu. If you disable or do not configure this policy setting, the Music icon is available from Start Menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2633,28 +2672,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2671,19 +2716,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build.This policy setting allows you to remove the Network icon from Start Menu. +This policy setting allows you to remove the Network icon from Start Menu. If you enable this policy setting, the Network icon is no longer available from Start Menu. If you disable or do not configure this policy setting, the Network icon is available from Start Menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2702,28 +2742,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2740,19 +2786,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Pictures icon from Start Menu. +This policy setting allows you to remove the Pictures icon from Start Menu. If you enable this policy setting, the Pictures icon is no longer available from Start Menu. If you disable or do not configure this policy setting, the Pictures icon is available from Start Menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2771,28 +2812,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2809,17 +2856,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy the start menu search box will not search for communications. +If you enable this policy the start menu search box will not search for communications. If you disable or do not configure this policy, the start menu will search for communications, unless the user chooses not to in the start menu control panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2838,28 +2880,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2876,17 +2924,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy, the "See all results" link will not be shown when the user performs a search in the start menu search box. +If you enable this policy, the "See all results" link will not be shown when the user performs a search in the start menu search box. If you disable or do not configure this policy, the "See all results" link will be shown when the user performs a search in the start menu search box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2905,28 +2948,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2943,17 +2992,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. +If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. If you disable or do not configure this policy, a "See more results" link will be shown when the user performs a search in the start menu search box. If a 3rd party protocol handler is installed, a "Search Everywhere" link will be shown instead of the "See more results" link. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2972,28 +3016,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3010,17 +3060,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting the Start menu search box will not search for files. +If you enable this policy setting the Start menu search box will not search for files. If you disable or do not configure this policy setting, the Start menu will search for files, unless the user chooses not to do so directly in Control Panel. If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3039,28 +3084,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3077,17 +3128,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy the start menu search box will not search for internet history or favorites. +If you enable this policy the start menu search box will not search for internet history or favorites. If you disable or do not configure this policy, the start menu will search for for internet history or favorites, unless the user chooses not to in the start menu control panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3106,28 +3152,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3144,17 +3196,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting the Start menu search box will not search for programs or Control Panel items. +If you enable this policy setting the Start menu search box will not search for programs or Control Panel items. If you disable or do not configure this policy setting, the Start menu search box will search for programs and Control Panel items, unless the user chooses not to do so directly in Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3173,28 +3220,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3211,7 +3264,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove programs on Settings menu. +This policy setting allows you to remove programs on Settings menu. If you enable this policy setting, the Control Panel, Printers, and Network and Connection folders are removed from Settings on the Start menu, and from Computer and File Explorer. It also prevents the programs represented by these folders (such as Control.exe) from running. @@ -3222,12 +3275,7 @@ If you disable or do not configure this policy setting, the Control Panel, Print Also, see the "Disable Control Panel," "Disable Display in Control Panel," and "Remove Network Connections from Start Menu" policy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3246,28 +3294,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3284,7 +3338,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent changes to Taskbar and Start Menu Settings. +This policy setting allows you to prevent changes to Taskbar and Start Menu Settings. If you enable this policy setting, The user will be prevented from opening the Taskbar Properties dialog box. @@ -3293,12 +3347,7 @@ If the user right-clicks the taskbar and then clicks Properties, a message appea If you disable or do not configure this policy setting, the Taskbar and Start Menu items are available from Settings on the Start menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3317,28 +3366,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3355,19 +3410,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Downloads link from the Start Menu. +This policy setting allows you to remove the Downloads link from the Start Menu. If you enable this policy setting, the Start Menu does not show a link to the Downloads folder. If you disable or do not configure this policy setting, the Downloads link is available from the Start Menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3386,28 +3436,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3424,17 +3480,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Start Menu options. As a result, users cannot add the homegroup link to the Start Menu. +If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Start Menu options. As a result, users cannot add the homegroup link to the Start Menu. If you disable or do not configure this policy, users can use the Start Menu options to add or remove the homegroup link from the Start Menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3453,28 +3504,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3491,19 +3548,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Recorded TV link from the Start Menu. +This policy setting allows you to remove the Recorded TV link from the Start Menu. If you enable this policy setting, the Start Menu does not show a link to the Recorded TV library. If you disable or do not configure this policy setting, the Recorded TV link is available from the Start Menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3522,28 +3574,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3560,7 +3618,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Hides all folders on the user-specific (top) section of the Start menu. Other items appear, but folders are hidden. +Hides all folders on the user-specific (top) section of the Start menu. Other items appear, but folders are hidden. This setting is designed for use with redirected folders. Redirected folders appear on the main (bottom) section of the Start menu. However, the original, user-specific version of the folder still appears on the top section of the Start menu. Because the appearance of two folders with the same name might confuse users, you can use this setting to hide user-specific folders. @@ -3571,12 +3629,7 @@ If you enable this setting, no folders appear on the top section of the Start me If you disable this setting or do not configured it, Windows 2000 Professional and Windows XP Professional display folders on both sections of the Start menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3595,28 +3648,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3633,19 +3692,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Videos link from the Start Menu. +This policy setting allows you to remove the Videos link from the Start Menu. If you enable this policy setting, the Start Menu does not show a link to the Videos library. If you disable or do not configure this policy setting, the Videos link is available from the Start Menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3664,28 +3718,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -3702,23 +3762,18 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting affects the presentation of the Start menu. +This setting affects the presentation of the Start menu. -The classic Start menu in Windows 2000 Professional allows users to begin common tasks, while the new Start menu consolidates common items onto one menu. When the classic Start menu is used, the following icons are placed on the desktop: Documents, Pictures, Music, Computer, and Network. The new Start menu starts them directly. +The classic Start menu in Windows allows users to begin common tasks, while the new Start menu consolidates common items onto one menu. When the classic Start menu is used, the following icons are placed on the desktop: Documents, Pictures, Music, Computer, and Network. The new Start menu starts them directly. -If you enable this setting, the Start menu displays the classic Start menu in the Windows 2000 style and displays the standard desktop icons. +If you enable this setting, the Start menu displays the classic Start menu and displays the standard desktop icons. If you disable this setting, the Start menu only displays in the new style, meaning the desktop icons are now on the Start page. If you do not configure this setting, the default is the new style, and the user can change the view. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. 
For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3737,28 +3792,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3775,19 +3836,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents the clock in the system notification area from being displayed. +Prevents the clock in the system notification area from being displayed. If you enable this setting, the clock will not be displayed in the system notification area. If you disable or do not configure this setting, the default behavior of the clock appearing in the notification area will occur. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3806,28 +3862,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3844,7 +3906,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting affects the taskbar buttons used to switch between running programs. +This setting affects the taskbar buttons used to switch between running programs. Taskbar grouping consolidates similar applications when there is no room on the taskbar. It kicks in when the user's taskbar is full. @@ -3853,12 +3915,7 @@ If you enable this setting, it prevents the taskbar from grouping items that sha If you disable or do not configure it, items on the taskbar that share the same program are grouped together. The users have the option to disable grouping if they choose. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3877,28 +3934,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3915,7 +3978,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting affects the taskbar. +This setting affects the taskbar. The taskbar includes the Start button, buttons for currently running tasks, custom toolbars, the notification area, and the system clock. Toolbars include Quick Launch, Address, Links, Desktop, and other custom toolbars created by the user or by an application. @@ -3924,12 +3987,7 @@ If this setting is enabled, the taskbar does not display any custom toolbars, an If this setting is disabled or is not configured, the taskbar displays all toolbars. Users can add or remove custom toolbars, and the "Toolbars" command appears in the context menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3948,28 +4006,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3986,7 +4050,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove access to the context menus for the taskbar. +This policy setting allows you to remove access to the context menus for the taskbar. If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden, such as the Start button, the clock, and the taskbar buttons. @@ -3995,12 +4059,7 @@ If you disable or do not configure this policy setting, the context menus for th This policy setting does not prevent users from using other methods to issue the commands that appear on these menus. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4019,28 +4078,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4057,7 +4122,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting affects the notification area (previously called the "system tray") on the taskbar. +This setting affects the notification area (previously called the "system tray") on the taskbar. The notification area is located at the far right end of the task bar and includes the icons for current notifications and the system clock. @@ -4069,12 +4134,7 @@ If this setting is disabled or is not configured, the notification area is shown > Enabling this setting overrides the "Turn off notification area cleanup" setting, because if the notification area is hidden, there is no need to clean up the icons. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4093,28 +4153,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4131,17 +4197,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this setting, users cannot uninstall apps from Start. +If you enable this setting, users cannot uninstall apps from Start. If you disable this setting or do not configure it, users can access the uninstall command from Start. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4160,28 +4221,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4198,17 +4265,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy the start menu will not show a link to the user's storage folder. +If you enable this policy the start menu will not show a link to the user's storage folder. If you disable or do not configure this policy, the start menu will display a link, unless the user chooses to remove it in the start menu control panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4227,28 +4289,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4265,21 +4333,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the user name label from the Start Menu in Windows XP and Windows Server 2003. +This policy setting allows you to remove the user name label from the Start Menu. -If you enable this policy setting, the user name label is removed from the Start Menu in Windows XP and Windows Server 2003. +If you enable this policy setting, the user name label is removed from the Start Menu. -To remove the user name folder on Windows Vista, set the "Remove user folder link from Start Menu" policy setting. - -If you disable or do not configure this policy setting, the user name label appears on the Start Menu in Windows XP and Windows Server 2003. +If you disable or do not configure this policy setting, the user name label appears on the Start Menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4298,28 +4359,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4336,7 +4403,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove links and access to Windows Update. +This policy setting allows you to remove links and access to Windows Update. If you enable this policy setting, users are prevented from connecting to the Windows Update Web site. @@ -4349,12 +4416,7 @@ If you disable or do not configure this policy setting, the Windows Update hyper Also, see the "Hide the "Add programs from Microsoft" option" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4373,28 +4435,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4411,7 +4479,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Set the default action of the power button on the Start menu. +Set the default action of the power button on the Start menu. If you enable this setting, the Start Menu will set the power button to the chosen action, and not let the user change this action. @@ -4420,12 +4488,7 @@ If you set the button to either Sleep or Hibernate, and that state is not suppor If you disable or do not configure this setting, the Start Menu power button will be set to Shut Down by default, and the user can change this setting to another action. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4444,28 +4507,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4482,7 +4551,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the QuickLaunch bar is displayed in the Taskbar. +This policy setting controls whether the QuickLaunch bar is displayed in the Taskbar. If you enable this policy setting, the QuickLaunch bar will be visible and cannot be turned off. @@ -4491,12 +4560,7 @@ If you disable this policy setting, the QuickLaunch bar will be hidden and canno If you do not configure this policy setting, then users will be able to turn the QuickLaunch bar on and off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4515,28 +4579,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4553,17 +4623,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the "Undock PC" button is removed from the simple Start Menu, and your PC cannot be undocked. +If you enable this setting, the "Undock PC" button is removed from the simple Start Menu, and your PC cannot be undocked. If you disable this setting or do not configure it, the "Undock PC" button remains on the simple Start menu, and your PC can be undocked. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4582,28 +4647,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4620,19 +4691,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the Apps view to be opened by default when the user goes to Start. +This policy setting allows the Apps view to be opened by default when the user goes to Start. If you enable this policy setting, the Apps view will appear whenever the user goes to Start. Users will still be able to switch between the Apps view and the Start screen. If you disable or don’t configure this policy setting, the Start screen will appear by default whenever the user goes to Start, and the user will be able to switch between the Apps view and the Start screen. Also, the user will be able to configure this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4651,28 +4717,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4689,7 +4761,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting shows or hides the "Run as different user" command on the Start application bar. +This policy setting shows or hides the "Run as different user" command on the Start application bar. If you enable this setting, users can access the "Run as different user" command from Start for applications which support this functionality. @@ -4699,12 +4771,7 @@ If you disable this setting or do not configure it, users cannot access the "Run > This setting does not prevent users from using other methods, such as the shift right-click menu on application's jumplists in the taskbar to issue the "Run as different user" command. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4723,28 +4790,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4761,19 +4834,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the Run command is added to the Start menu. +If you enable this setting, the Run command is added to the Start menu. If you disable or do not configure this setting, the Run command is not visible on the Start menu by default, but it can be added from the Taskbar and Start menu properties. If the Remove Run link from Start Menu policy is set, the Add the Run command to the Start menu policy has no effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4792,28 +4860,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4830,19 +4904,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the Start screen to appear on the display the user is using when they press the Windows logo key. This setting only applies to users who are using multiple displays. -If you enable this policy setting, the Start screen will appear on the display the user is using when they press the Windows logo key. - -If you disable or don't configure this policy setting, the Start screen will always appear on the main display when the user presses the Windows logo key. Users will still be able to open Start on other displays by pressing the Start button on that display. Also, the user will be able to configure this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4861,28 +4926,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4899,7 +4970,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to removes the "Log Off ``" item from the Start menu and prevents users from restoring it. +This policy setting allows you to removes the "Log Off ``" item from the Start menu and prevents users from restoring it. If you enable this policy setting, the Log Off `` item does not appear in the Start menu. This policy setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot restore the Log Off `` item to the Start Menu. 
@@ -4907,17 +4978,13 @@ If you disable or do not configure this policy setting, users can use the Displa This policy setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del, and it does not prevent users from using other methods to log off. -Tip: To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab and, in the Start Menu Settings box, click Display Logoff. +> [!TIP] +> To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab and, in the Start Menu Settings box, click Display Logoff. See also: "Remove Logoff" policy setting in User Configuration\Administrative Templates\System\Logon/Logoff. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4936,28 +5003,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4975,15 +5048,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows pinning apps to Start by default, when they are included by AppID on the list. +This policy setting allows pinning apps to Start by default, when they are included by AppID on the list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4996,7 +5064,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - \ No newline at end of file + + diff --git a/windows/client-management/mdm/policy-csp-admx-systemrestore.md b/windows/client-management/mdm/policy-csp-admx-systemrestore.md index 00d40074f3..e15430f48b 100644 --- a/windows/client-management/mdm/policy-csp-admx-systemrestore.md +++ b/windows/client-management/mdm/policy-csp-admx-systemrestore.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_SystemRestore -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -36,28 +40,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -74,7 +84,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Allows you to disable System Restore configuration through System Protection. +Allows you to disable System Restore configuration through System Protection. This policy setting allows you to turn off System Restore configuration through System Protection. @@ -87,12 +97,7 @@ If you disable or do not configure this policy setting, users can change the Sys Also, see the "Turn off System Restore" policy setting. If the "Turn off System Restore" policy setting is enabled, the "Turn off System Restore configuration" policy setting is overwritten. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -105,8 +110,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-tabletshell.md b/windows/client-management/mdm/policy-csp-admx-tabletshell.md new file mode 100644 index 0000000000..53648b8f57 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-tabletshell.md @@ -0,0 +1,186 @@ +--- +title: Policy CSP - ADMX_TabletShell +description: Policy CSP - ADMX_TabletShell +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_TabletShell + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
                  + + +## ADMX_TabletShell policies + +
                  +
                  + ADMX_TabletShell/DisableInkball_1 +
                  +
                  + ADMX_TabletShell/DisableNoteWriterPrinting_1 +
                  +
                  + + +
                  + + +**ADMX_TabletShell/DisableInkball_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Prevents start of InkBall game. + +If you enable this policy, the InkBall game will not run. + +If you disable this policy, the InkBall game will run. If you do not configure this policy, the InkBall game will run. + + + + + +ADMX Info: +- GP Friendly name: *Do not allow Inkball to run* +- GP name: *DisableInkball_1* +- GP path: *Windows Components\Tablet PC\Accessories* +- GP ADMX file name: *TabletShell.admx* + + + + +
                  + + +**ADMX_TabletShell/DisableNoteWriterPrinting_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
                  + + + +Prevents printing to Journal Note Writer. + +If you enable this policy, the Journal Note Writer printer driver will not allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail. + +If you disable this policy, you will be able to use this feature to print to a Journal Note. If you do not configure this policy, users will be able to use this feature to print to a Journal Note. + + + + + + +ADMX Info: +- GP Friendly name: *Do not allow printing to Journal Note Writer* +- GP name: *DisableNoteWriterPrinting_1* +- GP path: *Windows Components\Tablet PC\Accessories* +- GP ADMX file name: *TabletShell.admx* + + + +
                  + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md index 77fdd56a9d..ae6556aadf 100644 --- a/windows/client-management/mdm/policy-csp-admx-taskbar.md +++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md @@ -13,11 +13,16 @@ manager: dansimp --- # Policy CSP - ADMX_Taskbar -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
                  +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ## ADMX_Taskbar policies @@ -99,28 +104,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -137,7 +148,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting removes Notifications and Action Center from the notification area on the taskbar. +This policy setting removes Notifications and Action Center from the notification area on the taskbar. The notification area is located at the far right end of the taskbar and includes icons for current notifications and the system clock. @@ -148,12 +159,6 @@ If you disable or do not configure this policy setting, Notification and Securit A reboot is required for this policy setting to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -172,28 +177,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -210,7 +221,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy disables the functionality that converts balloons to toast notifications. +This policy disables the functionality that converts balloons to toast notifications. If you enable this policy setting, system and application notifications will render as balloons instead of toast notifications. @@ -221,12 +232,6 @@ If you disable or don’t configure this policy setting, all notifications will A reboot is required for this policy setting to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -245,28 +250,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -283,19 +294,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove Security and Maintenance from the system control area. +This policy setting allows you to remove Security and Maintenance from the system control area. If you enable this policy setting, the Security and Maintenance icon is not displayed in the system notification area. If you disable or do not configure this policy setting, the Security and Maintenance icon is displayed in the system notification area. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -314,28 +319,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -352,19 +363,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the networking icon from the system control area. +This policy setting allows you to remove the networking icon from the system control area. If you enable this policy setting, the networking icon is not displayed in the system notification area. If you disable or do not configure this policy setting, the networking icon is displayed in the system notification area. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -383,28 +388,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -421,19 +432,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the battery meter from the system control area. +This policy setting allows you to remove the battery meter from the system control area. If you enable this policy setting, the battery meter is not displayed in the system notification area. If you disable or do not configure this policy setting, the battery meter is displayed in the system notification area. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -452,28 +457,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -490,19 +501,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the volume control icon from the system control area. +This policy setting allows you to remove the volume control icon from the system control area. If you enable this policy setting, the volume control icon is not displayed in the system notification area. If you disable or do not configure this policy setting, the volume control icon is displayed in the system notification area. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -521,28 +526,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -559,19 +570,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off feature advertisement balloon notifications. +This policy setting allows you to turn off feature advertisement balloon notifications. If you enable this policy setting, certain notification balloons that are marked as feature advertisements are not shown. If you disable do not configure this policy setting, feature advertisement balloons are shown. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -590,28 +595,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -628,19 +639,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control pinning the Store app to the Taskbar. +This policy setting allows you to control pinning the Store app to the Taskbar. If you enable this policy setting, users cannot pin the Store app to the Taskbar. If the Store app is already pinned to the Taskbar, it will be removed from the Taskbar on next login. If you disable or do not configure this policy setting, users can pin the Store app to the Taskbar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -659,28 +664,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -697,19 +708,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control pinning items in Jump Lists. +This policy setting allows you to control pinning items in Jump Lists. If you enable this policy setting, users cannot pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users also cannot unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists will continue to show. If you disable or do not configure this policy setting, users can pin files, folders, websites, and other items to a program's Jump List so that the items is always present in this menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -728,28 +733,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -766,19 +777,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control pinning programs to the Taskbar. +This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -789,7 +794,6 @@ ADMX Info: -

                  @@ -799,28 +803,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -837,7 +847,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control displaying or tracking items in Jump Lists from remote locations. +This policy setting allows you to control displaying or tracking items in Jump Lists from remote locations. The Start Menu and Taskbar display Jump Lists off of programs. These menus include files, folders, websites and other relevant items for that program. This helps users more easily reopen their most important documents and other tasks. @@ -847,12 +857,6 @@ If you disable or do not configure this policy setting, all files that the user -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -863,7 +867,6 @@ ADMX Info: -

                  @@ -873,28 +876,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -911,19 +920,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off automatic promotion of notification icons to the taskbar. +This policy setting allows you to turn off automatic promotion of notification icons to the taskbar. If you enable this policy setting, newly added notification icons are not temporarily promoted to the Taskbar. Users can still configure icons to be shown or hidden in the Notification Control Panel. If you disable or do not configure this policy setting, newly added notification icons are temporarily promoted to the Taskbar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -934,7 +937,6 @@ ADMX Info: -

                  @@ -944,28 +946,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -982,7 +990,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to see Windows Store apps on the taskbar. +This policy setting allows users to see Windows Store apps on the taskbar. If you enable this policy setting, users will see Windows Store apps on the taskbar. @@ -991,12 +999,6 @@ If you disable this policy setting, users won’t see Windows Store apps on the If you don’t configure this policy setting, the default setting for the user’s device will be used, and the user can choose to change it. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1017,28 +1019,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1055,19 +1063,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to lock all taskbar settings. +This policy setting allows you to lock all taskbar settings. If you enable this policy setting, the user cannot access the taskbar control panel. The user is also unable to resize, move or rearrange toolbars on their taskbar. If you disable or do not configure this policy setting, the user will be able to set any taskbar setting that is not prevented by another policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1088,28 +1090,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1126,20 +1134,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from adding or removing toolbars. +This policy setting allows you to prevent users from adding or removing toolbars. If you enable this policy setting, the user is not allowed to add or remove any toolbars to the taskbar. Applications are not able to add toolbars either. If you disable or do not configure this policy setting, the users and applications are able to add toolbars to the taskbar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Prevent users from adding or removing toolbars* @@ -1149,7 +1150,7 @@ ADMX Info: -
                  +>
                  @@ -1159,28 +1160,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1197,20 +1204,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from rearranging toolbars. +This policy setting allows you to prevent users from rearranging toolbars. If you enable this policy setting, users are not able to drag or drop toolbars to the taskbar. If you disable or do not configure this policy setting, users are able to rearrange the toolbars on the taskbar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Prevent users from rearranging toolbars* @@ -1220,7 +1220,6 @@ ADMX Info: -

                  @@ -1230,28 +1229,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1268,19 +1273,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent taskbars from being displayed on more than one monitor. +This policy setting allows you to prevent taskbars from being displayed on more than one monitor. If you enable this policy setting, users are not able to show taskbars on more than one display. The multiple display section is not enabled in the taskbar properties dialog. If you disable or do not configure this policy setting, users can show taskbars on more than one display. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1301,28 +1300,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1339,19 +1344,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off all notification balloons. +This policy setting allows you to turn off all notification balloons. If you enable this policy setting, no notification balloons are shown to the user. If you disable or do not configure this policy setting, notification balloons are shown to the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1364,36 +1363,40 @@ ADMX Info:
                  -
                  - **ADMX_Taskbar/TaskbarNoPinnedList** - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1410,19 +1413,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove pinned programs from the taskbar. +This policy setting allows you to remove pinned programs from the taskbar. If you enable this policy setting, pinned programs are prevented from being shown on the Taskbar. Users cannot pin programs to the Taskbar. If you disable or do not configure this policy setting, users can pin programs so that the program shortcuts stay on the Taskbar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1433,7 +1430,6 @@ ADMX Info: -

                  @@ -1443,28 +1439,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1481,19 +1483,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from moving taskbar to another screen dock location. +This policy setting allows you to prevent users from moving taskbar to another screen dock location. If you enable this policy setting, users are not able to drag their taskbar to another area of the monitor(s). If you disable or do not configure this policy setting, users are able to drag their taskbar to another area of the monitor unless prevented by another policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1506,7 +1503,6 @@ ADMX Info:
                  -
                  **ADMX_Taskbar/TaskbarNoResize** @@ -1514,28 +1510,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1552,19 +1554,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from resizing the taskbar. +This policy setting allows you to prevent users from resizing the taskbar. If you enable this policy setting, users are not be able to resize their taskbar. If you disable or do not configure this policy setting, users are able to resize their taskbar unless prevented by another setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1575,7 +1571,6 @@ ADMX Info: -

                  @@ -1585,28 +1580,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1623,19 +1624,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off taskbar thumbnails. +This policy setting allows you to turn off taskbar thumbnails. If you enable this policy setting, the taskbar thumbnails are not displayed and the system uses standard text for the tooltips. If you disable or do not configure this policy setting, the taskbar thumbnails are displayed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1648,7 +1643,5 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - +p diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md index 716a9c9f64..ef4dcccadd 100644 --- a/windows/client-management/mdm/policy-csp-admx-tcpip.md +++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md @@ -13,11 +13,16 @@ manager: dansimp --- # Policy CSP - ADMX_tcpip -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
                  +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ## ADMX_tcpip policies @@ -72,28 +77,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -110,19 +121,13 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not available on the host. +This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not available on the host. If you enable this policy setting, you can specify a relay name for a 6to4 host. If you disable or do not configure this policy setting, the local host setting is used, and you cannot specify a relay name for a 6to4 host. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -141,28 +146,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -179,19 +190,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 relay name resolution interval setting has no effect if 6to4 connectivity is not available on the host. +This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 relay name resolution interval setting has no effect if 6to4 connectivity is not available on the host. If you enable this policy setting, you can specify the value for the duration at which the relay name is resolved periodically. If you disable or do not configure this policy setting, the local host setting is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -210,28 +215,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -248,7 +259,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of the global IPv4 address (w.x.y.z) assigned to a site. +This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of the global IPv4 address (w.x.y.z) assigned to a site. If you disable or do not configure this policy setting, the local host setting is used. @@ -261,12 +272,6 @@ Policy Enabled State: If a global IPv4 address is present, the host will have a Policy Disabled State: 6to4 is turned off and connectivity with 6to4 will not be available. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -285,28 +290,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -323,7 +334,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the HTTPS protocol to provide IP connectivity to a remote network. +This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the HTTPS protocol to provide IP connectivity to a remote network. If you disable or do not configure this policy setting, the local host settings are used. @@ -336,12 +347,6 @@ Policy Enabled State: The IP-HTTPS interface is always present, even if the host Policy Disabled State: No IP-HTTPS interfaces are present on the host. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -360,28 +365,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -398,19 +409,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure IP Stateless Autoconfiguration Limits. +This policy setting allows you to configure IP Stateless Autoconfiguration Limits. If you enable or do not configure this policy setting, IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconfigured addresses and routes. If you disable this policy setting, IP Stateless Autoconfiguration Limits will be disabled and system will not limit the number of autoconfigured addresses and routes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -429,28 +434,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -467,19 +478,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router. +This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router. If you enable this policy setting, you can specify a router name or IPv4 address for an ISATAP router. If you enter an IPv4 address of the ISATAP router in the text box, DNS services are not required. If you disable or do not configure this policy setting, the local host setting is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -498,28 +503,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -536,7 +547,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), an address-to-router and host-to-host, host-to-router and router-to-host automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet. +This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), an address-to-router and host-to-host, host-to-router and router-to-host automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet. If you disable or do not configure this policy setting, the local host setting is used. @@ -549,12 +560,6 @@ Policy Enabled State: If the ISATAP name is resolved successfully, the host will Policy Disabled State: No ISATAP interfaces are present on the host. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -573,28 +578,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -611,19 +622,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0, the operating system will select a port (recommended). If you select a UDP port that is already in use by a system, the Teredo client will fail to initialize. +This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0, the operating system will select a port (recommended). If you select a UDP port that is already in use by a system, the Teredo client will fail to initialize. If you enable this policy setting, you can customize a UDP port for the Teredo client. If you disable or do not configure this policy setting, the local host setting is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -642,28 +647,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -680,7 +691,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state. +This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state. If you disable or do not configure this policy setting, the local host setting is used. @@ -689,12 +700,6 @@ This policy setting contains only one state: Policy Enabled State: If Default Qualified is enabled, Teredo will attempt qualification immediately and remain qualified if the qualification process succeeds. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -713,28 +718,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -751,7 +762,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the Teredo refresh rate. +This policy setting allows you to configure the Teredo refresh rate. > [!NOTE] > On a periodic basis (by default, every 30 seconds), Teredo clients send a single Router Solicitation packet to the Teredo server. The Teredo server sends a Router Advertisement Packet in response. This periodic packet refreshes the IP address and UDP port mapping in the translation table of the Teredo client's NAT device. @@ -761,12 +772,6 @@ If you enable this policy setting, you can specify the refresh rate. If you cho If you disable or do not configure this policy setting, the refresh rate is configured using the local settings on the computer. The default refresh rate is 30 seconds. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -785,28 +790,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -823,19 +834,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client computer where this policy setting is applied. +This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client computer where this policy setting is applied. If you enable this policy setting, you can specify a Teredo server name that applies to a Teredo client. If you disable or do not configure this policy setting, the local settings on the computer are used to determine the Teredo server name. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -854,28 +859,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -892,7 +903,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Teredo, an address assignment and automatic tunneling technology that provides unicast IPv6 connectivity across the IPv4 Internet. +This policy setting allows you to configure Teredo, an address assignment and automatic tunneling technology that provides unicast IPv6 connectivity across the IPv4 Internet. If you disable or do not configure this policy setting, the local host settings are used. @@ -907,12 +918,6 @@ Client: The Teredo interface is present only when the host is not on a network t Enterprise Client: The Teredo interface is always present, even if the host is on a network that includes a domain controller. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -931,28 +936,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -969,7 +980,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Window Scaling option correctly. +This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Window Scaling option correctly. If you do not configure this policy setting, the local host settings are used. @@ -978,12 +989,6 @@ If you enable this policy setting, Window Scaling Heuristics will be enabled and If you disable this policy setting, Window Scaling Heuristics will be disabled and system will not try to identify connectivity and throughput problems caused by Firewalls or other middle boxes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -996,8 +1001,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - +> diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md new file mode 100644 index 0000000000..ed42ebde3f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -0,0 +1,192 @@ +--- +title: Policy CSP - ADMX_TerminalServer +description: Policy CSP - ADMX_TerminalServer +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_TerminalServer + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
                  + + +## ADMX_TerminalServer policies + +
                  +
                  + ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE +
                  +
                  + ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD +
                  +
                  + + +
                  + + +**ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting allows you to specify whether the client computer redirects its time zone settings to the Remote Desktop Services session. + +If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone). + +If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone. + +Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 or later. + + + + + +ADMX Info: +- GP Friendly name: *Allow time zone redirection* +- GP name: *TS_GATEWAY_POLICY_ENABLE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + +
                  + + +**ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
                  + + + +This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirection) between a remote computer and a client computer during a Remote Desktop Services session. + +You can use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default, Remote Desktop Services allows Clipboard redirection. + +If you enable this policy setting, users cannot redirect Clipboard data. + +If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection. + +If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level. + + + + + + +ADMX Info: +- GP Friendly name: *Do not allow Clipboard redirection* +- GP name: *TS_GATEWAY_POLICY_AUTH_METHOD* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
                  + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md index 8e689c8544..bcfc9c477f 100644 --- a/windows/client-management/mdm/policy-csp-admx-thumbnails.md +++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md @@ -13,11 +13,16 @@ manager: dansimp --- # Policy CSP - ADMX_Thumbnails -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
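Review bot: In the new `policy-csp-admx-terminalserver.md`, both policy entries pair an RD Gateway-style identifier with the description of an unrelated redirection setting. `TS_GATEWAY_POLICY_ENABLE` is documented as *Allow time zone redirection* and `TS_GATEWAY_POLICY_AUTH_METHOD` as *Do not allow Clipboard redirection*, and both list a GP path under `Remote Desktop Session Host\Device and Resource Redirection`. An administrator who pushes `ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD` to block Clipboard redirection may in fact be setting something else, leaving the clipboard channel open while the documentation says it is closed. Check each entry against `TerminalServer.admx` and correct either the identifiers or the description and `ADMX Info` blocks. The described settings look like they belong to `TS_TIME_ZONE` and `TS_CLIENT_CLIPBOARD`, but confirm that against the ADMX file. The Device and User scopes should be re-checked in the same pass.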
                  +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ## ADMX_Thumbnails policies @@ -41,28 +46,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -79,7 +90,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer. +This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer. File Explorer displays thumbnail images by default. @@ -88,12 +99,6 @@ If you enable this policy setting, File Explorer displays only icons and never d If you disable or do not configure this policy setting, File Explorer displays only thumbnail images. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -112,28 +117,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -150,7 +161,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders. +This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders. File Explorer displays thumbnail images on network folders by default. @@ -159,12 +170,6 @@ If you enable this policy setting, File Explorer displays only icons and never d If you disable or do not configure this policy setting, File Explorer displays only thumbnail images on network folders. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -183,28 +188,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -221,7 +232,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Turns off the caching of thumbnails in hidden thumbs.db files. +Turns off the caching of thumbnails in hidden thumbs.db files. This policy setting allows you to configure File Explorer to cache thumbnails of items residing in network folders in hidden thumbs.db files. @@ -230,13 +241,7 @@ If you enable this policy setting, File Explorer does not create, read from, or If you disable or do not configure this policy setting, File Explorer creates, reads from, and writes to thumbs.db files. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Turn off the caching of thumbnails in hidden thumbs.db files* @@ -248,8 +253,6 @@ ADMX Info:
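Review bot: In the `@@ -230,13 +241,7 @@` hunk of `policy-csp-admx-thumbnails.md`, one bare `>` line appears to be kept as context while every other line of the `[!TIP]` blockquote is removed. That would leave an empty blockquote marker just before `ADMX Info:` in the new file. The sibling hunks in this file remove that separator line along with the rest of the tip. Delete the remaining `>` line so the policy description is not followed by a stray empty quote block.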
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-touchinput.md b/windows/client-management/mdm/policy-csp-admx-touchinput.md new file mode 100644 index 0000000000..e5ddae159b --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-touchinput.md @@ -0,0 +1,331 @@ +--- +title: Policy CSP - ADMX_TouchInput +description: Policy CSP - ADMX_TouchInput +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_TouchInput + +
                  + + +## ADMX_TouchInput policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
                  +
                  + ADMX_TouchInput/TouchInputOff_1 +
                  +
                  + ADMX_TouchInput/TouchInputOff_2 +
                  +
                  + ADMX_TouchInput/PanningEverywhereOff_1 +
                  +
                  + ADMX_TouchInput/PanningEverywhereOff_2 +
                  +
                  + + +
                  + + +**ADMX_TouchInput/TouchInputOff_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
                  + + + +Turn off Tablet PC touch input Turns off touch input, which allows the user to interact with their computer using their finger. + +- If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. +- If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and other-touch specific features. + +If you do not configure this setting, touch input is on by default. Note: Changes to this setting will not take effect until the user logs off. + + + + +ADMX Info: +- GP Friendly name: *Turn off Tablet PC touch input* +- GP name: *TouchInputOff_1* +- GP path: *Windows Components\Tablet PC\Touch Input* +- GP ADMX file name: *TouchInput.admx* + + + + +**ADMX_TouchInput/TouchInputOff_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
                  + + + +Turn off Tablet PC touch input Turns off touch input, which allows the user to interact with their computer using their finger. + +- If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. +- If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and other-touch specific features. + +If you do not configure this setting, touch input is on by default. Note: Changes to this setting will not take effect until the user logs off. + + + + +ADMX Info: +- GP Friendly name: *Turn off Tablet PC touch input* +- GP name: *TouchInputOff_2* +- GP path: *Windows Components\Tablet PC\Touch Input* +- GP ADMX file name: *TouchInput.admx* + + + + +
                  + + +**ADMX_TouchInput/PanningEverywhereOff_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
                  + + + +Turn off Panning Turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. + +- If you enable this setting, the user will not be able to pan windows by touch. + +- If you disable this setting, the user can pan windows by touch. If you do not configure this setting, Touch Panning is on by default. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + + + +ADMX Info: +- GP Friendly name: *Turn off Touch Panning* +- GP name: *PanningEverywhereOff_1* +- GP path: *Windows Components\Tablet PC\Touch Input* +- GP ADMX file name: *TouchInput.admx* + + + +
                  + +**ADMX_TouchInput/PanningEverywhereOff_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
                  + + + +Turn off Panning Turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. + +- If you enable this setting, the user will not be able to pan windows by touch. + +- If you disable this setting, the user can pan windows by touch. If you do not configure this setting, Touch Panning is on by default. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + + + +ADMX Info: +- GP Friendly name: *Turn off Touch Panning* +- GP name: *PanningEverywhereOff_2* +- GP path: *Windows Components\Tablet PC\Touch Input* +- GP ADMX file name: *TouchInput.admx* + + + +
                  + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md index 7935207b97..f6a3adddd5 100644 --- a/windows/client-management/mdm/policy-csp-admx-tpm.md +++ b/windows/client-management/mdm/policy-csp-admx-tpm.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_TPM -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -63,28 +67,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -101,19 +111,13 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windows. +This policy setting allows you to manage the Policy list of Trusted Platform Module (TPM) commands blocked by Windows. If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is TPM_OwnerReadInternalPub, and command number 170 is TPM_FieldUpgrade. To find the command number associated with each TPM command with TPM 1.2, run "tpm.msc" and navigate to the "Command Management" section. -If you disable or do not configure this policy setting, only those TPM commands specified through the default or local lists may be blocked by Windows. The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See related policy settings to enforce or ignore the default and local lists of blocked TPM commands. +If you disable or do not configure this policy setting, only those TPM commands specified through the default or local lists may be blocked by Windows. The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. 
See related policy settings to enforce or ignore the default and local lists of blocked TPM commands. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -132,28 +136,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
@@ -170,15 +180,9 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state.
+This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state.
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 ADMX Info:
@@ -197,28 +201,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -235,21 +245,15 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. +This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. -If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the local list. +If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will only block those TPM commands specified by Policy or the local list. -The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See the related policy setting to configure the Group Policy list of blocked TPM commands. +The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See the related policy setting to configure the Policy list of blocked TPM commands. -If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to commands in the Group Policy and local lists of blocked TPM commands. 
+If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to commands in the Policy and local lists of blocked TPM commands. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -268,28 +272,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -306,21 +316,15 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. +This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. -If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the default list. +If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only block those TPM commands specified by Policy or the default list. -The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. The default list of blocked TPM commands is pre-configured by Windows. See the related policy setting to configure the Group Policy list of blocked TPM commands. +The local list of blocked TPM commands is configured outside of Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. The default list of blocked TPM commands is pre-configured by Windows. See the related policy setting to configure the Policy list of blocked TPM commands. -If you disable or do not configure this policy setting, Windows will block the TPM commands found in the local list, in addition to commands in the Group Policy and default lists of blocked TPM commands. +If you disable or do not configure this policy setting, Windows will block the TPM commands found in the local list, in addition to commands in the Policy and default lists of blocked TPM commands. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). 
-> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -339,28 +343,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
@@ -377,7 +387,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization without requiring the user to enter the TPM owner password.
+This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization without requiring the user to enter the TPM owner password.
 You can choose to have the operating system store either the full TPM owner authorization value, the TPM administrative delegation blob plus the TPM user delegation blob, or none.
@@ -393,12 +403,6 @@ Choose the operating system managed TPM authentication setting of "None" for com > If the operating system managed TPM authentication setting is changed from "Full" to "Delegated", the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -417,28 +421,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -455,15 +465,9 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This group policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and will not interfere with their workflows. +This Policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and will not interfere with their workflows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. 
To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -482,28 +486,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -520,7 +530,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equals a threshold, a standard user is prevented from sending commands requiring authorization to the TPM. +This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equals a threshold, a standard user is prevented from sending commands requiring authorization to the TPM. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. @@ -539,13 +549,7 @@ An administrator with the TPM owner password may fully reset the TPM's hardware If this value is not configured, a default value of 480 minutes (8 hours) is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - +> ADMX Info: - GP Friendly name: *Standard User Lockout Duration* 
@@ -563,28 +567,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -601,7 +611,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard User Lockout Duration equals this value, the standard user is prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. +This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard User Lockout Duration equals this value, the standard user is prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. @@ -622,12 +632,6 @@ If this value is not configured, a default value of 4 is used. A value of zero means the OS will not allow standard users to send commands to the TPM which may cause an authorization failure. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: 
@@ -646,28 +650,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -684,7 +694,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Standard User Lockout Duration equals this value, all standard users are prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. +This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Standard User Lockout Duration equals this value, all standard users are prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. 
@@ -705,12 +715,6 @@ If this value is not configured, a default value of 9 is used. A value of zero means the OS will not allow standard users to send commands to the TPM which may cause an authorization failure. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -729,28 +733,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -767,15 +777,9 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from group policy and b)clear the TPM on the system.
+This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this Policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from Policy and b)clear the TPM on the system.
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 ADMX Info:
@@ -788,8 +792,6 @@ ADMX Info:
-> [!NOTE]
-> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
index d068903115..0d0a46df31 100644
--- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
+++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
@@ -13,8 +13,12 @@ manager: dansimp
 ---
 # Policy CSP - ADMX_UserExperienceVirtualization
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+> [!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -411,28 +415,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -450,7 +460,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Calculator. +This policy setting configures the synchronization of user settings of Calculator. By default, the user settings of Calculator synchronize between computers. Use the policy setting to prevent the user settings of Calculator from synchronization between computers. @@ -461,12 +471,6 @@ If you disable this policy setting, Calculator user settings are excluded from t If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -485,28 +489,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -524,7 +534,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users’ computers. +This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users’ computers. With Sync Method set to ”SyncProvider,” the UE-V Agent uses a built-in sync provider to keep user settings synchronized between the computer and the settings storage location. This is the default value. You can disable the sync provider on computers that never go offline and are always connected to the settings storage location. @@ -540,12 +550,6 @@ If you disable this policy setting, the sync provider is used to synchronize set If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -564,28 +568,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -603,7 +613,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment. +This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment. UE-V settings rollback data and checkpoints are normally stored only on the local computer. With this policy setting enabled, the rollback information is copied to the settings storage location when the user logs off or shuts down their VDI session. @@ -615,12 +625,6 @@ If you disable this policy setting, no UE-V rollback state is copied to the sett If you do not configure this policy, no UE-V rollback state is copied to the settings storage location. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -639,28 +643,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -677,7 +687,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center. +This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center. If you enable this policy setting, the Company Settings Center displays the specified text in the link to the Contact IT URL. @@ -686,12 +696,6 @@ If you disable this policy setting, the Company Settings Center does not display If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -710,28 +714,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -748,7 +758,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the URL for the Contact IT link in the Company Settings Center. +This policy setting specifies the URL for the Contact IT link in the Company Settings Center. If you enable this policy setting, the Company Settings Center Contact IT text links to the specified URL. The link can be of any standard protocol such as http or mailto. @@ -756,12 +766,6 @@ If you disable this policy setting, the Company Settings Center does not display If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -780,28 +784,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -819,7 +829,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps. +This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps. By default, the UE-V Agent synchronizes settings for Windows apps between the computer and the settings storage location. @@ -833,12 +843,6 @@ If you do not configure this policy setting, any defined values are deleted. > If the user connects their Microsoft account for their computer then the UE-V Agent will not synchronize Windows apps. The Windows apps will default to whatever settings are configured in the Sync your settings configuration in Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -857,28 +861,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -896,7 +906,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of Windows settings between computers. Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates. +This policy setting configures the synchronization of Windows settings between computers. Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates. If you enable this policy setting, only the selected Windows settings synchronize. Unselected Windows settings are excluded from settings synchronization. 
@@ -905,12 +915,6 @@ If you disable this policy setting, all Windows Settings are excluded from the s If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -929,28 +933,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -967,17 +977,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. +This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. Reboot is needed for enable to take effect. With Auto-register inbox templates enabled, the UE-V inbox templates such as Office 2016 will be automatically registered when the UE-V Service is enabled. If this option is changed, it will only take effect when UE-V service is re-enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -996,28 +1000,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1035,7 +1045,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Finance app. By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers. +This policy setting configures the synchronization of user settings for the Finance app. By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers. If you enable this policy setting, Finance user settings continue to sync. @@ -1044,12 +1054,6 @@ If you disable this policy setting, Finance user settings are excluded from sync If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1068,28 +1072,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1106,7 +1116,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for the first time. By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers. +This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for the first time. By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers. With this setting enabled, the notification appears the first time that the UE-V Agent runs. @@ -1115,12 +1125,6 @@ With this setting disabled, no notification appears. If you do not configure this policy setting, any defined values are deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1139,28 +1143,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1178,7 +1188,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Games app. By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers. +This policy setting configures the synchronization of user settings for the Games app. By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers. If you enable this policy setting, Games user settings continue to sync. @@ -1187,12 +1197,6 @@ If you disable this policy setting, Games user settings are excluded from synchr If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1211,28 +1215,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1250,7 +1260,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Internet Explorer 8. +This policy setting configures the synchronization of user settings for Internet Explorer 8. By default, the user settings of Internet Explorer 8 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 8 from synchronization between computers. @@ -1261,12 +1271,6 @@ If you disable this policy setting, Internet Explorer 8 user settings are exclud If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1285,28 +1289,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1324,7 +1334,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Internet Explorer 9. By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers. +This policy setting configures the synchronization of user settings for Internet Explorer 9. By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers. If you enable this policy setting, the Internet Explorer 9 user settings continue to synchronize. @@ -1333,12 +1343,7 @@ If you disable this policy setting, Internet Explorer 9 user settings are exclud If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1357,28 +1362,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1396,7 +1407,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Internet Explorer 10. By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers. +This policy setting configures the synchronization of user settings of Internet Explorer 10. By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers. If you enable this policy setting, the Internet Explorer 10 user settings continue to synchronize. @@ -1405,12 +1416,6 @@ If you disable this policy setting, Internet Explorer 10 user settings are exclu If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1429,28 +1434,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1468,7 +1479,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Internet Explorer 11. By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers. +This policy setting configures the synchronization of user settings of Internet Explorer 11. By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers. If you enable this policy setting, the Internet Explorer 11 user settings continue to synchronize. @@ -1477,12 +1488,6 @@ If you disable this policy setting, Internet Explorer 11 user settings are exclu If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1501,28 +1506,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1540,7 +1551,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the versions of Internet Explorer. +This policy setting configures the synchronization of user settings which are common between the versions of Internet Explorer. By default, the user settings which are common between the versions of Internet Explorer synchronize between computers. Use the policy setting to prevent the user settings of Internet Explorer from synchronization between computers. If you enable this policy setting, the user settings which are common between the versions of Internet Explorer continue to synchronize. @@ -1550,12 +1561,6 @@ If you disable this policy setting, the user settings which are common between t If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1573,28 +1578,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1612,7 +1623,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Maps app. By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers. +This policy setting configures the synchronization of user settings for the Maps app. By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers. If you enable this policy setting, Maps user settings continue to sync. @@ -1621,12 +1632,6 @@ If you disable this policy setting, Maps user settings are excluded from synchro If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1645,28 +1650,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1684,19 +1695,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file size. +This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file size. If you enable this policy setting, specify the threshold file size in bytes. When the settings package file exceeds this threshold the UE-V Agent will write a warning event to the event log. If you disable or do not configure this policy setting, no event is written to the event log to report settings package size. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1715,28 +1720,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1754,7 +1765,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Access 2010. By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Access 2010. By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers. If you enable this policy setting, Microsoft Access 2010 user settings continue to synchronize. @@ -1763,12 +1774,6 @@ If you disable this policy setting, Microsoft Access 2010 user settings are excl If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1787,28 +1792,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1826,7 +1837,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications. By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. +This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications. By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications continue to synchronize. 
@@ -1835,12 +1846,6 @@ If you disable this policy setting, the user settings which are common between t If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1859,28 +1864,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1898,7 +1909,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Excel 2010. By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Excel 2010. By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers. If you enable this policy setting, Microsoft Excel 2010 user settings continue to synchronize. @@ -1906,12 +1917,7 @@ If you disable this policy setting, Microsoft Excel 2010 user settings are exclu If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1930,28 +1936,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1969,7 +1981,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010. By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010. By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers. If you enable this policy setting, Microsoft InfoPath 2010 user settings continue to synchronize. @@ -1978,12 +1990,7 @@ If you disable this policy setting, Microsoft InfoPath 2010 user settings are ex If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2002,28 +2009,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2041,7 +2054,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Lync 2010. By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Lync 2010. By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers. If you enable this policy setting, Microsoft Lync 2010 user settings continue to synchronize. @@ -2050,12 +2063,6 @@ If you disable this policy setting, Microsoft Lync 2010 user settings are exclud If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2074,28 +2081,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2113,7 +2126,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft OneNote 2010. By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft OneNote 2010. By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers. If you enable this policy setting, Microsoft OneNote 2010 user settings continue to synchronize. @@ -2121,12 +2134,6 @@ If you disable this policy setting, Microsoft OneNote 2010 user settings are exc If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2145,28 +2152,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2184,7 +2197,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Outlook 2010. By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Outlook 2010. By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers. If you enable this policy setting, Microsoft Outlook 2010 user settings continue to synchronize. @@ -2193,12 +2206,6 @@ If you disable this policy setting, Microsoft Outlook 2010 user settings are exc If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2217,28 +2224,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2256,7 +2269,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010. By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010. By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers. If you enable this policy setting, Microsoft PowerPoint 2010 user settings continue to synchronize. @@ -2265,12 +2278,7 @@ If you disable this policy setting, Microsoft PowerPoint 2010 user settings are If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2289,28 +2297,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2328,7 +2342,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Project 2010. By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Project 2010. By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers. If you enable this policy setting, Microsoft Project 2010 user settings continue to synchronize. @@ -2336,12 +2350,7 @@ If you disable this policy setting, Microsoft Project 2010 user settings are exc If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2360,28 +2369,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2399,7 +2414,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Publisher 2010. By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Publisher 2010. By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers. If you enable this policy setting, Microsoft Publisher 2010 user settings continue to synchronize. @@ -2408,12 +2423,7 @@ If you disable this policy setting, Microsoft Publisher 2010 user settings are e If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2432,28 +2442,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2471,7 +2487,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010. By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010. By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers. If you enable this policy setting, Microsoft SharePoint Designer 2010 user settings continue to synchronize. @@ -2480,12 +2496,6 @@ If you disable this policy setting, Microsoft SharePoint Designer 2010 user sett If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2502,30 +2512,36 @@ ADMX Info: **ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointWorkspace** - +2
                  - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2543,7 +2559,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010. By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010. By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers. If you enable this policy setting, Microsoft SharePoint Workspace 2010 user settings continue to synchronize. @@ -2552,12 +2568,7 @@ If you disable this policy setting, Microsoft SharePoint Workspace 2010 user set If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2576,28 +2587,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2615,7 +2632,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Visio 2010. By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Visio 2010. By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers. If you enable this policy setting, Microsoft Visio 2010 user settings continue to synchronize. @@ -2624,12 +2641,6 @@ If you disable this policy setting, Microsoft Visio 2010 user settings are exclu If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2648,28 +2659,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2687,7 +2704,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Word 2010. By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Word 2010. By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers. If you enable this policy setting, Microsoft Word 2010 user settings continue to synchronize. @@ -2696,12 +2713,6 @@ If you disable this policy setting, Microsoft Word 2010 user settings are exclud If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2720,28 +2731,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2759,7 +2776,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Access 2013. By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Access 2013. By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers. If you enable this policy setting, Microsoft Access 2013 user settings continue to synchronize. @@ -2767,12 +2784,6 @@ If you disable this policy setting, Microsoft Access 2013 user settings are excl If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2791,28 +2802,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2830,7 +2847,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Access 2013. Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft Access 2013. Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings. If you enable this policy setting, certain user settings of Microsoft Access 2013 will continue to be backed up. @@ -2839,12 +2856,6 @@ If you disable this policy setting, certain user settings of Microsoft Access 20 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2863,28 +2874,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2902,7 +2919,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers. +This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers. If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize. 
@@ -2911,12 +2928,6 @@ If you disable this policy setting, the user settings which are common between t If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2935,28 +2946,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2974,7 +2991,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 applications. +This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office Suite 2013 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2013 applications. If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will continue to be backed up. @@ -2984,12 +3001,6 @@ If you disable this policy setting, certain user settings which are common betwe If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3008,28 +3019,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3047,7 +3064,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Excel 2013. +This policy setting configures the synchronization of user settings for Microsoft Excel 2013. By default, the user settings of Microsoft Excel 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2013 from synchronization between computers. @@ -3057,12 +3074,6 @@ If you disable this policy setting, Microsoft Excel 2013 user settings are exclu If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3081,28 +3092,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3120,7 +3137,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Excel 2013. Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft Excel 2013. Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings. If you enable this policy setting, certain user settings of Microsoft Excel 2013 will continue to be backed up. @@ -3128,12 +3145,7 @@ If you disable this policy setting, certain user settings of Microsoft Excel 201 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3152,28 +3164,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3191,7 +3209,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013. By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013. By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers. If you enable this policy setting, Microsoft InfoPath 2013 user settings continue to synchronize. @@ -3200,12 +3218,6 @@ If you disable this policy setting, Microsoft InfoPath 2013 user settings are ex If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3224,28 +3236,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3263,7 +3281,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings. If you enable this policy setting, certain user settings of Microsoft InfoPath 2013 will continue to be backed up. @@ -3272,12 +3290,7 @@ If you disable this policy setting, certain user settings of Microsoft InfoPath If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3296,28 +3309,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3335,7 +3354,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Lync 2013. By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Lync 2013. By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers. If you enable this policy setting, Microsoft Lync 2013 user settings continue to synchronize. @@ -3343,12 +3362,7 @@ If you disable this policy setting, Microsoft Lync 2013 user settings are exclud If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3367,28 +3381,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3406,7 +3426,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Lync 2013. Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft Lync 2013. Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings. If you enable this policy setting, certain user settings of Microsoft Lync 2013 will continue to be backed up. @@ -3415,12 +3435,7 @@ If you disable this policy setting, certain user settings of Microsoft Lync 2013 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3439,28 +3454,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3478,7 +3499,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for OneDrive for Business 2013. By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for OneDrive for Business 2013. By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers. If you enable this policy setting, OneDrive for Business 2013 user settings continue to synchronize. @@ -3487,12 +3508,7 @@ If you disable this policy setting, OneDrive for Business 2013 user settings are If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3511,28 +3527,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3550,7 +3572,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft OneNote 2013. By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft OneNote 2013. By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers. If you enable this policy setting, Microsoft OneNote 2013 user settings continue to synchronize. @@ -3559,12 +3581,7 @@ If you disable this policy setting, Microsoft OneNote 2013 user settings are exc If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3583,28 +3600,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3622,7 +3645,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings. If you enable this policy setting, certain user settings of Microsoft OneNote 2013 will continue to be backed up. @@ -3631,12 +3654,7 @@ If you disable this policy setting, certain user settings of Microsoft OneNote 2 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3655,28 +3673,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3694,7 +3718,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Outlook 2013. By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Outlook 2013. By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers. If you enable this policy setting, Microsoft Outlook 2013 user settings continue to synchronize. @@ -3702,12 +3726,7 @@ If you disable this policy setting, Microsoft Outlook 2013 user settings are exc If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3726,28 +3745,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3765,7 +3790,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings. If you enable this policy setting, certain user settings of Microsoft Outlook 2013 will continue to be backed up. @@ -3774,12 +3799,7 @@ If you disable this policy setting, certain user settings of Microsoft Outlook 2 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3798,28 +3818,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3837,7 +3863,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013. By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013. By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers. If you enable this policy setting, Microsoft PowerPoint 2013 user settings continue to synchronize. @@ -3846,12 +3872,7 @@ If you disable this policy setting, Microsoft PowerPoint 2013 user settings are If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3870,28 +3891,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3909,7 +3936,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings. If you enable this policy setting, certain user settings of Microsoft PowerPoint 2013 will continue to be backed up. @@ -3918,12 +3945,7 @@ If you disable this policy setting, certain user settings of Microsoft PowerPoin If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3942,28 +3964,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3981,7 +4009,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Project 2013. By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Project 2013. By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers. If you enable this policy setting, Microsoft Project 2013 user settings continue to synchronize. @@ -3989,12 +4017,7 @@ If you disable this policy setting, Microsoft Project 2013 user settings are exc If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4013,28 +4036,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4052,7 +4081,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Project 2013. Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft Project 2013. Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings. If you enable this policy setting, certain user settings of Microsoft Project 2013 will continue to be backed up. @@ -4061,12 +4090,6 @@ If you disable this policy setting, certain user settings of Microsoft Project 2 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4085,28 +4108,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4124,7 +4153,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Publisher 2013. By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Publisher 2013. By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers. If you enable this policy setting, Microsoft Publisher 2013 user settings continue to synchronize. @@ -4133,12 +4162,7 @@ If you disable this policy setting, Microsoft Publisher 2013 user settings are e If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4157,28 +4181,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4196,7 +4226,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings. If you enable this policy setting, certain user settings of Microsoft Publisher 2013 will continue to be backed up. @@ -4205,12 +4235,7 @@ If you disable this policy setting, certain user settings of Microsoft Publisher If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4229,28 +4254,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4268,7 +4299,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013. By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013. By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers. If you enable this policy setting, Microsoft SharePoint Designer 2013 user settings continue to synchronize. @@ -4277,12 +4308,7 @@ If you disable this policy setting, Microsoft SharePoint Designer 2013 user sett If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4300,28 +4326,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4339,7 +4371,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013. Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013. Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings. If you enable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will continue to be backed up. @@ -4348,12 +4380,7 @@ If you disable this policy setting, certain user settings of Microsoft SharePoin If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4371,28 +4398,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4410,7 +4443,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center. By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center. By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers. If you enable this policy setting, Microsoft Office 2013 Upload Center user settings continue to synchronize. @@ -4419,12 +4452,6 @@ If you disable this policy setting, Microsoft Office 2013 Upload Center user set If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4443,28 +4470,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4482,7 +4515,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Visio 2013. By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Visio 2013. By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers. If you enable this policy setting, Microsoft Visio 2013 user settings continue to synchronize. @@ -4491,12 +4524,7 @@ If you disable this policy setting, Microsoft Visio 2013 user settings are exclu If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4515,28 +4543,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4554,7 +4588,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Visio 2013. Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft Visio 2013. Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings. If you enable this policy setting, certain user settings of Microsoft Visio 2013 will continue to be backed up. @@ -4563,12 +4597,7 @@ If you disable this policy setting, certain user settings of Microsoft Visio 201 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4587,28 +4616,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4626,7 +4661,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Word 2013. By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Word 2013. By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers. If you enable this policy setting, Microsoft Word 2013 user settings continue to synchronize. @@ -4635,12 +4670,6 @@ If you disable this policy setting, Microsoft Word 2013 user settings are exclud If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4659,28 +4688,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4698,7 +4733,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Word 2013. Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings. +This policy setting configures the backup of certain user settings for Microsoft Word 2013. Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings. If you enable this policy setting, certain user settings of Microsoft Word 2013 will continue to be backed up. @@ -4707,12 +4742,6 @@ If you disable this policy setting, certain user settings of Microsoft Word 2013 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4731,28 +4760,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4770,7 +4805,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Access 2016. By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Access 2016. By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers. If you enable this policy setting, Microsoft Access 2016 user settings continue to synchronize. @@ -4779,12 +4814,6 @@ If you disable this policy setting, Microsoft Access 2016 user settings are excl If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4803,28 +4832,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4842,7 +4877,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Access 2016. Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings. +This policy setting configures the backup of certain user settings for Microsoft Access 2016. Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings. If you enable this policy setting, certain user settings of Microsoft Access 2016 will continue to be backed up. @@ -4851,12 +4886,7 @@ If you disable this policy setting, certain user settings of Microsoft Access 20 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4875,28 +4905,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4914,7 +4950,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers. +This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers. If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize. 
@@ -4923,12 +4959,7 @@ If you disable this policy setting, the user settings which are common between t If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4947,28 +4978,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4986,7 +5023,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 applications. +This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office Suite 2016 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2016 applications. If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will continue to be backed up. @@ -4996,12 +5033,7 @@ If you disable this policy setting, certain user settings which are common betwe If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5020,28 +5052,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -5059,7 +5097,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Excel 2016. By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Excel 2016. By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers. If you enable this policy setting, Microsoft Excel 2016 user settings continue to synchronize. @@ -5068,12 +5106,7 @@ If you disable this policy setting, Microsoft Excel 2016 user settings are exclu If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5092,28 +5125,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -5131,7 +5170,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Excel 2016. Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings. +This policy setting configures the backup of certain user settings for Microsoft Excel 2016. Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings. If you enable this policy setting, certain user settings of Microsoft Excel 2016 will continue to be backed up. @@ -5140,12 +5179,7 @@ If you disable this policy setting, certain user settings of Microsoft Excel 201 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5164,28 +5198,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -5203,7 +5243,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Lync 2016. By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Lync 2016. By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers. If you enable this policy setting, Microsoft Lync 2016 user settings continue to synchronize. @@ -5212,12 +5252,7 @@ If you disable this policy setting, Microsoft Lync 2016 user settings are exclud If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5236,28 +5271,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -5275,7 +5316,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Lync 2016. Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings. +This policy setting configures the backup of certain user settings for Microsoft Lync 2016. Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings. If you enable this policy setting, certain user settings of Microsoft Lync 2016 will continue to be backed up. @@ -5284,12 +5325,7 @@ If you disable this policy setting, certain user settings of Microsoft Lync 2016 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5308,28 +5344,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -5347,7 +5389,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for OneDrive for Business 2016. By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers. +This policy setting configures the synchronization of user settings for OneDrive for Business 2016. By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers. If you enable this policy setting, OneDrive for Business 2016 user settings continue to synchronize. @@ -5356,12 +5398,7 @@ If you disable this policy setting, OneDrive for Business 2016 user settings are If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5380,28 +5417,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -5419,7 +5462,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft OneNote 2016. By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft OneNote 2016. By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers. If you enable this policy setting, Microsoft OneNote 2016 user settings continue to synchronize. @@ -5428,12 +5471,6 @@ If you disable this policy setting, Microsoft OneNote 2016 user settings are exc If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5452,28 +5489,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -5491,7 +5534,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft OneNote 2016. Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings. +This policy setting configures the backup of certain user settings for Microsoft OneNote 2016. Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings. If you enable this policy setting, certain user settings of Microsoft OneNote 2016 will continue to be backed up. @@ -5500,12 +5543,7 @@ If you disable this policy setting, certain user settings of Microsoft OneNote 2 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5524,28 +5562,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -5563,7 +5607,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Outlook 2016. By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Outlook 2016. By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers. If you enable this policy setting, Microsoft Outlook 2016 user settings continue to synchronize. @@ -5572,12 +5616,6 @@ If you disable this policy setting, Microsoft Outlook 2016 user settings are exc If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5596,28 +5634,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -5635,7 +5679,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Outlook 2016. Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings. +This policy setting configures the backup of certain user settings for Microsoft Outlook 2016. Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings. If you enable this policy setting, certain user settings of Microsoft Outlook 2016 will continue to be backed up. @@ -5644,12 +5688,7 @@ If you disable this policy setting, certain user settings of Microsoft Outlook 2 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5668,28 +5707,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -5707,7 +5752,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016. By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016. By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers. If you enable this policy setting, Microsoft PowerPoint 2016 user settings continue to synchronize. @@ -5716,12 +5761,6 @@ If you disable this policy setting, Microsoft PowerPoint 2016 user settings are If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5740,28 +5779,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -5779,7 +5824,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016. Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings. +This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016. Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings. If you enable this policy setting, certain user settings of Microsoft PowerPoint 2016 will continue to be backed up. @@ -5788,12 +5833,6 @@ If you disable this policy setting, certain user settings of Microsoft PowerPoin If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5812,28 +5851,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -5851,7 +5896,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Project 2016. +This policy setting configures the synchronization of user settings for Microsoft Project 2016. By default, the user settings of Microsoft Project 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2016 from synchronization between computers. If you enable this policy setting, Microsoft Project 2016 user settings continue to synchronize. @@ -5861,12 +5906,7 @@ If you disable this policy setting, Microsoft Project 2016 user settings are exc If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5885,28 +5925,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -5924,7 +5970,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Project 2016. Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings. +This policy setting configures the backup of certain user settings for Microsoft Project 2016. Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings. If you enable this policy setting, certain user settings of Microsoft Project 2016 will continue to be backed up. @@ -5932,12 +5978,7 @@ If you disable this policy setting, certain user settings of Microsoft Project 2 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5956,28 +5997,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -5995,7 +6042,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Publisher 2016. By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Publisher 2016. By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers. If you enable this policy setting, Microsoft Publisher 2016 user settings continue to synchronize. @@ -6004,12 +6051,7 @@ If you disable this policy setting, Microsoft Publisher 2016 user settings are e If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6028,28 +6070,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -6067,7 +6115,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Publisher 2016. Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings. +This policy setting configures the backup of certain user settings for Microsoft Publisher 2016. Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings. If you enable this policy setting, certain user settings of Microsoft Publisher 2016 will continue to be backed up. @@ -6076,12 +6124,7 @@ If you disable this policy setting, certain user settings of Microsoft Publisher If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6099,28 +6142,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -6138,7 +6187,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center. By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center. By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers. If you enable this policy setting, Microsoft Office 2016 Upload Center user settings continue to synchronize. @@ -6147,12 +6196,7 @@ If you disable this policy setting, Microsoft Office 2016 Upload Center user set If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6171,28 +6215,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -6210,7 +6260,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Visio 2016. By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Visio 2016. By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers. If you enable this policy setting, Microsoft Visio 2016 user settings continue to synchronize. @@ -6219,12 +6269,6 @@ If you disable this policy setting, Microsoft Visio 2016 user settings are exclu If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6243,28 +6287,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -6282,7 +6332,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Visio 2016. Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings. +This policy setting configures the backup of certain user settings for Microsoft Visio 2016. Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings. If you enable this policy setting, certain user settings of Microsoft Visio 2016 will continue to be backed up. @@ -6291,12 +6341,7 @@ If you disable this policy setting, certain user settings of Microsoft Visio 201 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6315,28 +6360,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -6354,7 +6405,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Word 2016. By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers. +This policy setting configures the synchronization of user settings for Microsoft Word 2016. By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers. If you enable this policy setting, Microsoft Word 2016 user settings continue to synchronize. @@ -6363,12 +6414,6 @@ If you disable this policy setting, Microsoft Word 2016 user settings are exclud If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6387,28 +6432,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -6426,7 +6477,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Word 2016. Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings. +This policy setting configures the backup of certain user settings for Microsoft Word 2016. Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings. If you enable this policy setting, certain user settings of Microsoft Word 2016 will continue to be backed up. @@ -6435,12 +6486,7 @@ If you disable this policy setting, certain user settings of Microsoft Word 2016 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6459,28 +6505,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -6498,7 +6550,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Access 2013 user settings continue to sync with UE-V. 
@@ -6507,12 +6559,7 @@ If you disable this policy setting, Microsoft Office 365 Access 2013 user settin If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6531,28 +6578,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -6570,7 +6623,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Access 2016 user settings continue to sync with UE-V. 
@@ -6579,12 +6632,7 @@ If you disable this policy setting, Microsoft Office 365 Access 2016 user settin If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6603,28 +6651,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -6642,7 +6696,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V. If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize with UE-V. 
@@ -6651,12 +6705,7 @@ If you disable this policy setting, user settings which are common between the M If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6674,28 +6723,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -6713,7 +6768,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V. If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize with UE-V. 
@@ -6722,12 +6777,7 @@ If you disable this policy setting, user settings which are common between the M If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6746,28 +6796,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -6785,7 +6841,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Excel 2013 user settings continue to sync with UE-V. 
@@ -6794,12 +6850,7 @@ If you disable this policy setting, Microsoft Office 365 Excel 2013 user setting If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6818,28 +6869,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -6857,7 +6914,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Excel 2016 user settings continue to sync with UE-V. 
@@ -6866,12 +6923,7 @@ If you disable this policy setting, Microsoft Office 365 Excel 2016 user setting If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6890,28 +6942,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -6929,7 +6987,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 InfoPath 2013 user settings continue to sync with UE-V. 
@@ -6937,12 +6995,7 @@ If you disable this policy setting, Microsoft Office 365 InfoPath 2013 user sett If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -6961,28 +7014,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -7000,7 +7059,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Lync 2013 user settings continue to sync with UE-V. 
@@ -7009,12 +7068,7 @@ If you disable this policy setting, Microsoft Office 365 Lync 2013 user settings If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7033,28 +7087,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -7072,7 +7132,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Lync 2016 user settings continue to sync with UE-V. 
@@ -7081,12 +7141,7 @@ If you disable this policy setting, Microsoft Office 365 Lync 2016 user settings If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7105,28 +7160,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
@@ -7144,7 +7205,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V.
+This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V.
 If you enable this policy setting, Microsoft Office 365 OneNote 2013 user settings continue to sync with UE-V.
@@ -7153,12 +7214,7 @@ If you disable this policy setting, Microsoft Office 365 OneNote 2013 user setti If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7177,28 +7233,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
@@ -7216,7 +7278,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V.
+This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V.
 If you enable this policy setting, Microsoft Office 365 OneNote 2016 user settings continue to sync with UE-V.
@@ -7225,12 +7287,7 @@ If you disable this policy setting, Microsoft Office 365 OneNote 2016 user setti If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7249,28 +7306,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
@@ -7288,7 +7351,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V.
+This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V.
 If you enable this policy setting, Microsoft Office 365 Outlook 2013 user settings continue to sync with UE-V.
@@ -7297,12 +7360,7 @@ If you disable this policy setting, Microsoft Office 365 Outlook 2013 user setti If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7321,28 +7379,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
@@ -7360,7 +7424,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V.
+This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V.
 If you enable this policy setting, Microsoft Office 365 Outlook 2016 user settings continue to sync with UE-V.
@@ -7369,12 +7433,7 @@ If you disable this policy setting, Microsoft Office 365 Outlook 2016 user setti If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7393,28 +7452,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
@@ -7432,7 +7497,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V.
+This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V.
 If you enable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings continue to sync with UE-V.
@@ -7441,12 +7506,7 @@ If you disable this policy setting, Microsoft Office 365 PowerPoint 2013 user se If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7465,28 +7525,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
@@ -7504,7 +7570,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V.
+This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V.
 If you enable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings continue to sync with UE-V.
@@ -7513,12 +7579,7 @@ If you disable this policy setting, Microsoft Office 365 PowerPoint 2016 user se If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7537,28 +7598,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
@@ -7576,7 +7643,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V.
+This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V.
 If you enable this policy setting, Microsoft Office 365 Project 2013 user settings continue to sync with UE-V.
@@ -7585,12 +7652,7 @@ If you disable this policy setting, Microsoft Office 365 Project 2013 user setti If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7608,28 +7670,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
@@ -7647,7 +7715,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V.
+This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V.
 If you enable this policy setting, Microsoft Office 365 Project 2016 user settings continue to sync with UE-V.
@@ -7656,12 +7724,7 @@ If you disable this policy setting, Microsoft Office 365 Project 2016 user setti If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7680,28 +7743,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
@@ -7719,7 +7788,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V.
+This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V.
 If you enable this policy setting, Microsoft Office 365 Publisher 2013 user settings continue to sync with UE-V.
@@ -7728,12 +7797,7 @@ If you disable this policy setting, Microsoft Office 365 Publisher 2013 user set If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7752,28 +7816,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
@@ -7791,7 +7861,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V.
+This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V.
 If you enable this policy setting, Microsoft Office 365 Publisher 2016 user settings continue to sync with UE-V.
@@ -7800,12 +7870,6 @@ If you disable this policy setting, Microsoft Office 365 Publisher 2016 user set If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7824,28 +7888,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
@@ -7863,7 +7933,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V.
+This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V.
 If you enable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings continue to sync with UE-V.
@@ -7872,12 +7942,7 @@ If you disable this policy setting, Microsoft Office 365 SharePoint Designer 201 If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -7896,28 +7961,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
@@ -7935,7 +8006,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V.
+This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V.
 If you enable this policy setting, Microsoft Office 365 Visio 2013 user settings continue to sync with UE-V.
@@ -7944,12 +8015,6 @@ If you disable this policy setting, Microsoft Office 365 Visio 2013 user setting If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7968,28 +8033,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
@@ -8007,7 +8078,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V.
+This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V.
 If you enable this policy setting, Microsoft Office 365 Visio 2016 user settings continue to sync with UE-V.
@@ -8016,12 +8087,7 @@ If you disable this policy setting, Microsoft Office 365 Visio 2016 user setting If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8040,28 +8106,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -8079,7 +8151,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Word 2013 user settings continue to sync with UE-V. 
@@ -8088,12 +8160,7 @@ If you disable this policy setting, Microsoft Office 365 Word 2013 user settings If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8112,28 +8179,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -8151,7 +8224,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V. +This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Word 2016 user settings continue to sync with UE-V. 
@@ -8160,12 +8233,7 @@ If you disable this policy setting, Microsoft Office 365 Word 2016 user settings If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8184,28 +8252,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -8223,7 +8297,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Music app. By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers. +This policy setting configures the synchronization of user settings for the Music app. By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers. If you enable this policy setting, Music user settings continue to sync. @@ -8231,12 +8305,7 @@ If you disable this policy setting, Music user settings are excluded from the sy If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8255,28 +8324,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -8294,7 +8369,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the News app. By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers. +This policy setting configures the synchronization of user settings for the News app. By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers. If you enable this policy setting, News user settings continue to sync. @@ -8303,12 +8378,7 @@ If you disable this policy setting, News user settings are excluded from synchro If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8327,28 +8397,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -8366,7 +8442,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Notepad. By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers. +This policy setting configures the synchronization of user settings of Notepad. By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers. If you enable this policy setting, the Notepad user settings continue to synchronize. @@ -8375,12 +8451,7 @@ If you disable this policy setting, Notepad user settings are excluded from the If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8399,28 +8470,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -8438,7 +8515,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Reader app. By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers. +This policy setting configures the synchronization of user settings for the Reader app. By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers. If you enable this policy setting, Reader user settings continue to sync. @@ -8448,12 +8525,7 @@ If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8472,28 +8544,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -8511,19 +8589,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location. You can use this setting to override the default value of 2000 milliseconds. +This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location. You can use this setting to override the default value of 2000 milliseconds. If you enable this policy setting, set the number of milliseconds that the system waits to retrieve settings. If you disable or do not configure this policy setting, the default value of 2000 milliseconds is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8542,28 +8615,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -8581,19 +8660,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures where the settings package files that contain user settings are stored. +This policy setting configures where the settings package files that contain user settings are stored. If you enable this policy setting, the user settings are stored in the specified location. If you disable or do not configure this policy setting, the user settings are stored in the user’s home directory if configured for your environment. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8612,28 +8686,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -8651,7 +8731,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace the default Microsoft templates installed with the UE-V Agent. +This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace the default Microsoft templates installed with the UE-V Agent. If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location. @@ -8664,12 +8744,7 @@ If you disable this policy setting, the UE-V Agent will not use the custom setti If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8688,28 +8763,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -8727,7 +8808,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Sports app. By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers. +This policy setting configures the synchronization of user settings for the Sports app. By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers. If you enable this policy setting, Sports user settings continue to sync. @@ -8736,12 +8817,7 @@ If you disable this policy setting, Sports user settings are excluded from synch If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8760,28 +8836,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -8799,15 +8881,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies to Windows 10 or earlier. +This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies to Windows 10 or earlier. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8825,28 +8902,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -8864,7 +8947,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections. By default, the UE-V Agent does not synchronize settings over a metered connection. +This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections. By default, the UE-V Agent does not synchronize settings over a metered connection. With this setting enabled, the UE-V Agent synchronizes settings over a metered connection. @@ -8873,12 +8956,7 @@ With this setting disabled, the UE-V Agent does not synchronize settings over a If you do not configure this policy setting, any defined values are deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8897,28 +8975,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -8936,7 +9020,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections outside of the home provider network, for example when connected via a roaming connection. By default, the UE-V Agent does not synchronize settings over a metered connection that is roaming. +This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections outside of the home provider network, for example when connected via a roaming connection. By default, the UE-V Agent does not synchronize settings over a metered connection that is roaming. With this setting enabled, the UE-V Agent synchronizes settings over a metered connection that is roaming. @@ -8945,12 +9029,7 @@ With this setting disabled, the UE-V Agent will not synchronize settings over a If you do not configure this policy setting, any defined values are deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -8969,28 +9048,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -9008,7 +9093,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn’t attempt the synchronization. +This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn’t attempt the synchronization. If you enable this policy setting, the sync provider pings the settings storage location before synchronizing settings packages. @@ -9017,12 +9102,7 @@ If you disable this policy setting, the sync provider doesn’t ping the setting If you do not configure this policy, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -9041,28 +9121,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -9079,7 +9165,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE-V) Agent for Windows apps that are not explicitly listed in Windows App List. By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List. +This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE-V) Agent for Windows apps that are not explicitly listed in Windows App List. By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List. With this setting enabled, the settings of all Windows apps not expressly disable in the Windows App List are synchronized. @@ -9088,12 +9174,7 @@ With this setting disabled, only the settings of the Windows apps set to synchro If you do not configure this policy setting, any defined values are deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -9112,28 +9193,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -9151,7 +9238,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Travel app. By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers. +This policy setting configures the synchronization of user settings for the Travel app. By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers. If you enable this policy setting, Travel user settings continue to sync. @@ -9160,12 +9247,7 @@ If you disable this policy setting, Travel user settings are excluded from synch If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -9184,28 +9266,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -9222,19 +9310,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default, an icon appears in the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application, Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by double-clicking the icon. When this group policy setting is enabled, the UE-V tray icon is visible, the UE-V notifications display, and the Company Settings Center is accessible from the tray icon. +This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default, an icon appears in the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application, Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by double-clicking the icon. When this group policy setting is enabled, the UE-V tray icon is visible, the UE-V notifications display, and the Company Settings Center is accessible from the tray icon. With this setting disabled, the tray icon does not appear in the system tray, UE-V never displays notifications, and the user cannot access Company Settings Center from the system tray. The Company Settings Center remains accessible through the Control Panel and the Start menu or Start screen. If you do not configure this policy setting, any defined values are deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
-> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9253,28 +9335,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -9292,7 +9380,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Video app. By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers. +This policy setting configures the synchronization of user settings for the Video app. By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers. If you enable this policy setting, Video user settings continue to sync. @@ -9301,12 +9389,7 @@ If you disable this policy setting, Video user settings are excluded from synchr If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -9325,28 +9408,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -9364,7 +9453,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Weather app. By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers. +This policy setting configures the synchronization of user settings for the Weather app. By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers. If you enable this policy setting, Weather user settings continue to sync. @@ -9373,12 +9462,7 @@ If you disable this policy setting, Weather user settings are excluded from sync If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -9396,28 +9480,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -9435,7 +9525,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of WordPad. By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers. +This policy setting configures the synchronization of user settings of WordPad. By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers. If you enable this policy setting, the WordPad user settings continue to synchronize. @@ -9444,12 +9534,7 @@ If you disable this policy setting, WordPad user settings are excluded from the If you do not configure this policy setting, any defined values will be deleted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -9461,7 +9546,6 @@ ADMX Info:
-> [!NOTE]
-> These policies are currently only available as part of a Windows Insider release.
+
diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md
index 7e23b796b2..65da2ac7ab 100644
--- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md
+++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md
@@ -13,11 +13,15 @@ manager: dansimp
 ---
 # Policy CSP - ADMX_UserProfiles
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
                  +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ## ADMX_UserProfiles policies @@ -57,28 +61,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -95,19 +105,16 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days. Note: One day is interpreted as 24 hours after a specific user profile was accessed. +This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days. + +> [!NOTE] +> One day is interpreted as 24 hours after a specific user profile was accessed. If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that have not been used within the specified number of days. If you disable or do not configure this policy setting, User Profile Service will not automatically delete any profiles on the next system restart. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -126,28 +133,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -164,21 +177,16 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows forcefully unloads the user's registry at logoff, even if there are open handles to the per-user registry keys. +This policy setting controls whether Windows forcefully unloads the user's registry at logoff, even if there are open handles to the per-user registry keys. -Note: This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile. +> [!NOTE] +> This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile. If you enable this policy setting, Windows will not forcefully unload the users registry at logoff, but will unload the registry when all open handles to the per-user registry keys are closed. If you disable or do not configure this policy setting, Windows will always unload the users registry at logoff, even if there are any open handles to the per-user registry keys at user logoff. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. 
For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -197,28 +205,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -235,7 +249,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion. +This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion. By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior. @@ -247,12 +261,6 @@ If you disable or do not configure this policy setting, Windows will delete the > If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: 
@@ -271,28 +279,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -309,7 +323,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles. +This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles. If you disable this policy setting or do not configure it, the system does not limit the size of user profiles. @@ -321,16 +335,7 @@ If you enable this policy setting, you can: - Specify a customized message notifying users of the oversized profile. - Determine how often the customized message is displayed. -> [!NOTE] -> In operating systems earlier than Microsoft Windows Vista, Windows will not allow users to log off until the profile size has been reduced to within the allowable limit. In Microsoft Windows Vista, Windows will not block users from logging off. Instead, if the user has a roaming user profile, Windows will not synchronize the user's profile with the roaming profile server if the maximum profile size limit specified here is exceeded. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: 
@@ -349,28 +354,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -387,7 +398,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting will automatically log off a user when Windows cannot load their profile. +This policy setting will automatically log off a user when Windows cannot load their profile. If Windows cannot access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from logging on the user with a temporary profile. @@ -398,12 +409,6 @@ If you disable this policy setting or do not configure it, Windows logs on the u Also, see the "Delete cached copies of roaming profiles" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -422,28 +427,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -460,7 +471,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines a slow connection for roaming user profiles and establishes thresholds for two tests of network speed. +This policy setting defines a slow connection for roaming user profiles and establishes thresholds for two tests of network speed. To determine the network performance characteristics, a connection is made to the file share storing the user's profile and 64 kilobytes of data is transferred. From that connection and data transfer, the network's latency and connection speed are determined. 
@@ -471,12 +482,6 @@ If you enable this policy setting, you can change how long Windows waits for a r If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond.Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections.Important: If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -495,28 +500,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -533,7 +544,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a logon session. +This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a logon session. If you enable this policy setting, the user's home folder is configured to the specified local or network location, creating a new folder for each user name. @@ -549,12 +560,6 @@ If you disable or do not configure this policy setting, the user's home folder i If the "Set Remote Desktop Services User Home Directory" policy setting is enabled, the “Set user home folder” policy setting has no effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -573,28 +578,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -611,7 +622,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from managing the ability to allow apps to access the user name, account picture, and domain information. +This setting prevents users from managing the ability to allow apps to access the user name, account picture, and domain information. If you enable this policy setting, sharing of user name, picture and domain information may be controlled by setting one of the following options: @@ -622,12 +633,6 @@ If you enable this policy setting, sharing of user name, picture and domain info If you do not configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources if users choose to turn the setting off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -641,6 +646,4 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md index 2d0f47d74c..ceb56a9803 100644 --- a/windows/client-management/mdm/policy-csp-admx-w32time.md +++ b/windows/client-management/mdm/policy-csp-admx-w32time.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_W32Time -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -45,28 +49,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -83,7 +93,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers including RODCs. +This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers including RODCs. If this policy setting is enabled, W32time Service on target machines use the settings provided here. Otherwise, the service on target machines use locally configured settings values. @@ -166,12 +176,7 @@ This parameter controls whether or not the chaining mechanism is disabled. If ch This parameter controls the frequency at which an event that indicates the number of successful and unsuccessful chaining attempts is logged to the System log in Event Viewer. Default: 30 minutes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -190,28 +195,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -228,7 +239,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a set of parameters for controlling the Windows NTP Client. +This policy setting specifies a set of parameters for controlling the Windows NTP Client. If you enable this policy setting, you can specify the following parameters for the Windows NTP Client. @@ -256,12 +267,7 @@ This NTP client value, expressed in seconds, controls how often a manually confi This value is a bitmask that controls events that may be logged to the System log in Event Viewer. Setting this value to 0x1 indicates that W32time will create an event whenever a time jump is detected. Setting this value to 0x2 indicates that W32time will create an event whenever a time source change is made. Because it is a bitmask value, setting 0x3 (the addition of 0x1 and 0x2) indicates that both time jumps and time source changes will be logged. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -280,28 +286,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -318,7 +330,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the Windows NTP Client is enabled. +This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. @@ -327,12 +339,7 @@ If you enable this policy setting, you can set the local computer clock to synch If you disable or do not configure this policy setting, the local computer clock does not synchronize time with NTP servers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -351,28 +358,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -389,19 +402,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the Windows NTP Server is enabled. +This policy setting allows you to specify whether the Windows NTP Server is enabled. If you enable this policy setting for the Windows NTP Server, your computer can service NTP requests from other computers. If you disable or do not configure this policy setting, your computer cannot service NTP requests from other computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -414,8 +421,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md index 3ec0e0695a..add85c7c05 100644 --- a/windows/client-management/mdm/policy-csp-admx-wcm.md +++ b/windows/client-management/mdm/policy-csp-admx-wcm.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_WCM -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -42,28 +46,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -80,19 +90,13 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that power management is disabled when the machine enters connected standby mode. +This policy setting specifies that power management is disabled when the machine enters connected standby mode. If this policy setting is enabled, Windows Connection Manager does not manage adapter radios to reduce power consumption when the machine enters connected standby mode. If this policy setting is not configured or is disabled, power management is enabled when the machine enters connected standby mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -111,28 +115,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -149,7 +159,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows will soft-disconnect a computer from a network. +This policy setting determines whether Windows will soft-disconnect a computer from a network. If this policy setting is enabled or not configured, Windows will soft-disconnect a computer from a network when it determines that the computer should no longer be connected to a network. @@ -164,12 +174,7 @@ When soft disconnect is enabled: This policy setting depends on other group policy settings. For example, if 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is disabled, Windows will not disconnect from any networks. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -188,28 +193,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -226,7 +237,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines if a computer can have multiple connections to the internet or to a Windows domain. If multiple connections are allowed, it then determines how network traffic will be routed. +This policy setting determines if a computer can have multiple connections to the internet or to a Windows domain. If multiple connections are allowed, it then determines how network traffic will be routed. If this policy setting is set to 0, a computer can have simultaneous connections to the internet, to a Windows domain, or to both. Internet traffic can be routed over any connection - including a cellular connection and any metered network. This was previously the Disabled state for this policy setting. This option was first available in Windows 8. @@ -239,12 +250,6 @@ If this policy setting is set to 3, the behavior is similar to 2. However, if th This policy setting is related to the "Enable Windows to soft-disconnect a computer from a network" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -257,8 +262,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-wdi.md b/windows/client-management/mdm/policy-csp-admx-wdi.md new file mode 100644 index 0000000000..900905feee --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-wdi.md @@ -0,0 +1,185 @@ +--- +title: Policy CSP - ADMX_WDI +description: Policy CSP - ADMX_WDI +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WDI + +
                  + + +## ADMX_WDI policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
                  +
                  + ADMX_WDI/WdiDpsScenarioExecutionPolicy +
                  +
                  + ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy +
                  +
                  + + +
                  + + +**ADMX_WDI/WdiDpsScenarioExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting determines the data retention limit for Diagnostic Policy Service (DPS) scenario data. +- If you enable this policy setting, you must enter the maximum size of scenario data that should be retained in megabytes. Detailed troubleshooting data related to scenarios will be retained until this limit is reached. +- If you disable or do not configure this policy setting, the DPS deletes scenario data once it exceeds 128 megabytes in size. +No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. +This policy setting will only take effect when the Diagnostic Policy Service is in the running state. +When the service is stopped or disabled, diagnostic scenario data will not be deleted. +The DPS can be configured with the Services snap-in to the Microsoft Management Console. + + + + +ADMX Info: +- GP Friendly name: *Diagnostics: Configure scenario retention* +- GP name: *WdiDpsScenarioExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics* +- GP ADMX file name: *WDI.admx* + + + +
                  + + +**ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting determines the execution level for Diagnostic Policy Service (DPS) scenarios. + +- If you enable this policy setting, you must select an execution level from the drop-down menu. + +If you select problem detection and troubleshooting only, the DPS will detect problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will attempt to automatically fix problems it detects or indicate to the user that assisted resolution is available. + +- If you disable this policy setting, Windows cannot detect, troubleshoot, or resolve any problems that are handled by the DPS. + +If you do not configure this policy setting, the DPS enables all scenarios for resolution by default, unless you configure separate scenario-specific policy settings. This policy setting takes precedence over any scenario-specific policy settings when it is enabled or disabled. Scenario-specific policy settings only take effect if this policy setting is not configured. No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. + + + + +ADMX Info: +- GP Friendly name: *Diagnostics: Configure scenario execution level* +- GP name: *WdiDpsScenarioDataSizeLimitPolicy* +- GP path: *System\Troubleshooting and Diagnostics* +- GP ADMX file name: *WDI.admx* + + + +
                  + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-wincal.md b/windows/client-management/mdm/policy-csp-admx-wincal.md index a289a23d5b..763b758caf 100644 --- a/windows/client-management/mdm/policy-csp-admx-wincal.md +++ b/windows/client-management/mdm/policy-csp-admx-wincal.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_WinCal -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -39,28 +43,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -77,7 +87,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. +Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. If you enable this setting, Windows Calendar will be turned off. @@ -86,12 +96,6 @@ If you disable or do not configure this setting, Windows Calendar will be turned The default is for Windows Calendar to be turned on. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -112,28 +116,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -150,7 +160,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. +Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. If you enable this setting, Windows Calendar will be turned off. @@ -159,12 +169,7 @@ If you disable or do not configure this setting, Windows Calendar will be turned The default is for Windows Calendar to be turned on. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -177,8 +182,5 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - diff --git a/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md b/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md deleted file mode 100644 index ab4c4a6c88..0000000000 --- a/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md +++ /dev/null @@ -1,106 +0,0 @@ ---- -title: Policy CSP - ADMX_WindowsAnytimeUpgrade -description: Policy CSP - ADMX_WindowsAnytimeUpgrade -ms.author: dansimp -ms.localizationpriority: medium -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 09/29/2020 -ms.reviewer: -manager: dansimp ---- - -# Policy CSP - ADMX_WindowsAnytimeUpgrade -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - -
                  - - -## ADMX_WindowsAnytimeUpgrade policies - -
                  -
                  - ADMX_WindowsAnytimeUpgrade/Disabled -
                  -
                  - - -
                  - - -**ADMX_WindowsAnytimeUpgrade/Disabled** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  - - -
                  - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
                  - - - -Available in the latest Windows 10 Insider Preview Build. By default, Add features to Windows 10 is available for all administrators. - -If you enable this policy setting, the wizard will not run. - -If you disable this policy setting or set it to Not Configured, the wizard will run. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Prevent the wizard from running.* -- GP name: *Disabled* -- GP path: *Windows Components\Add features to Windows 10* -- GP ADMX file name: *WindowsAnytimeUpgrade.admx* - - - -
                  - -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - - diff --git a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md new file mode 100644 index 0000000000..fe79bb59e1 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md @@ -0,0 +1,182 @@ +--- +title: Policy CSP - ADMX_WindowsColorSystem +description: Policy CSP - ADMX_WindowsColorSystem +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/27/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WindowsColorSystem + +
                  + + +## ADMX_WindowsColorSystem policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
                  +
                  + ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_1 +
                  +
                  + ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_2 +
                  +
                  + + +
                  + + +**WindowsColorSystem/ProhibitChangingInstalledProfileList_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
                  + + + +This policy setting affects the ability of users to install or uninstall color profiles. + +- If you enable this policy setting, users cannot install new color profiles or uninstall previously installed color profiles. + +- If you disable or do not configure this policy setting, all users can install new color profiles. Standard users can uninstall color profiles that they previously installed. Administrators will be able to uninstall all color profiles. + + + + +ADMX Info: +- GP Friendly name: *Prohibit installing or uninstalling color profiles* +- GP name: *ProhibitChangingInstalledProfileList_1* +- GP path: *Windows Components\Windows Color System* +- GP ADMX file name: *WindowsColorSystem.admx* + + + +
                  + + +**WindowsColorSystem/ProhibitChangingInstalledProfileList_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
                  + + + +This policy setting affects the ability of users to install or uninstall color profiles. + +- If you enable this policy setting, users cannot install new color profiles or uninstall previously installed color profiles. + +- If you disable or do not configure this policy setting, all users can install new color profiles. Standard users can uninstall color profiles that they previously installed. Administrators will be able to uninstall all color profiles. + + + + +ADMX Info: +- GP Friendly name: *Prohibit installing or uninstalling color profiles* +- GP name: *ProhibitChangingInstalledProfileList_2* +- GP path: *Windows Components\Windows Color System* +- GP ADMX file name: *WindowsColorSystem.admx* + + + + +
                  + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md index 80b1fb90ac..72c88fc9ca 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_WindowsConnectNow -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -42,28 +46,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
@@ -80,19 +90,13 @@ manager: dansimp
-Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits access to Windows Connect Now (WCN) wizards.
+This policy setting prohibits access to Windows Connect Now (WCN) wizards.
-If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled.
+If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration-related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled.
-If you disable or do not configure this policy setting, users can access the wizard tasks, including "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards.
+If you disable or don't configure this policy setting, users can access the wizard tasks. They are "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards.
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 ADMX Info:
@@ -111,28 +115,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
@@ -149,19 +159,14 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits access to Windows Connect Now (WCN) wizards.
+This policy setting prohibits access to Windows Connect Now (WCN) wizards.
-If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled.
+If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration-related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled.
-If you disable or do not configure this policy setting, users can access the wizard tasks, including "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards.
+If you disable or don't configure this policy setting, users can access the wizard tasks. They are "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards.
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
@@ -180,28 +185,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -218,25 +229,20 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 WLAN, through the Windows Portable Device API (WPD), and via USB Flash drives.
+This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 WLAN, through the Windows Portable Device API (WPD), and via USB Flash drives.
-Additional options are available to allow discovery and configuration over a specific medium.
+More options are available to allow discovery and configuration over a specific medium.
-If you enable this policy setting, additional choices are available to turn off the operations over a specific medium.
+If you enable this policy setting, more choices are available to turn off the operations over a specific medium.
 If you disable this policy setting, operations are disabled over all media.
-If you do not configure this policy setting, operations are enabled over all media.
+If you don't configure this policy setting, operations are enabled over all media.
 The default for this policy setting allows operations over all media.
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
@@ -249,8 +255,7 @@ ADMX Info:
-> [!NOTE]
-> These policies are currently only available as part of a Windows Insider release.
+
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
index 7ffcac7be2..e1535033ad 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
@@ -13,8 +13,13 @@ manager: dansimp
 ---
 # Policy CSP - ADMX_WindowsExplorer
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+> [!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -247,28 +252,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -285,7 +296,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent data loss when you change the target location for Folder Redirection, and the new and old targets point to the same network share, but have different network paths. +This policy setting allows you to prevent data loss when you change the target location for Folder Redirection, and the new and old targets point to the same network share, but have different network paths. If you enable this policy setting, Folder Redirection creates a temporary file in the old location in order to verify that new and old locations point to the same network share. If both new and old locations point to the same share, the target path is updated and files are not copied or deleted. The temporary file is deleted. @@ -295,12 +306,7 @@ If you disable or do not configure this policy setting, Folder Redirection does > If the paths point to different network shares, this policy setting is not required. If the paths point to the same network share, any data contained in the redirected folders is deleted if this policy setting is not enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -320,28 +326,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
@@ -358,7 +370,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior.
+This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior.
 If you enable this setting, users cannot configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a result, the user interface looks and operates like the interface for Windows NT 4.0, and users cannot restore the new features.
@@ -366,16 +378,9 @@ Enabling this policy will also turn off the preview pane and set the folder opti If you disable or not configure this policy, the default File Explorer behavior is applied to the user. -> [!NOTE] -> In operating systems earlier than Windows Vista, enabling this policy will also disable the Active Desktop and Web view. This setting will also take precedence over the "Enable Active Desktop" setting. If both policies are enabled, Active Desktop is disabled. Also, see the "Disable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop and the "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" setting in User Configuration\Administrative Templates\Windows Components\File Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -394,28 +399,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -432,19 +443,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Allows you to have File Explorer display a confirmation dialog whenever a file is deleted or moved to the Recycle Bin. +Allows you to have File Explorer display a confirmation dialog whenever a file is deleted or moved to the Recycle Bin. If you enable this setting, a confirmation dialog is displayed when a file is deleted or moved to the Recycle Bin by the user. If you disable or do not configure this setting, the default behavior of not displaying a confirmation dialog occurs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -463,28 +469,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -502,19 +514,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a location where all default Library definition files for users/machines reside. +This policy setting allows you to specify a location where all default Library definition files for users/machines reside. If you enable this policy setting, administrators can specify a path where all default Library definition files for users reside. The user will not be allowed to make changes to these Libraries from the UI. On every logon, the policy settings are verified and Libraries for the user are updated or changed according to the path defined. If you disable or do not configure this policy setting, no changes are made to the location of the default Library definition files. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -533,28 +540,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -572,19 +585,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to the IPropertySetStorage implementation, and to include the intermediate layers provided by the Property System. +Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to the IPropertySetStorage implementation, and to include the intermediate layers provided by the Property System. This behavior is consistent with Windows Vista's behavior in this scenario. This disables access to user-defined properties, and properties stored in NTFS secondary streams. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -603,28 +611,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -641,7 +655,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to function properly. +This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to function properly. If you enable this policy, some Windows Libraries features will be turned off to better handle included folders that have been redirected to non-indexed network locations. @@ -658,12 +672,7 @@ If you enable this policy, Windows Libraries features that rely on indexed file If you disable or do not configure this policy, all default Windows Libraries features will be enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -683,28 +692,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -721,22 +736,17 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a list of known folders that should be disabled. +This policy setting allows you to specify a list of known folders that should be disabled. Disabling a known folder will prevent the underlying file or directory from being created via the known folder API. If the folder exists before the policy is applied, the folder must be manually deleted since the policy only blocks the creation of the folder. -You can specify a known folder using its known folder id or using its canonical name. For example, the Sample Videos known folder can be disabled by specifying {440fcffd-a92b-4739-ae1a-d4a54907c53f} or SampleVideos. +You can specify a known folder using its known folder ID or using its canonical name. For example, the Sample Videos known folder can be disabled by specifying {440fcffd-a92b-4739-ae1a-d4a54907c53f} or SampleVideos. > [!NOTE] > Disabling a known folder can introduce application compatibility issues in applications that depend on the existence of the known folder. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -755,28 +765,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -793,7 +809,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Disables suggesting recent queries for the Search Box and prevents entries into the Search Box from being stored in the registry for future references. +Disables suggesting recent queries for the Search Box and prevents entries into the Search Box from being stored in the registry for future references. File Explorer shows suggestion pop-ups as users type into the Search Box. @@ -803,12 +819,7 @@ These suggestions are based on their past entries into the Search Box. > If you enable this policy, File Explorer will not show suggestion pop-ups as users type into the Search Box, and it will not store Search Box entries into the registry for future references. If the user types a property, values that match this property will be shown but no data will be saved in the registry or re-shown on subsequent uses of the search box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -828,28 +839,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -866,7 +883,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether remote paths can be used for file shortcut (.lnk file) icons. +This policy setting determines whether remote paths can be used for file shortcut (.lnk file) icons. If you enable this policy setting, file shortcut icons are allowed to be obtained from remote paths. @@ -876,12 +893,7 @@ If you disable or do not configure this policy setting, file shortcut icons that > Allowing the use of remote paths in file shortcut icons can expose users’ computers to security risks. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -901,28 +913,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -939,7 +957,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious. +This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. @@ -955,12 +973,7 @@ If you disable this policy, SmartScreen will be turned off for all users. Users If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -979,28 +992,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1017,7 +1036,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting is designed to ensure that shell extensions can operate on a per-user basis. +This setting is designed to ensure that shell extensions can operate on a per-user basis. If you enable this setting, Windows is directed to only run those shell extensions that have either been approved by an administrator or that will not impact other users of the machine. A shell extension only runs if there is an entry in at least one of the following locations in registry. @@ -1026,12 +1045,7 @@ For shell extensions that have been approved by the administrator and are availa For shell extensions to run on a per-user basis, there must be an entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1050,28 +1064,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1089,19 +1109,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened. +This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened. If you enable this policy setting, you can set how the ribbon appears the first time users open File Explorer and whenever they open new windows. If you disable or do not configure this policy setting, users can choose how the ribbon appears when they open new windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1120,28 +1135,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1158,19 +1179,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off the display of snippets in Content view mode. +This policy setting allows you to turn off the display of snippets in Content view mode. If you enable this policy setting, File Explorer will not display snippets in Content view mode. If you disable or do not configure this policy setting, File Explorer shows snippets in Content view mode by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1189,28 +1205,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -1228,7 +1250,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. 
Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. @@ -1239,12 +1261,7 @@ If you do not configure this policy setting, users can preview items and get cus Changes to this setting may not be applied until the user logs off from Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1263,28 +1280,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -1302,7 +1325,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. 
Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. @@ -1313,12 +1336,7 @@ If you do not configure this policy setting, users can preview items and get cus Changes to this setting may not be applied until the user logs off from Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1337,28 +1355,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -1376,7 +1400,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. 
Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. @@ -1387,12 +1411,7 @@ If you do not configure this policy setting, users can preview items and get cus Changes to this setting may not be applied until the user logs off from Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1411,28 +1430,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -1450,7 +1475,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. 
Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. @@ -1461,12 +1486,7 @@ If you do not configure this policy setting, users can preview items and get cus Changes to this setting may not be applied until the user logs off from Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1485,28 +1505,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -1524,7 +1550,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. 
Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. @@ -1535,12 +1561,7 @@ If you do not configure this policy setting, users can preview items and get cus Changes to this setting may not be applied until the user logs off from Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1559,28 +1580,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -1598,7 +1625,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. 
Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. @@ -1609,12 +1636,7 @@ If you do not configure this policy setting, users can preview items and get cus Changes to this setting may not be applied until the user logs off from Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1633,28 +1655,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -1672,7 +1700,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. 
Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. @@ -1683,12 +1711,7 @@ If you do not configure this policy setting, users cannot preview items or get c Changes to this setting may not be applied until the user logs off from Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1707,28 +1730,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -1746,7 +1775,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. 
Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. @@ -1757,12 +1786,7 @@ If you do not configure this policy setting, users cannot preview items or get c Changes to this setting may not be applied until the user logs off from Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1781,28 +1805,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -1820,7 +1850,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. 
Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. @@ -1831,12 +1861,7 @@ If you do not configure this policy setting, users can preview items and get cus Changes to this setting may not be applied until the user logs off from Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1855,28 +1880,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -1894,7 +1925,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. 
Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. @@ -1905,12 +1936,7 @@ If you do not configure this policy setting, users can preview items and get cus Changes to this setting may not be applied until the user logs off from Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1929,28 +1955,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1968,7 +2000,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -1977,12 +2009,7 @@ If you disable this policy setting, users are prevented from performing OpenSear If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2001,28 +2028,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2040,7 +2073,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -2049,12 +2082,7 @@ If you disable this policy setting, users are prevented from performing OpenSear If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2073,28 +2101,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2112,7 +2146,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -2121,12 +2155,7 @@ If you disable this policy setting, users are prevented from performing OpenSear If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2145,28 +2174,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2184,7 +2219,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -2193,12 +2228,7 @@ If you disable this policy setting, users are prevented from performing OpenSear If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2217,28 +2247,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2256,7 +2292,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -2265,12 +2301,7 @@ If you disable this policy setting, users are prevented from performing OpenSear If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2289,28 +2320,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2328,7 +2365,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -2337,12 +2374,7 @@ If you disable this policy setting, users are prevented from performing OpenSear If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2361,28 +2393,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2400,7 +2438,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -2409,12 +2447,7 @@ If you disable this policy setting, users are prevented from performing OpenSear If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2434,28 +2467,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2473,7 +2512,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -2482,12 +2521,7 @@ If you disable this policy setting, users are prevented from performing OpenSear If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2507,28 +2541,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2546,7 +2586,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -2555,12 +2595,7 @@ If you disable this policy setting, users are prevented from performing OpenSear If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2579,28 +2614,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2618,7 +2659,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -2627,12 +2668,7 @@ If you disable this policy setting, users are prevented from performing OpenSear If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2651,28 +2687,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2689,7 +2731,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows traces shortcuts back to their sources when it cannot find the target on the user's system. +This policy setting determines whether Windows traces shortcuts back to their sources when it cannot find the target on the user's system. Shortcut files typically include an absolute path to the original target file as well as the relative path to the current target file. When the system cannot find the file in the current target path, then, by default, it searches for the target in the original path. If the shortcut has been copied to a different computer, the original path might lead to a network computer, including external resources, such as an Internet server. @@ -2698,12 +2740,7 @@ If you enable this policy setting, Windows only searches the current target path If you disable or do not configure this policy setting, Windows searches for the original path when it cannot find the target file in the current target path. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2722,28 +2759,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2760,19 +2803,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set the maximum number of shortcuts the system can display in the Recent Items menu on the Start menu. The Recent Items menu contains shortcuts to the nonprogram files the user has most recently opened. +This policy setting allows you to set the maximum number of shortcuts the system can display in the Recent Items menu on the Start menu. The Recent Items menu contains shortcuts to the nonprogram files the user has most recently opened. If you enable this policy setting, the system displays the number of shortcuts specified by the policy setting. If you disable or do not configure this policy setting, by default, the system displays shortcuts to the 10 most recently opened documents. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2791,28 +2829,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -2829,23 +2873,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Hide the Back button in the Open dialog box. This policy setting lets you remove new features added in Microsoft Windows 2000 Professional, so the Open dialog box appears as it did in Windows NT 4.0 and earlier. This policy setting affects only programs that use the standard Open dialog box provided to developers of Windows programs. +Hide the Back button in the Open dialog box. This policy setting lets you remove new features added in Microsoft Windows 2000 Professional, so the Open dialog box appears as it did in Windows NT 4.0 and earlier. This policy setting affects only programs that use the standard Open dialog box provided to developers of Windows programs. If you enable this policy setting, the Back button is removed from the standard Open dialog box. If you disable or do not configure this policy setting, the Back button is displayed for any standard Open dialog box. To see an example of the standard Open dialog box, start Notepad and, on the File menu, click Open. -> [!NOTE] -> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. Also, third-party applications with Windows 2000 or later certification to are required to adhere to this policy setting. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. 
To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2864,28 +2899,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2902,7 +2943,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove CD Burning features. File Explorer allows you to create and modify re-writable CDs if you have a CD writer connected to your PC. +This policy setting allows you to remove CD Burning features. File Explorer allows you to create and modify re-writable CDs if you have a CD writer connected to your PC. If you enable this policy setting, all features in the File Explorer that allow you to use your CD writer are removed. @@ -2912,12 +2953,7 @@ If you disable or do not configure this policy setting, users are able to use th > This policy setting does not prevent users from using third-party applications to create or modify CDs using a CD writer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2936,28 +2972,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -2974,7 +3016,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off caching of thumbnail pictures. +This policy setting allows you to turn off caching of thumbnail pictures. If you enable this policy setting, thumbnail views are not cached. @@ -2984,12 +3026,7 @@ If you disable or do not configure this policy setting, thumbnail views are cach > For shared corporate workstations or computers where security is a top concern, you should enable this policy setting to turn off the thumbnail view cache, because the thumbnail cache can be read by everyone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3008,28 +3045,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3046,7 +3089,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from enabling or disabling minor animations in the operating system for the movement of windows, menus, and lists. +This policy setting allows you to prevent users from enabling or disabling minor animations in the operating system for the movement of windows, menus, and lists. If you enable this policy setting, the "Use transition effects for menus and tooltips" option in Display in Control Panel is disabled, and cannot be toggled by users. @@ -3055,12 +3098,7 @@ Effects, such as animation, are designed to enhance the user's experience but mi If you disable or do not configure this policy setting, users are allowed to turn on or off these minor system animations using the "Use transition effects for menus and tooltips" option in Display in Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3079,28 +3117,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3117,17 +3161,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Disables the "Hide keyboard navigation indicators until I use the ALT key" option in Display in Control Panel. When this Display Properties option is selected, the underlining that indicates a keyboard shortcut character (hot key) does not appear on menus until you press ALT. +Disables the "Hide keyboard navigation indicators until I use the ALT key" option in Display in Control Panel. When this Display Properties option is selected, the underlining that indicates a keyboard shortcut character (hot key) does not appear on menus until you press ALT. Effects, such as transitory underlines, are designed to enhance the user's experience but might be confusing or distracting to some users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3146,28 +3185,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3184,19 +3229,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the DFS tab from File Explorer. +This policy setting allows you to remove the DFS tab from File Explorer. If you enable this policy setting, the DFS (Distributed File System) tab is removed from File Explorer and from other programs that use the File Explorer browser, such as My Computer. As a result, users cannot use this tab to view or change the properties of the DFS shares available from their computer. This policy setting does not prevent users from using other methods to configure DFS. If you disable or do not configure this policy setting, the DFS tab is available. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3215,28 +3255,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3253,7 +3299,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide these specified drives in My Computer. +This policy setting allows you to hide these specified drives in My Computer. This policy setting allows you to remove the icons representing selected hard drives from My Computer and File Explorer. Also, the drive letters representing the selected drives do not appear in the standard Open dialog box. @@ -3265,12 +3311,7 @@ If you enable this policy setting, select a drive or combination of drives in th If you disable or do not configure this policy setting, all drives are displayed, or select the "Do not restrict drives" option in the drop-down list. Also, see the "Prevent access to drives from My Computer" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3289,28 +3330,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3327,7 +3374,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes all computers outside of the user's workgroup or local domain from lists of network resources in File Explorer and Network Locations. +Removes all computers outside of the user's workgroup or local domain from lists of network resources in File Explorer and Network Locations. If you enable this setting, the system removes the Entire Network option and the icons representing networked computers from Network Locations and from the browser associated with the Map Network Drive option. @@ -3339,12 +3386,7 @@ To remove computers in the user's workgroup or domain from lists of network reso > It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3363,28 +3405,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3401,7 +3449,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the list of most recently used files from the Open dialog box. +Removes the list of most recently used files from the Open dialog box. If you disable this setting or do not configure it, the "File name" field includes a drop-down list of recently used files. If you enable this setting, the "File name" field is a simple text box. Users must browse directories to find a file or type a file name in the text box. @@ -3409,16 +3457,10 @@ This setting, and others in this folder, lets you remove new features added in W To see an example of the standard Open dialog box, start WordPad and, on the File menu, click Open. -> [!NOTE] -> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3437,28 +3479,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3475,17 +3523,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the File menu from My Computer and File Explorer. +Removes the File menu from My Computer and File Explorer. This setting does not prevent users from using other methods to perform tasks available on the File menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3504,28 +3547,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3542,7 +3591,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from accessing Folder Options through the View tab on the ribbon in File Explorer. +This policy setting allows you to prevent users from accessing Folder Options through the View tab on the ribbon in File Explorer. Folder Options allows users to change the way files and folders open, what appears in the navigation pane, and other advanced view settings. @@ -3551,12 +3600,7 @@ If you enable this policy setting, users will receive an error message if they t If you disable or do not configure this policy setting, users can open Folder Options from the View tab on the ribbon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3575,28 +3619,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3613,15 +3663,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Hardware tab. This setting removes the Hardware tab from Mouse, Keyboard, and Sounds and Audio Devices in Control Panel. It also removes the Hardware tab from the Properties dialog box for all local drives, including hard drives, floppy disk drives, and CD-ROM drives. As a result, users cannot use the Hardware tab to view or change the device list or device properties, or use the Troubleshoot button to resolve problems with the device. +Removes the Hardware tab. This setting removes the Hardware tab from Mouse, Keyboard, and Sounds and Audio Devices in Control Panel. It also removes the Hardware tab from the Properties dialog box for all local drives, including hard drives, floppy disk drives, and CD-ROM drives. As a result, users cannot use the Hardware tab to view or change the device list or device properties, or use the Troubleshoot button to resolve problems with the device. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3640,28 +3685,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3678,22 +3729,17 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Manage item from the File Explorer context menu. This context menu appears when you right-click File Explorer or My Computer. +Removes the Manage item from the File Explorer context menu. This context menu appears when you right-click File Explorer or My Computer. The Manage item opens Computer Management (Compmgmt.msc), a console tool that includes many of the primary Windows 2000 administrative tools, such as Event Viewer, Device Manager, and Disk Management. You must be an administrator to use many of the features of these tools. This setting does not remove the Computer Management item from the Start menu (Start, Programs, Administrative Tools, Computer Management), nor does it prevent users from using other methods to start Computer Management. -> [!TIP] +> [!NOTE] > To hide all context menus, use the "Remove File Explorer's default context menu" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3712,28 +3758,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3750,22 +3802,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Shared Documents folder from My Computer. When a Windows client is in a workgroup, a Shared Documents icon appears in the File Explorer Web view under "Other Places" and also under "Files Stored on This Computer" in My Computer. Using this policy setting, you can choose not to have these items displayed. +This policy setting allows you to remove the Shared Documents folder from My Computer. When a Windows client is in a workgroup, a Shared Documents icon appears in the File Explorer Web view under "Other Places" and also under "Files Stored on This Computer" in My Computer. Using this policy setting, you can choose not to have these items displayed. If you enable this policy setting, the Shared Documents folder is not displayed in the Web view or in My Computer. If you disable or do not configure this policy setting, the Shared Documents folder is displayed in Web view and also in My Computer when the client is part of a workgroup. -> [!NOTE] -> The ability to remove the Shared Documents folder via Group Policy is only available on Windows XP Professional. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3784,28 +3828,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3822,24 +3872,19 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from using File Explorer or Network Locations to map or disconnect network drives. +Prevents users from using File Explorer or Network Locations to map or disconnect network drives. If you enable this setting, the system removes the Map Network Drive and Disconnect Network Drive commands from the toolbar and Tools menus in File Explorer and Network Locations and from menus that appear when you right-click the File Explorer or Network Locations icons. This setting does not prevent users from connecting to another computer by typing the name of a shared folder in the Run dialog box. > [!NOTE] -> This setting was documented incorrectly on the Explain tab in Group Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives. +> This setting was documented incorrectly on the Explain tab in MDM Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives. > > It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -3858,28 +3903,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3896,17 +3947,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy removes the end-user notification for new application associations. These associations are based on file types (e.g. *.txt) or protocols (e.g. http:). +This policy removes the end-user notification for new application associations. These associations are based on file types (e.g. *.txt) or protocols (e.g. http:). -If this group policy is enabled, no notifications will be shown. If the group policy is not configured or disabled, notifications will be shown to the end user if a new application has been installed that can handle the file type or protocol association that was invoked. +If this MDM Policy is enabled, no notifications will be shown. If the MDM Policy is not configured or disabled, notifications will be shown to the end user if a new application has been installed that can handle the file type or protocol association that was invoked. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3925,28 +3971,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -3963,20 +4015,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the shortcut bar from the Open dialog box. This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs. +Removes the shortcut bar from the Open dialog box. This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs. To see an example of the standard Open dialog box, start WordPad and, on the File menu, click Open. -> [!NOTE] -> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -3995,28 +4039,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4033,19 +4083,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. When a file or folder is deleted in File Explorer, a copy of the file or folder is placed in the Recycle Bin. Using this setting, you can change this behavior. +When a file or folder is deleted in File Explorer, a copy of the file or folder is placed in the Recycle Bin. Using this setting, you can change this behavior. If you enable this setting, files and folders that are deleted using File Explorer will not be placed in the Recycle Bin and will therefore be permanently deleted. If you disable or do not configure this setting, files and folders deleted using File Explorer will be placed in the Recycle Bin. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4064,28 +4109,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4102,7 +4153,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from submitting alternate logon credentials to install a program. +Prevents users from submitting alternate logon credentials to install a program. This setting suppresses the "Install Program As Other User" dialog box for local and network installations. This dialog box, which prompts the current user for the user name and password of an administrator, appears when users who are not administrators try to install programs locally on their computers. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials. @@ -4113,12 +4164,7 @@ If you disable this setting or do not configure it, the "Install Program As Othe By default, users are not prompted for alternate logon credentials when installing programs from a network share. If enabled, this setting overrides the "Request credentials for network installations" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4137,28 +4183,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4175,19 +4227,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy, the "Internet" "Search again" link will not be shown when the user performs a search in the Explorer window. +If you enable this policy, the "Internet" "Search again" link will not be shown when the user performs a search in the Explorer window. If you disable this policy, there will be an "Internet" "Search again" link when the user performs a search in the Explorer window. This button launches a search in the default browser with the search terms. If you do not configure this policy (default), there will be an "Internet" link when the user performs a search in the Explorer window. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4206,28 +4253,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4244,19 +4297,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Security tab from File Explorer. +Removes the Security tab from File Explorer. If you enable this setting, users opening the Properties dialog box for all file system objects, including folders, files, shortcuts, and drives, will not be able to access the Security tab. As a result, users will be able to neither change the security settings nor view a list of all users that have access to the resource in question. If you disable or do not configure this setting, users will be able to access the security tab. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4275,28 +4323,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -4313,19 +4367,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Search button from the File Explorer toolbar. If you enable this policy setting, the Search button is removed from the Standard Buttons toolbar that appears in File Explorer and other programs that use the File Explorer window, such as My Computer and Network Locations. Enabling this policy setting does not remove the Search button or affect any search features of Internet browser windows, such as the Internet Explorer window. +This policy setting allows you to remove the Search button from the File Explorer toolbar. If you enable this policy setting, the Search button is removed from the Standard Buttons toolbar that appears in File Explorer and other programs that use the File Explorer window, such as My Computer and Network Locations. Enabling this policy setting does not remove the Search button or affect any search features of Internet browser windows, such as the Internet Explorer window. If you disable or do not configure this policy setting, the Search button is available from the File Explorer toolbar. This policy setting does not affect the Search items on the File Explorer context menu or on the Start menu. To remove Search from the Start menu, use the "Remove Search menu from Start menu" policy setting (in User Configuration\Administrative Templates\Start Menu and Taskbar). To hide all context menus, use the "Remove File Explorer's default context menu" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
-> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4344,28 +4393,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4383,19 +4438,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical order. +This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical order. If you enable this policy setting, File Explorer will sort file names by each digit in a file name (for example, 111 < 22 < 3). If you disable or do not configure this policy setting, File Explorer will sort file names by increasing number value (for example, 3 < 22 < 111). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4414,28 +4464,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4452,17 +4508,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes shortcut menus from the desktop and File Explorer. Shortcut menus appear when you right-click an item. +Removes shortcut menus from the desktop and File Explorer. Shortcut menus appear when you right-click an item. If you enable this setting, menus do not appear when you right-click the desktop or when you right-click the items in File Explorer. This setting does not prevent users from using other methods to issue commands available on the shortcut menus. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4481,28 +4532,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4519,7 +4576,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from using My Computer to gain access to the content of selected drives. +Prevents users from using My Computer to gain access to the content of selected drives. If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents (open the files in the folders or see the files in the folders). Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. @@ -4531,12 +4588,7 @@ To use this setting, select a drive or combination of drives from the drop-down > Also, this setting does not prevent users from using programs to access local and network drives. And, it does not prevent them from using the Disk Management snap-in to view and change drive characteristics. Also, see the "Hide these specified drives in My Computer" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4555,28 +4607,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4593,7 +4651,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Turn off Windows Key hotkeys. Keyboards with a Windows key provide users with shortcuts to common shell features. For example, pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts File Explorer. +Turn off Windows Key hotkeys. Keyboards with a Windows key provide users with shortcuts to common shell features. For example, pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts File Explorer. By using this setting, you can disable these Windows Key hotkeys. @@ -4602,12 +4660,7 @@ If you enable this setting, the Windows Key hotkeys are unavailable. If you disable or do not configure this setting, the Windows Key hotkeys are available. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4626,28 +4679,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4664,7 +4723,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove computers in the user's workgroup and domain from lists of network resources in File Explorer and Network Locations. +This policy setting allows you to remove computers in the user's workgroup and domain from lists of network resources in File Explorer and Network Locations. If you enable this policy setting, the system removes the "Computers Near Me" option and the icons representing nearby computers from Network Locations. This policy setting also removes these icons from the Map Network Drive browser. @@ -4675,12 +4734,7 @@ This policy setting does not prevent users from connecting to computers in their To remove network computers from lists of network resources, use the "No Entire Network in Network Locations" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4699,28 +4753,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4737,7 +4797,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If enable this setting you can specify from 1 to 5 items to be displayed in the Places Bar. +Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If enable this setting you can specify from 1 to 5 items to be displayed in the Places Bar. The valid items you may display in the Places Bar are: @@ -4753,16 +4813,9 @@ Desktop, Recent Places, Documents, Pictures, Music, Recently Changed, Attachment If you disable or do not configure this setting the default list of items will be displayed in the Places Bar. -> [!NOTE] -> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4781,28 +4834,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4819,7 +4878,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prompts users for alternate logon credentials during network-based installations. +Prompts users for alternate logon credentials during network-based installations. This setting displays the "Install Program As Other User" dialog box even when a program is being installed from files on a network computer across a local area network connection. @@ -4833,12 +4892,7 @@ If the dialog box does not appear, the installation proceeds with the current us > If it is enabled, the "Do not request alternate credentials" setting takes precedence over this setting. When that setting is enabled, users are not prompted for alternate logon credentials on any installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4857,28 +4911,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4895,7 +4955,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Limits the percentage of a volume's disk space that can be used to store deleted files. +Limits the percentage of a volume's disk space that can be used to store deleted files. If you enable this setting, the user has a maximum amount of disk space that may be used for the Recycle Bin on their workstation. @@ -4905,12 +4965,7 @@ If you disable or do not configure this setting, users can change the total amou > This setting is applied to all volumes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -4929,28 +4984,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -4967,7 +5028,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. +This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. 
@@ -4976,12 +5037,7 @@ If you disable this policy setting the protocol is in the protected mode, allowi If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5000,28 +5056,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -5038,7 +5100,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. +This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. 
@@ -5047,12 +5109,7 @@ If you disable this policy setting the protocol is in the protected mode, allowi If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5071,28 +5128,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -5109,7 +5172,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Shows or hides hibernate from the power options menu. +Shows or hides hibernate from the power options menu. If you enable this policy setting, the hibernate option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). @@ -5118,12 +5181,7 @@ If you disable this policy setting, the hibernate option will never be shown in If you do not configure this policy setting, users will be able to choose whether they want hibernate to show through the Power Options Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5142,28 +5200,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -5180,7 +5244,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Shows or hides sleep from the power options menu. +Shows or hides sleep from the power options menu. If you enable this policy setting, the sleep option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). @@ -5189,12 +5253,7 @@ If you disable this policy setting, the sleep option will never be shown in the If you do not configure this policy setting, users will be able to choose whether they want sleep to show through the Power Options Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5213,28 +5272,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -5251,23 +5316,18 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the .Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary.Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified .Library-ms or .searchConnector-ms file. +This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the .Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary.Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified .Library-ms or .searchConnector-ms file. You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links. -The first several links will also be pinned to the Start menu. A total of four links can be included on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via Group Policy. 
The "Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Search Connectors/Libraries and pinned Internet/intranet search links. Search Connector/Library links take precedence over Internet/intranet search links. +The first several links will also be pinned to the Start menu. A total of four links can be included on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via MDM Policy. The "Search the Internet" link is pinned second, if it is pinned via MDM Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" MDM Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Search Connectors/Libraries and pinned Internet/intranet search links. Search Connector/Library links take precedence over Internet/intranet search links. If you enable this policy setting, the specified Libraries or Search Connectors will appear in the "Search again" links and the Start menu links. If you disable or do not configure this policy setting, no Libraries or Search Connectors will appear in the "Search again" links or the Start menu links. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
-> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5286,28 +5346,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  
@@ -5324,23 +5390,18 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, http://www.example.com/results.aspx?q={searchTerms}). +This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, http://www.example.com/results.aspx?q={searchTerms}). You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links. -The first several links will also be pinned to the Start menu. A total of four links can be pinned on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via Group Policy. The "Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). 
If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Internet/intranet links and pinned Search Connectors/Libraries. Search Connector/Library links take precedence over Internet/intranet search links. +The first several links will also be pinned to the Start menu. A total of four links can be pinned on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via MDM Policy. The "Search the Internet" link is pinned second, if it is pinned via MDM Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" MDM Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Internet/intranet links and pinned Search Connectors/Libraries. Search Connector/Library links take precedence over Internet/intranet search links. If you enable this policy setting, the specified Internet sites will appear in the "Search again" links and the Start menu links. If you disable or do not configure this policy setting, no custom Internet search sites will be added to the "Search again" links or the Start menu links. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. 
For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -5353,7 +5414,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md b/windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md deleted file mode 100644 index bc2f8b6a02..0000000000 --- a/windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md +++ /dev/null @@ -1,348 +0,0 @@ ---- -title: Policy CSP - ADMX_WindowsFileProtection -description: Policy CSP - ADMX_WindowsFileProtection -ms.author: dansimp -ms.localizationpriority: medium -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 01/03/2021 -ms.reviewer: -manager: dansimp ---- - -# Policy CSP - ADMX_WindowsFileProtection -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - -
                  - - -## ADMX_WindowsFileProtection policies - -
                  -
                  - ADMX_WindowsFileProtection/WFPShowProgress -
                  -
                  - ADMX_WindowsFileProtection/WFPQuota -
                  -
                  - ADMX_WindowsFileProtection/WFPScan -
                  -
                  - ADMX_WindowsFileProtection/WFPDllCacheDir -
                  -
                  - - -
                  - - -**ADMX_WindowsFileProtection/WFPShowProgress** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  - - -
                  - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
                  - - - -Available in the latest Windows 10 Insider Preview Build. This policy setting hides the file scan progress window. This window provides status information to sophisticated users, but it might confuse the users. - -- If you enable this policy setting, the file scan window does not appear during file scanning. -- If you disable or do not configure this policy setting, the file scan progress window appears. - - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Hide the file scan progress window* -- GP name: *WFPShowProgress* -- GP path: *Windows File Protection!SfcShowProgress* -- GP ADMX file name: *WindowsFileProtection.admx* - - - -
                  - - -**ADMX_WindowsFileProtection/WFPQuota** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  - - -
                  - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
                  - - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the maximum amount of disk space that can be used for the Windows File Protection file cache. -Windows File Protection adds protected files to the cache until the cache content reaches the quota. -If the quota is greater than 50 MB, Windows File Protection adds other important Windows XP files to the cache until the cache size reaches the quota. - -- If you enable this policy setting, enter the maximum amount of disk space to be used (in MB). -To indicate that the cache size is unlimited, select "4294967295" as the maximum amount of disk space. - -- If you disable this policy setting or do not configure it, the default value is set to 50 MB on Windows XP Professional and is unlimited (4294967295 MB) on Windows Server 2003. -> [!NOTE] -> Icon size is dependent upon what the user has set it to in the previous session. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Limit Windows File Protection cache size* -- GP name: *WFPQuota* -- GP path: *System\Windows File Protection* -- GP ADMX file name: *WindowsFileProtection.admx* - - - -
                  - - -**ADMX_WindowsFileProtection/WFPScan** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  - - -
                  - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
                  - - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set when Windows File Protection scans protected files. -This policy setting directs Windows File Protection to enumerate and scan all system files for changes. - -- If you enable this policy setting, select a rate from the "Scanning Frequency" box. -You can use this setting to direct Windows File Protection to scan files more often. --- "Do not scan during startup," the default, scans files only during setup. --- "Scan during startup" also scans files each time you start Windows XP. -This setting delays each startup. - -- If you disable or do not configure this policy setting, by default, files are scanned only during setup. - -> [!NOTE] -> This policy setting affects file scanning only. It does not affect the standard background file change detection that Windows File Protection provides. - - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Set Windows File Protection scanning* -- GP name: *WFPScan* -- GP path: *System\Windows File Protection* -- GP ADMX file name: *WindowsFileProtection.admx* - - - -
                  - - -**ADMX_WindowsFileProtection/WFPDllCacheDir** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procross mark
                  Businesscross mark
                  Enterprisecheck mark
                  Educationcross mark
                  - - -
                  - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
                  - - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies an alternate location for the Windows File Protection cache. - -- If you enable this policy setting, enter the fully qualified local path to the new location in the "Cache file path" box. -- If you disable this setting or do not configure it, the Windows File Protection cache is located in the "%Systemroot%\System32\Dllcache directory". - -> [!NOTE] -> Do not add the cache on a network shared directory. - - -> [!NOTE] -> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items". - -If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored. - -> [!NOTE] -> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. -> -> To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Specify Windows File Protection cache location* -- GP name: *WFPDllCacheDir* -- GP path: *System\Windows File Protection* -- GP ADMX file name: *WindowsFileProtection.admx* - - - -
                  - -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - - \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md index 43885e4dc8..dad60fc2d8 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_WindowsMediaDRM -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -36,28 +40,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -74,7 +84,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). +This policy setting prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades. @@ -83,12 +93,7 @@ When this policy is enabled, programs are not able to acquire licenses for secur When this policy is either disabled or not configured, Windows Media DRM functions normally and will connect to the Internet (or intranet) to acquire licenses, download security upgrades, and perform license restoration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -101,8 +106,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md index 73bedb6677..2ec079bff6 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_WindowsMediaPlayer -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -96,28 +100,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -134,7 +144,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the HTTP proxy settings for Windows Media Player. +This policy setting allows you to specify the HTTP proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: @@ -153,12 +163,7 @@ If you disable this policy setting, the HTTP proxy server cannot be used and the If you do not configure this policy setting, users can configure the HTTP proxy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -177,28 +182,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -215,7 +226,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the MMS proxy settings for Windows Media Player. +This policy setting allows you to specify the MMS proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: @@ -233,12 +244,7 @@ If you disable this policy setting, the MMS proxy server cannot be used and user If you do not configure this policy setting, users can configure the MMS proxy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -257,28 +263,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -295,7 +307,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the RTSP proxy settings for Windows Media Player. +This policy setting allows you to specify the RTSP proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: @@ -311,12 +323,7 @@ If you disable this policy setting, the RTSP proxy server cannot be used and use If you do not configure this policy setting, users can configure the RTSP proxy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -335,28 +342,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -373,7 +386,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off do not show first use dialog boxes. +This policy setting allows you to turn off do not show first use dialog boxes. If you enable this policy setting, the Privacy Options and Installation Options dialog boxes are prevented from being displayed the first time a user starts Windows Media Player. @@ -382,12 +395,7 @@ This policy setting prevents the dialog boxes which allow users to select privac If you disable or do not configure this policy setting, the dialog boxes are displayed when the user starts the Player for the first time. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -406,28 +414,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -444,19 +458,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide the Network tab. +This policy setting allows you to hide the Network tab. If you enable this policy setting, the Network tab in Windows Media Player is hidden. The default network settings are used unless the user has previously defined network settings for the Player. If you disable or do not configure this policy setting, the Network tab appears and users can use it to configure network settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -475,28 +484,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -513,7 +528,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode. +This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode. If you enable this policy setting, the anchor window is hidden when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available. @@ -522,12 +537,7 @@ If you disable or do not configure this policy setting, users can show or hide t If you do not configure this policy setting, and the "Set and lock skin" policy setting is enabled, some options in the anchor window are not available. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -546,28 +556,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -584,7 +600,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the anchor window from being displayed when Windows Media Player is in skin mode. +This policy setting prevents the anchor window from being displayed when Windows Media Player is in skin mode. This policy hides the anchor window when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available. @@ -593,12 +609,7 @@ When this policy is not configured or disabled, users can show or hide the ancho When this policy is not configured and the Set and Lock Skin policy is enabled, some options in the anchor window are not available. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -617,28 +628,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -655,7 +672,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent video smoothing from occurring. +This policy setting allows you to prevent video smoothing from occurring. If you enable this policy setting, video smoothing is prevented, which can improve video playback on computers with limited resources. In addition, the Use Video Smoothing check box in the Video Acceleration Settings dialog box in the Player is cleared and is not available. @@ -666,12 +683,7 @@ If you do not configure this policy setting, video smoothing occurs if necessary Video smoothing is available only on the Windows XP Home Edition and Windows XP Professional operating systems. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -690,28 +702,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -728,7 +746,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows a screen saver to interrupt playback. +This policy setting allows a screen saver to interrupt playback. If you enable this policy setting, a screen saver is displayed during playback of digital media according to the options selected on the Screen Saver tab in the Display Properties dialog box in Control Panel. The Allow screen saver during playback check box on the Player tab in the Player is selected and is not available. @@ -737,12 +755,7 @@ If you disable this policy setting, a screen saver does not interrupt playback e If you do not configure this policy setting, users can change the setting for the Allow screen saver during playback check box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -761,28 +774,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -799,7 +818,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide the Privacy tab in Windows Media Player. +This policy setting allows you to hide the Privacy tab in Windows Media Player. If you enable this policy setting, the "Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet" check box on the Media Library tab is available, even though the Privacy tab is hidden, unless the "Prevent music file media information retrieval" policy setting is enabled. @@ -808,12 +827,7 @@ The default privacy settings are used for the options on the Privacy tab unless If you disable or do not configure this policy setting, the Privacy tab is not hidden, and users can configure any privacy settings not configured by other polices. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -832,28 +846,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -870,19 +890,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide the Security tab in Windows Media Player. +This policy setting allows you to hide the Security tab in Windows Media Player. If you enable this policy setting, the default security settings for the options on the Security tab are used unless the user changed the settings previously. Users can still change security and zone settings by using Internet Explorer unless these settings have been hidden or disabled by Internet Explorer policies. If you disable or do not configure this policy setting, users can configure the security settings on the Security tab. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -901,28 +916,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -939,7 +960,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds. +This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds. If you enable this policy setting, select one of the following options to specify the number of seconds streaming media is buffered before it is played. @@ -951,12 +972,7 @@ The "Use default buffering" and "Buffer" options on the Performance tab in the P If you disable or do not configure this policy setting, users can change the buffering options on the Performance tab. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -975,28 +991,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1013,7 +1035,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows Media Player from downloading codecs. +This policy setting allows you to prevent Windows Media Player from downloading codecs. If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player is not available. @@ -1022,12 +1044,7 @@ If you disable this policy setting, codecs are automatically downloaded and the If you do not configure this policy setting, users can change the setting for the Download codecs automatically check box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1046,28 +1063,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1084,19 +1107,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet. +This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet. If you enable this policy setting, the Player is prevented from automatically obtaining media information from the Internet for CDs and DVDs played by users. In addition, the Retrieve media information for CDs and DVDs from the Internet check box on the Privacy Options tab in the first use dialog box and on the Privacy tab in the Player are not selected and are not available. If you disable or do not configure this policy setting, users can change the setting of the Retrieve media information for CDs and DVDs from the Internet check box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1115,28 +1133,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1153,19 +1177,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent media sharing from Windows Media Player. +This policy setting allows you to prevent media sharing from Windows Media Player. If you enable this policy setting, any user on this computer is prevented from sharing digital media content from Windows Media Player with other computers and devices that are on the same network. Media sharing is disabled from Windows Media Player or from programs that depend on the Player's media sharing feature. If you disable or do not configure this policy setting, anyone using Windows Media Player can turn media sharing on or off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1184,28 +1203,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1222,19 +1247,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent media information for music files from being retrieved from the Internet. +This policy setting allows you to prevent media information for music files from being retrieved from the Internet. If you enable this policy setting, the Player is prevented from automatically obtaining media information for music files such as Windows Media Audio (WMA) and MP3 files from the Internet. In addition, the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box in the first use dialog box and on the Privacy and Media Library tabs in the Player are not selected and are not available. If you disable or do not configure this policy setting, users can change the setting of the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1253,28 +1273,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1291,19 +1317,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar. +This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar. If you enable this policy setting, the user cannot add the shortcut for the Player to the Quick Launch bar. If you disable or do not configure this policy setting, the user can choose whether to add the shortcut for the Player to the Quick Launch bar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1322,28 +1343,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1359,19 +1386,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent radio station presets from being retrieved from the Internet. +This policy setting allows you to prevent radio station presets from being retrieved from the Internet. If you enable this policy setting, the Player is prevented from automatically retrieving radio station presets from the Internet and displaying them in Media Library. In addition, presets that exist before the policy is configured are not be updated, and presets a user adds are not be displayed. If you disable or do not configure this policy setting, the Player automatically retrieves radio station presets from the Internet. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1390,28 +1412,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1428,19 +1456,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop. +This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop. If you enable this policy setting, users cannot add the Player shortcut icon to their desktops. If you disable or do not configure this policy setting, users can choose whether to add the Player shortcut icon to their desktops. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1459,28 +1482,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1497,7 +1526,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set and lock Windows Media Player in skin mode, using a specified skin. +This policy setting allows you to set and lock Windows Media Player in skin mode, using a specified skin. If you enable this policy setting, the Player displays only in skin mode using the skin specified in the Skin box on the Setting tab. @@ -1508,12 +1537,7 @@ A user has access only to the Player features that are available with the specif If you disable or do not configure this policy setting, users can display the Player in full or skin mode and have access to all available features of the Player. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1532,28 +1556,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -1570,7 +1600,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving streaming media from a server running Windows Media Services. +This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving streaming media from a server running Windows Media Services. If you enable this policy setting, the protocols that are selected on the Network tab of the Player are used to receive a stream initiated through an MMS or RTSP URL from a Windows Media server. If the RSTP/UDP check box is selected, a user can specify UDP ports in the Use ports check box. If the user does not specify UDP ports, the Player uses default ports when using the UDP protocol. This policy setting also specifies that multicast streams can be received if the "Allow the Player to receive multicast streams" check box on the Network tab is selected. 
@@ -1581,12 +1611,7 @@ If you do not configure this policy setting, users can select the protocols to u If you disable this policy setting, the Protocols for MMS URLs and Multicast streams areas of the Network tab are not available and the Player cannot receive an MMS or RTSP stream from a Windows Media server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1599,8 +1624,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md index 71e5c8b5aa..bb1d034198 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_WindowsRemoteManagement -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
                  @@ -39,31 +44,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -77,17 +89,12 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Kerberos credentials over the network. +This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Kerberos credentials over the network. If you enable this policy setting, the WinRM service does not accept Kerberos credentials over the network. If you disable or do not configure this policy setting, the WinRM service accepts Kerberos authentication from a remote client. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -107,31 +114,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -145,19 +159,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Kerberos authentication directly. +This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Kerberos authentication directly. If you enable this policy setting, the Windows Remote Management (WinRM) client does not use Kerberos authentication directly. Kerberos can still be used if the WinRM client is using the Negotiate authentication and Kerberos is selected. If you disable or do not configure this policy setting, the WinRM client uses the Kerberos authentication directly. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -170,7 +179,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md index 815572c120..dd62e87f17 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsstore.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md @@ -13,8 +13,15 @@ manager: dansimp --- # Policy CSP - ADMX_WindowsStore -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +
                  @@ -48,28 +55,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -86,19 +99,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting enables or disables the automatic download of app updates on PCs running Windows 8. +This policy setting enables or disables the automatic download of app updates on PCs running Windows 8. If you enable this setting, the automatic download of app updates is turned off. If you disable this setting, the automatic download of app updates is turned on. If you don't configure this setting, the automatic download of app updates is determined by a registry setting that the user can change using Settings in the Windows Store. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -119,31 +127,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -157,19 +172,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables or disables the Store offer to update to the latest version of Windows. +This policy setting enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not configure this setting the Store application will offer updates to the latest version of Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -190,31 +200,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -228,19 +245,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables or disables the Store offer to update to the latest version of Windows. +This policy setting enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not configure this setting the Store application will offer updates to the latest version of Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -251,7 +263,7 @@ ADMX Info: -
                  +
                  @@ -261,31 +273,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -299,19 +318,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies or allows access to the Store application. +This policy setting denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. If you disable or don't configure this setting, access to the Store application is allowed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -332,31 +346,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -370,19 +391,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies or allows access to the Store application. +This policy setting denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. If you disable or don't configure this setting, access to the Store application is allowed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -395,6 +411,5 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-wininit.md b/windows/client-management/mdm/policy-csp-admx-wininit.md index bff41ec699..65f15edfe1 100644 --- a/windows/client-management/mdm/policy-csp-admx-wininit.md +++ b/windows/client-management/mdm/policy-csp-admx-wininit.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_WinInit -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
                  @@ -42,31 +47,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -80,19 +92,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system. +This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system. If you enable this policy setting, the system does not create the named pipe remote shutdown interface. If you disable or do not configure this policy setting, the system creates the named pipe remote shutdown interface. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -111,31 +118,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -149,19 +163,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the use of fast startup. +This policy setting controls the use of fast startup. If you enable this policy setting, the system requires hibernate to be enabled. If you disable or do not configure this policy setting, the local setting is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -180,31 +189,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -218,19 +234,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the number of minutes the system waits for the hung logon sessions before proceeding with the system shutdown. +This policy setting configures the number of minutes the system waits for the hung logon sessions before proceeding with the system shutdown. If you enable this policy setting, the system waits for the hung logon sessions for the number of minutes specified. If you disable or do not configure this policy setting, the default timeout value is 3 minutes for workstations and 15 minutes for servers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -243,8 +254,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md index 357f16b165..8eaf9ca043 100644 --- a/windows/client-management/mdm/policy-csp-admx-winlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_WinLogon -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
                  @@ -51,31 +56,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -89,7 +101,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Specifies an alternate user interface. The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface. +Specifies an alternate user interface. The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface. If you enable this setting, the system starts the interface you specify instead of Explorer.exe. To use this setting, copy your interface program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the file name extension, in the Shell name text box. If the interface program file is not located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file. @@ -99,12 +111,7 @@ If you disable this setting or do not configure it, the setting is ignored and t > To find the folders indicated by the Path environment variable, click System Properties in Control Panel, click the Advanced tab, click the Environment Variables button, and then, in the System variables box, click Path. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: 
@@ -123,31 +130,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -161,7 +175,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the system displays information about previous logons and logon failures to the user. +This policy setting controls whether or not the system displays information about previous logons and logon failures to the user. For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional level, if you enable this setting, a message appears after the user logs on that displays the date and time of the last successful logon by that user, the date and time of the last unsuccessful logon attempted with that user name, and the number of unsuccessful logons since the last successful logon by that user. This message must be acknowledged by the user before the user is presented with the Microsoft Windows desktop. @@ -170,12 +184,7 @@ For domain user accounts in Windows Server 2003, Windows 2000 native, or Windows If you disable or do not configure this setting, messages about the previous logon or logon failures are not displayed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -195,31 +204,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -233,7 +249,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy controls whether the logged on user should be notified when his logon hours are about to expire. By default, a user is notified before logon hours expire, if actions have been set to occur when the logon hours expire. +This policy controls whether the logged on user should be notified when his logon hours are about to expire. By default, a user is notified before logon hours expire, if actions have been set to occur when the logon hours expire. If you enable this setting, warnings are not displayed to the user before the logon hours expire. @@ -243,12 +259,7 @@ If you disable or do not configure this setting, users receive warnings before t > If you configure this setting, you might want to examine and appropriately configure the “Set action to take when logon hours expire” setting. If “Set action to take when logon hours expire” is disabled or not configured, the “Remove logon hours expiration warnings” setting will have no effect, and users receive no warnings about logon hour expiration -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -267,31 +278,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -305,7 +323,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy controls which action will be taken when the logon hours expire for the logged on user. The actions include lock the workstation, disconnect the user, or log the user off completely. +This policy controls which action will be taken when the logon hours expire for the logged on user. The actions include lock the workstation, disconnect the user, or log the user off completely. If you choose to lock or disconnect a session, the user cannot unlock the session or reconnect except during permitted logon hours. @@ -317,12 +335,7 @@ If you disable or do not configure this setting, the system takes no action when > If you configure this setting, you might want to examine and appropriately configure the “Remove logon hours expiration warnings” setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -341,31 +354,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -380,19 +400,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information. +This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information. If enabled, a notification popup will be displayed to the user when the user logs on with cached credentials. If disabled or not configured, no popup will be displayed to the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -411,31 +426,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -449,7 +471,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not software can simulate the Secure Attention Sequence (SAS). +This policy setting controls whether or not software can simulate the Secure Attention Sequence (SAS). If you enable this policy setting, you have one of four options: @@ -461,12 +483,7 @@ If you enable this policy setting, you have one of four options: If you disable or do not configure this setting, only Ease of Access applications running on the secure desktop can simulate the SAS. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -479,7 +496,6 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-winsrv.md b/windows/client-management/mdm/policy-csp-admx-winsrv.md index 30d6f460e5..d61e00df82 100644 --- a/windows/client-management/mdm/policy-csp-admx-winsrv.md +++ b/windows/client-management/mdm/policy-csp-admx-winsrv.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_Winsrv -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
                  @@ -36,31 +41,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -74,7 +86,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows will allow console applications and GUI applications without visible top-level windows to block or cancel shutdown. +This policy setting specifies whether Windows will allow console applications and GUI applications without visible top-level windows to block or cancel shutdown. By default, such applications are automatically terminated if they attempt to cancel shutdown or block it indefinitely. @@ -85,12 +97,7 @@ By default, such applications are automatically terminated if they attempt to ca > This policy setting applies to all sites in Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -103,8 +110,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-wlansvc.md b/windows/client-management/mdm/policy-csp-admx-wlansvc.md index 83fdd75390..15c3769dc1 100644 --- a/windows/client-management/mdm/policy-csp-admx-wlansvc.md +++ b/windows/client-management/mdm/policy-csp-admx-wlansvc.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_wlansvc -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
                  @@ -42,28 +47,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -80,7 +91,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the cost of Wireless LAN (WLAN) connections on the local machine. +This policy setting configures the cost of Wireless LAN (WLAN) connections on the local machine. If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all WLAN connections on the local machine: @@ -89,12 +100,7 @@ If this policy setting is enabled, a drop-down list box presenting possible cost - Variable: This connection is costed on a per byte basis. If this policy setting is disabled or is not configured, the cost of Wireless LAN connections is Unrestricted by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -113,28 +119,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -151,19 +163,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy applies to Wireless Display connections. This policy means that the use of a PIN for pairing to Wireless Display devices is required rather than optional. +This policy applies to Wireless Display connections. This policy means that the use of a PIN for pairing to Wireless Display devices is required rather than optional. Conversely it means that Push Button is NOT allowed. If this policy setting is disabled or is not configured, by default Push Button pairing is allowed (but not necessarily preferred). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -182,28 +189,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  @@ -220,19 +233,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy applies to Wireless Display connections. This policy changes the preference order of the pairing methods. +This policy applies to Wireless Display connections. This policy changes the preference order of the pairing methods. When enabled, it makes the connections to prefer a PIN for pairing to Wireless Display devices over the Push Button pairing method. If this policy setting is disabled or is not configured, by default Push Button pairing is preferred (if allowed by other policies). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -245,8 +253,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-wordwheel.md b/windows/client-management/mdm/policy-csp-admx-wordwheel.md new file mode 100644 index 0000000000..d66b03aaee --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-wordwheel.md @@ -0,0 +1,109 @@ +--- +title: Policy CSP - ADMX_WordWheel +description: Policy CSP - ADMX_WordWheel +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/22/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WordWheel + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
                  + + +## ADMX_WordWheel policies + +
                  +
                  + ADMX_WordWheel/CustomSearch +
                  +
                  + + +
                  + + +**ADMX_WordWheel/CustomSearch** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
                  + + + +Set up the menu name and URL for the custom Internet search provider. + +- If you enable this setting, the specified menu name and URL will be used for Internet searches. +- If you disable or not configure this setting, the default Internet search provider will be used. + + + + + +ADMX Info: +- GP Friendly name: *Custom Instant Search Internet search provider* +- GP name: *CustomSearch* +- GP path: *Windows Components\Instant Search* +- GP ADMX file name: *WordWheel.admx* + + + +
                  + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md new file mode 100644 index 0000000000..35838e210e --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md @@ -0,0 +1,264 @@ +--- +title: Policy CSP - ADMX_WorkFoldersClient +description: Policy CSP - ADMX_WorkFoldersClient +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/22/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WorkFoldersClient + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
                  + + +## ADMX_WorkFoldersClient policies + +
                  +
                  + ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker +
                  +
                  + ADMX_WorkFoldersClient/Pol_UserEnableWorkFolders +
                  +
                  + ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders +
                  +
                  + + +
                  + + +**ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting specifies whether Work Folders should be set up automatically for all users of the affected computer. + +- If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer. + +This prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. Work Folders will use the settings specified in the "Specify Work Folders settings" policy setting in User Configuration\Administrative Templates\Windows Components\WorkFolders. If the "Specify Work Folders settings" policy setting does not apply to a user, Work Folders is not automatically set up. +- If you disable or do not configure this policy setting, Work Folders uses the "Force automatic setup" option of the "Specify Work Folders settings" policy setting to determine whether to automatically set up Work Folders for a given user. + + + + + +ADMX Info: +- GP Friendly name: *Force automatic setup for all users* +- GP name: *Pol_UserEnableTokenBroker* +- GP path: *Windows Components\Work Folders* +- GP ADMX file name: *WorkFoldersClient.admx* + + + + +
                  + + +**ADMX_WorkFoldersClient/Pol_UserEnableWorkFolders** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
                  + + + +This policy setting specifies the Work Folders server for affected users, as well as whether or not users are allowed to change settings when setting up Work Folders on a domain-joined computer. + +- If you enable this policy setting, affected users receive Work Folders settings when they sign in to a domain-joined PC. + +If this policy setting is disabled or not configured, no Work Folders settings are specified for the affected users, though users can manually set up Work Folders by using the Work Folders Control Panel item. The "Work Folders URL" can specify either the URL used by the organization for Work Folders discovery, or the specific URL of the file server that stores the affected users' data. The "Work Folders Local Path" specifies the local folder used on the client machine to sync files. This path may contain environment variables. + +> [!NOTE] +> In order for this configuration to take effect, a valid 'Work Folders URL' must also be specified. + +The “On-demand file access preference” option controls whether to enable on-demand file access. When enabled, the user controls which files in Work Folders are available offline on a given PC. The rest of the files in Work Folders are always visible and don’t take up any space on the PC, but the user must be connected to the Internet to access them. If you enable this policy setting, on-demand file access is enabled. + +- If you disable this policy setting, on-demand file access is disabled, and enough storage space to store all the user’s files is required on each of their PCs. + +If you specify User choice or do not configure this policy setting, the user decides whether to enable on-demand file access. However, if the Force automatic setup policy setting is enabled, Work Folders is set up automatically with on-demand file access enabled. + +The "Force automatic setup" option specifies that Work Folders should be set up automatically without prompting users. 
This prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. By default, Work Folders is stored in the "%USERPROFILE%\Work Folders" folder. If this option is not specified, users must use the Work Folders Control Panel item on their computers to set up Work Folders. + + + + + +ADMX Info: +- GP Friendly name: *Specify Work Folders settings* +- GP name: *Pol_UserEnableWorkFolders* +- GP path: *Windows Components\Work Folders* +- GP ADMX file name: *WorkFoldersClient.admx* + + + +
                  + + +**ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProNoNo
                  BusinessNoNo
                  EnterpriseYesYes
                  EducationYesYes
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
                  + + + +This policy specifies whether Work Folders should use Token Broker for interactive AD FS authentication instead of its own OAuth2 token flow used in previous versions. + + + + + +ADMX Info: +- GP Friendly name: *Enables the use of Token Broker for AD FS authentication* +- GP name: *Pol_MachineEnableWorkFolders* +- GP path: *Windows Components\Work Folders* +- GP ADMX file name: *WorkFoldersClient.admx* + + + + + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-wpn.md b/windows/client-management/mdm/policy-csp-admx-wpn.md index 6538f66279..2cc6b9b072 100644 --- a/windows/client-management/mdm/policy-csp-admx-wpn.md +++ b/windows/client-management/mdm/policy-csp-admx-wpn.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_WPN -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
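Review bot: Two policy sections in the new policy-csp-admx-workfoldersclient.md appear to have their bodies swapped. The `ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker` heading is followed by Device scope and the "Force automatic setup for all users" description, while `ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders` is followed by User scope and the Token Broker / AD FS authentication description. An administrator building SyncML from this page could change the AD FS authentication flow when they meant to force Work Folders setup, or the reverse, and at the wrong scope. Exchange the scope, description and ADMX Info blocks between the two headings so that, for example, `- GP name: *Pol_UserEnableTokenBroker*` sits under `- GP Friendly name: *Enables the use of Token Broker for AD FS authentication*`. Confirm the mapping against WorkFoldersClient.admx, which this diff does not show.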
                  @@ -51,31 +56,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -89,7 +101,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting blocks voice and video calls during Quiet Hours. +This policy setting blocks voice and video calls during Quiet Hours. If you enable this policy setting, voice and video calls will be blocked during the designated Quiet Hours time window each day, and users will not be able to customize any other Quiet Hours settings. @@ -98,12 +110,7 @@ If you disable this policy setting, voice and video calls will be allowed during If you do not configure this policy setting, voice and video calls will be allowed during Quiet Hours by default. Administrators and users will be able to modify this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -122,31 +129,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -160,7 +174,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off toast notifications on the lock screen. +This policy setting turns off toast notifications on the lock screen. If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen. @@ -169,12 +183,7 @@ If you disable or do not configure this policy setting, toast notifications on t No reboots or service restarts are required for this policy setting to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -193,31 +202,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -231,7 +247,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Quiet Hours functionality. +This policy setting turns off Quiet Hours functionality. If you enable this policy setting, toast notifications will not be suppressed and some background tasks will not be deferred during the designated Quiet Hours time window each day. @@ -240,12 +256,7 @@ If you disable this policy setting, toast notifications will be suppressed and s If you do not configure this policy setting, Quiet Hours are enabled by default but can be turned off or by the administrator or user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -264,31 +275,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -302,7 +320,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off toast notifications for applications. +This policy setting turns off toast notifications for applications. If you enable this policy setting, applications will not be able to raise toast notifications. @@ -315,12 +333,7 @@ If you disable or do not configure this policy setting, toast notifications are No reboots or service restarts are required for this policy setting to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -339,31 +352,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -377,7 +397,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to begin each day. +This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to begin each day. If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. @@ -386,12 +406,7 @@ If you disable this policy setting, a default value will be used, and users will If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -410,31 +425,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcross markYesYes
                  +
                  @@ -448,7 +470,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to end each day. +This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to end each day. If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. @@ -457,12 +479,7 @@ If you disable this policy setting, a default value will be used, and users will If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -475,8 +492,7 @@ ADMX Info:
                  -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 87aec967af..2337443c82 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ApplicationDefaults -description: Learn about various Policy configuration service provider (CSP) - ApplicationDefaults, including SyncML, for Windows 10. +description: Learn about various Policy configuration service providers (CSP) - ApplicationDefaults, including SyncML, for Windows 10. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -39,28 +39,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -77,9 +83,9 @@ manager: dansimp -Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML. +This policy allows an administrator to set default file type and protocol associations. When set, default associations are applied on sign in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml). Then, it needs to be base64 encoded before being added to SyncML. -If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied. +If policy is enabled and the client machine is having Azure Active Directory, the associations assigned in SyncML are processed and default associations are applied. @@ -100,7 +106,7 @@ To create the SyncML, follow these steps:
                • Paste the base64 encoded XML into the SyncML
                • -Here is an example output from the dism default association export command: +Here's an example output from the dism default association export command: ```xml @@ -113,13 +119,13 @@ Here is an example output from the dism default association export command: @@ -155,28 +161,34 @@ Here is the SyncMl example: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -199,7 +211,7 @@ Enabling this policy setting enables web-to-app linking so that apps can be laun Disabling this policy disables web-to-app linking and http(s) URIs will be opened in the default browser instead of launching the associated app. -If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. +If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. @@ -217,16 +229,7 @@ This setting supports a range of values between 0 and 1.
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 983dc1cc33..933d541866 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ApplicationManagement -description: Learn about various Policy configuration service provider (CSP) - ApplicationManagement, including SyncML, for Windows 10. +description: Learn about various Policy configuration service provider (CSP) - ApplicationManagement, including SyncML, for Windows 10. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -73,28 +73,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -142,28 +148,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -211,28 +223,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -280,28 +298,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -351,28 +375,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -419,30 +449,35 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + + -
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscheck mark8YesYes
                  Enterprisecheck mark8YesYes
                  Educationcheck mark8YesYes
                  @@ -458,7 +493,7 @@ Most restricted value: 0 -Added in Windows 10, version 2004. + Manages non-administrator users' ability to install Windows app packages. @@ -501,23 +536,23 @@ The following list shows the supported values: Home - cross mark + ❌ Pro - cross mark + ❌ Business - cross mark + ❌ Enterprise - check mark1 + ✔️1 Education - check mark1 + ✔️1 @@ -567,23 +602,23 @@ The following list shows the supported values: Home - cross mark + ❌ Pro - check mark5 + ✔️5 Business - check mark5 + ✔️5 Enterprise - check mark5 + ✔️5 Education - check mark5 + ✔️5 @@ -638,23 +673,23 @@ For this policy to work, the Windows apps need to declare in their manifest that Home - cross mark + ❌ Pro - check mark4 + ✔️4 Business - cross mark + ❌ Enterprise - check mark4 + ✔️4 Education - check mark4 + ✔️4 @@ -709,23 +744,23 @@ This setting supports a range of values between 0 and 1. Home - cross mark + ❌ Pro - check mark4 + ✔️4 Business - cross mark + ❌ Enterprise - check mark4 + ✔️4 Education - check mark4 + ✔️4 
@@ -749,9 +784,11 @@ If you enable this policy setting, privileges are extended to all programs. Thes If you disable or do not configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer. -Note: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. +> [!NOTE] +> This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. -Caution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed to be secure. +> [!CAUTION] +> Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed to be secure. @@ -781,23 +818,23 @@ This setting supports a range of values between 0 and 1. Home - cross mark + ❌ Pro - cross mark + ❌ Business - cross mark + ❌ Enterprise - check mark + ✔️ Education - check mark + ✔️ @@ -851,23 +888,23 @@ The following list shows the supported values: Home - cross mark + ❌ Pro - check mark + ✔️ Business - check mark + ✔️ Enterprise - check mark + ✔️ Education - check mark + ✔️ @@ -919,23 +956,23 @@ The following list shows the supported values: Home - cross mark + ❌ Pro - check mark + ✔️ Business - check mark + ✔️ Enterprise - check mark + ✔️ Education - check mark + ✔️ 
@@ -987,23 +1024,23 @@ The following list shows the supported values: Home - cross mark + ❌ Pro - cross mark + ❌ Business - cross mark + ❌ Enterprise - check mark5 + ✔️5 Education - check mark5 + ✔️5 @@ -1100,15 +1137,6 @@ XSD:
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md index 5985ed58aa..3d94d24363 100644 --- a/windows/client-management/mdm/policy-csp-appruntime.md +++ b/windows/client-management/mdm/policy-csp-appruntime.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - AppRuntime +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -36,31 +42,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -81,12 +94,7 @@ If you enable this policy setting, Windows Store apps that typically require a M If you disable or do not configure this policy setting, users will need to sign in with a Microsoft account. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -99,16 +107,7 @@ ADMX Info:
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index 08865e0dd4..e21656192a 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - AppVirtualization +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -117,31 +123,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -158,12 +171,7 @@ manager: dansimp This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -183,28 +191,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -224,12 +238,7 @@ ADMX Info: Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -249,28 +258,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -290,12 +305,7 @@ ADMX Info: Enables automatic cleanup of appv packages that were added after Windows10 anniversary release. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -315,28 +325,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -356,12 +372,7 @@ ADMX Info: Enables scripts defined in the package manifest of configuration files that should run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -381,28 +392,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -422,12 +439,7 @@ ADMX Info: Enables a UX to display to the user when a publishing refresh is performed on the client. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -447,28 +459,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -498,12 +516,7 @@ Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -523,28 +536,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -564,12 +583,7 @@ ADMX Info: Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -589,28 +603,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -630,12 +650,7 @@ ADMX Info: Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -655,28 +670,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -696,16 +717,11 @@ ADMX Info: Specifies how new packages should be loaded automatically by App-V on a specific computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP Friendly name: *Specify what to load in background (aka AutoLoad)* +- GP Friendly name: *Specify what to load in background (also known as AutoLoad)* - GP name: *Steaming_Autoload* - GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -721,28 +737,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -762,12 +784,7 @@ ADMX Info: Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -787,28 +804,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -828,12 +851,7 @@ ADMX Info: Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -853,28 +871,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -894,12 +918,7 @@ ADMX Info: Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -919,28 +938,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -978,12 +1003,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1003,28 +1023,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1062,12 +1088,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1087,28 +1108,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1146,12 +1173,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1171,28 +1193,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1230,12 +1258,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1255,28 +1278,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1314,12 +1343,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1339,28 +1363,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1380,12 +1410,7 @@ ADMX Info: Specifies the path to a valid certificate in the certificate store. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1405,28 +1430,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1446,12 +1477,7 @@ ADMX Info: This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1471,28 +1497,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1512,12 +1544,7 @@ ADMX Info: Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1537,28 +1564,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1578,12 +1611,7 @@ ADMX Info: Specifies directory where all new applications and updates will be installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1603,28 +1631,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1644,12 +1678,7 @@ ADMX Info: Overrides source location for downloading package content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1669,28 +1698,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1710,12 +1745,7 @@ ADMX Info: Specifies the number of seconds between attempts to reestablish a dropped session. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1735,28 +1765,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1776,12 +1812,7 @@ ADMX Info: Specifies the number of times to retry a dropped session. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1801,28 +1832,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1842,12 +1879,7 @@ ADMX Info: Specifies that streamed package contents will be not be saved to the local hard disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1867,28 +1899,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1908,12 +1946,7 @@ ADMX Info: If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1933,28 +1966,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1974,12 +2013,7 @@ ADMX Info: Verifies Server certificate revocation status before streaming using HTTPS. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1999,28 +2033,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -2040,12 +2080,7 @@ ADMX Info: Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc.). Only processes whose full path matches one of these items can use virtual components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2058,16 +2093,7 @@ ADMX Info:
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index aa15e81d84..227cc1205e 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md @@ -14,6 +14,13 @@ manager: dansimp # Policy CSP - AttachmentManager +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
                  @@ -42,31 +49,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -89,12 +103,7 @@ If you disable this policy setting, Windows marks file attachments with their zo If you do not configure this policy setting, Windows marks file attachments with their zone information. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -114,31 +123,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -161,12 +177,7 @@ If you disable this policy setting, Windows shows the check box and Unblock butt If you do not configure this policy setting, Windows hides the check box and Unblock button. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -186,31 +197,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -233,12 +251,7 @@ If you disable this policy setting, Windows does not call the registered antivir If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -251,16 +264,7 @@ ADMX Info:
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index 5d063b5378..4be64f929b 100644 --- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Audit -description: Learn how the Policy CSP - Audit setting causes an audit event to be generated when an account can't log on to a computer because the account is locked out. +description: Learn how the Policy CSP - Audit setting causes an audit event to be generated when an account can't sign in to a computer because the account is locked out. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -206,31 +206,38 @@ ms.date: 09/27/2019 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -244,11 +251,11 @@ ms.date: 09/27/2019 -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by a failed attempt to log on to an account that is locked out. +This policy setting allows you to audit events generated by a failed attempt to sign in to an account that is locked out. -If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts. +If you configure this policy setting, an audit event is generated when an account can't sign in to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts. -Logon events are essential for understanding user activity and to detect potential attacks. +Sign in events are essential for understanding user activity and to detect potential attacks. Volume: Low. @@ -261,10 +268,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -283,31 +290,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -321,9 +335,9 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. +This policy allows you to audit the group membership information in the user's sign in token. Events in this subcategory are generated on the computer on which a sign in session is created. For an interactive sign in, the security audit event is generated on the computer that the user logged on to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. -When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group membership information cannot fit in a single security audit event. +When this setting is configured, one or more security audit events are generated for each successful sign in. Enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group membership information can't fit in a single security audit event. Volume: Low on a client computer. Medium on a domain controller or a network server. 
@@ -335,10 +349,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -357,31 +371,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -395,7 +416,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. +This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation. @@ -411,10 +432,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -433,31 +454,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -471,10 +499,10 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. +This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. +If you don't configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. Volume: High. @@ -486,10 +514,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -508,31 +536,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -546,9 +581,9 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. +This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. -If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. +If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you don't configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. Volume: High. @@ -560,10 +595,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -582,31 +617,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -620,10 +662,10 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. +This policy setting allows you to audit events generated by the closing of a sign in session. These events occur on the computer that was accessed. For an interactive sign out the security audit event is generated on the computer that the user account logged on to. -If you configure this policy setting, an audit event is generated when a logon session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. -If you do not configure this policy setting, no audit event is generated when a logon session is closed. +If you configure this policy setting, an audit event is generated when a sign in session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. +If you don't configure this policy setting, no audit event is generated when a sign in session is closed. Volume: Low. @@ -635,10 +677,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -657,31 +699,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  
@@ -695,13 +744,13 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by user account logon attempts on the computer. -Events in this subcategory are related to the creation of logon sessions and occur on the computer which was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. +This policy setting allows you to audit events generated by user account sign in attempts on the computer. +Events in this subcategory are related to the creation of sign in sessions and occur on the computer that was accessed. For an interactive sign in, the security audit event is generated on the computer that the user account logged on to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The following events are included: -- Successful logon attempts. -- Failed logon attempts. -- Logon attempts using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch logon configurations, such as scheduled tasks or when using the RUNAS command. -- Security identifiers (SIDs) were filtered and not allowed to log on. +- Successful sign in attempts. +- Failed sign in attempts. +- sign in attempts using explicit credentials. This event is generated when a process attempts to sign in an account by explicitly specifying that account’s credentials. This most commonly occurs in batch sign in configurations, such as scheduled tasks or when using the RUNAS command. 
+- Security identifiers (SIDs) were filtered and not allowed to sign in. Volume: Low on a client computer. Medium on a domain controller or a network server. @@ -713,10 +762,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -735,31 +784,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -773,7 +829,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. +This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts. If you do not configure this policy settings, IAS and NAP user access requests are not audited. @@ -787,10 +843,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 — Success -- 2 — Failure -- 3 (default) — Success+Failure +- 0—Off/None +- 1—Success +- 2—Failure +- 3 (default)—Success+Failure @@ -809,31 +865,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -847,7 +910,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting, such as the following: +This policy setting allows you to audit other logon/logoff-related events that aren't covered in the “Logon/Logoff” policy setting, such as the following: - Terminal Services session disconnections. - New Terminal Services sessions. - Locking and unlocking a workstation. @@ -867,10 +930,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -889,31 +952,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -927,9 +997,9 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by special logons, such as the following: -- The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. -- A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [Audit Special Logon](/windows/security/threat-protection/auditing/audit-special-logon). +This policy setting allows you to audit events generated by special logons, such as the following: +- The use of a special sign in, which is a sign in that has administrator-equivalent privileges and can be used to elevate a process to a higher level. +- A sign in by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during sign in and the subcategory is enabled, an event is logged. For more information about this feature, see [Audit Special Logon](/windows/security/threat-protection/auditing/audit-special-logon). Volume: Low. @@ -941,10 +1011,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -963,31 +1033,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  
@@ -1001,11 +1078,11 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy allows you to audit user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. +This policy allows you to audit user and device claims information in the user's sign in token. Events in this subcategory are generated on the computer on which a sign in session is created. For an interactive sign in, the security audit event is generated on the computer that the user logged on to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. -User claims are added to a logon token when claims are included with a user's account attributes in Active Directory. Device claims are added to the logon token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on. +User claims are added to a sign in token when claims are included with a user's account attributes in Active Directory. Device claims are added to the sign in token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on. -When this setting is configured, one or more security audit events are generated for each successful logon. 
You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information cannot fit in a single security audit event. +When this setting is configured, one or more security audit events are generated for each successful sign in. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information cannot fit in a single security audit event. Volume: Low on a client computer. Medium on a domain controller or a network server. @@ -1017,10 +1094,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1039,31 +1116,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -1077,7 +1161,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by validation tests on user account logon credentials. +This policy setting allows you to audit events generated by validation tests on user account sign in credentials. Events in this subcategory occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. @@ -1091,10 +1175,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1113,31 +1197,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -1151,7 +1242,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. +This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT request. @@ -1166,10 +1257,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1188,31 +1279,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -1226,7 +1324,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. +This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account. @@ -1241,10 +1339,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1263,31 +1361,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -1301,7 +1406,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. +This policy setting allows you to audit events generated by responses to credential requests submitted for a user account sign in that are not credential validation or Kerberos tickets. Currently, there are no events in this subcategory. @@ -1314,10 +1419,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1336,31 +1441,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -1374,7 +1486,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to application groups, such as the following: +This policy setting allows you to audit events generated by changes to application groups as follows: - Application group is created, changed, or deleted. - Member is added or removed from an application group. @@ -1391,10 +1503,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1413,31 +1525,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -1451,7 +1570,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. +This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a computer account changes. @@ -1466,10 +1585,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1488,31 +1607,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -1526,7 +1652,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to distribution groups, such as the following: +This policy setting allows you to audit events generated by changes to distribution groups as follows: - Distribution group is created, changed, or deleted. - Member is added or removed from a distribution group. - Distribution group type is changed. @@ -1547,10 +1673,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1569,31 +1695,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -1607,7 +1740,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following: +This policy setting allows you to audit events generated by other user account changes that are not covered in this category as follows: - The password hash of a user account was accessed. This typically happens during an Active Directory Management Tool password migration. - The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack. - Changes to the Default Domain Group Policy under the following Group Policy paths: @@ -1627,10 +1760,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1649,31 +1782,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -1687,7 +1827,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to security groups, such as the following: +This policy setting allows you to audit events generated by changes to security groups, such as the following: - Security group is created, changed, or deleted. - Member is added or removed from a security group. - Group type is changed. @@ -1705,10 +1845,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -1727,31 +1867,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -1765,8 +1912,8 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit changes to user accounts. -Events include the following: +This policy setting allows you to audit changes to user accounts. +The events included are as follows: - A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. - A user account’s password is set or changed. - A security identifier (SID) is added to the SID History of a user account. @@ -1787,10 +1934,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -1809,31 +1956,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -1847,7 +2001,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers. +This policy setting allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers. Volume: High. @@ -1860,10 +2014,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1882,31 +2036,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -1920,7 +2081,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed. +This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed. Only AD DS objects with a matching system access control list (SACL) are logged. @@ -1936,10 +2097,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -1958,31 +2119,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -1996,7 +2164,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. +This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the object’s properties. @@ -2018,10 +2186,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2040,31 +2208,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -2078,7 +2253,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. +This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication. If you do not configure this policy setting, no audit event is generated during AD DS replication. @@ -2096,10 +2271,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2118,31 +2293,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -2156,7 +2338,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see https://go.microsoft.com/fwlink/?LinkId=121720. +This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see https://go.microsoft.com/fwlink/?LinkId=121720. If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. @@ -2171,10 +2353,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2192,31 +2374,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -2230,7 +2419,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit when plug and play detects an external device. +This policy setting allows you to audit when plug and play detects an external device. If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. @@ -2245,10 +2434,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2266,31 +2455,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -2304,7 +2500,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. +This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a process is created. @@ -2319,10 +2515,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2340,31 +2536,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -2378,7 +2581,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated when a process ends. +This policy setting allows you to audit events generated when a process ends. If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a process ends. @@ -2393,10 +2596,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2414,31 +2617,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -2452,7 +2662,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit inbound remote procedure call (RPC) connections. +This policy setting allows you to audit inbound remote procedure call (RPC) connections. If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a remote RPC connection is attempted. @@ -2467,10 +2677,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2488,31 +2698,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -2526,7 +2743,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by adjusting the privileges of a token. +This policy setting allows you to audit events generated by adjusting the privileges of a token. Volume: High. @@ -2538,10 +2755,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2560,31 +2777,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -2598,7 +2822,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. +This policy setting allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. Events in this subcategory include: - Creation of an application client context. - Deletion of an application client context. @@ -2615,10 +2839,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2636,31 +2860,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -2674,7 +2905,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object. +This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object. If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event will be generated as follows: 1. Success audits, when configured, records access attempts when the current central access policy grants access but the proposed policy denies access. @@ -2693,10 +2924,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2715,31 +2946,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -2753,7 +2991,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations. +This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations. AD CS operations include the following: - AD CS startup/shutdown/backup/restore. @@ -2783,10 +3021,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2804,31 +3042,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -2842,7 +3087,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. +This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures. @@ -2859,10 +3104,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2880,31 +3125,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -2918,7 +3170,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit attempts to access a shared folder. +This policy setting allows you to audit attempts to access a shared folder. If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. @@ -2935,10 +3187,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -2956,31 +3208,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -2994,7 +3253,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see [Apply a basic audit policy on a file or folder](/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder). +This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see [Apply a basic audit policy on a file or folder](/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder). If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. @@ -3012,10 +3271,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3033,31 +3292,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -3071,7 +3337,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). +This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). The following events are included: - The Windows Firewall Service blocks an application from accepting incoming connections on the network. - The WFP allows a connection. @@ -3097,10 +3363,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3118,31 +3384,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -3156,7 +3429,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit packets that are dropped by Windows Filtering Platform (WFP). +This policy setting allows you to audit packets that are dropped by Windows Filtering Platform (WFP). Volume: High. @@ -3169,10 +3442,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3190,31 +3463,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -3228,7 +3508,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. +This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a handle is manipulated. @@ -3246,10 +3526,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3267,31 +3547,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -3305,7 +3592,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit attempts to access the kernel, which includes mutexes and semaphores. +This policy setting allows you to audit attempts to access the kernel, which includes mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events. > [!Note] @@ -3321,10 +3608,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3342,31 +3629,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -3380,7 +3674,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. +This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. For scheduler jobs, the following are audited: - Job created. - Job deleted. @@ -3403,10 +3697,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3424,31 +3718,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -3462,7 +3763,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. +This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL. @@ -3480,10 +3781,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3501,31 +3802,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -3539,7 +3847,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. +This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. @@ -3554,10 +3862,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3575,31 +3883,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -3613,7 +3928,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. +This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. SAM objects include the following: - SAM_ALIAS -- A local group. - SAM_GROUP -- A group that is not a local group. @@ -3638,10 +3953,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3659,31 +3974,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -3697,7 +4019,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to the authentication policy, such as the following: +This policy setting allows you to audit events generated by changes to the authentication policy, such as the following: - Creation of forest and domain trusts. - Modification of forest and domain trusts. - Removal of forest and domain trusts. @@ -3726,10 +4048,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -3748,31 +4070,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -3786,7 +4115,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to the authorization policy, such as the following: +This policy setting allows you to audit events generated by changes to the authorization policy, such as the following: - Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. - Removal of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. - Changes in the Encrypted File System (EFS) policy. @@ -3806,10 +4135,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3828,31 +4157,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -3866,7 +4202,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP), such as the following: +This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP), such as the following: - IPsec services status. - Changes to IPsec policy settings. - Changes to Windows Firewall policy settings. @@ -3885,10 +4221,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3907,31 +4243,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -3945,7 +4288,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. +This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following: - Reporting of active policies when Windows Firewall service starts. - Changes to Windows Firewall rules. @@ -3967,10 +4310,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -3989,31 +4332,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -4027,7 +4377,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following: +This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following: - Trusted Platform Module (TPM) configuration changes. - Kernel-mode cryptographic self tests. - Cryptographic provider operations. @@ -4045,10 +4395,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4067,31 +4417,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -4105,7 +4462,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit changes in the security audit policy settings, such as the following: +This policy setting allows you to audit changes in the security audit policy settings, such as the following: - Settings permissions and audit settings on the Audit Policy object. - Changes to the system audit policy. - Registration of security event sources. @@ -4128,10 +4485,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -4150,31 +4507,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -4188,7 +4552,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). +This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). The following privileges are non-sensitive: - Access Credential Manager as a trusted caller. - Access this computer from the network. @@ -4234,10 +4598,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4255,31 +4619,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -4304,10 +4675,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4325,31 +4696,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -4363,7 +4741,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated when sensitive privileges (user rights) are used, such as the following: +This policy setting allows you to audit events generated when sensitive privileges (user rights) are used, such as the following: - A privileged service is called. - One of the following privileges are called: - Act as part of the operating system. @@ -4393,10 +4771,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4414,31 +4792,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -4452,7 +4837,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by the IPsec filter driver, such as the following: +This policy setting allows you to audit events generated by the IPsec filter driver, such as the following: - Startup and shutdown of the IPsec services. - Network packets dropped due to integrity check failure. - Network packets dropped due to replay check failure. @@ -4473,10 +4858,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4495,31 +4880,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -4533,7 +4925,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit any of the following events: +This policy setting allows you to audit any of the following events: - Startup and shutdown of the Windows Firewall service and driver. - Security policy processing by the Windows Firewall Service. - Cryptography key file and migration operations. @@ -4548,10 +4940,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 — Success -- 2 — Failure -- 3 (default) — Success+Failure +- 0—Off/None +- 1—Success +- 2—Failure +- 3 (default)—Success+Failure @@ -4570,31 +4962,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -4608,7 +5007,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by changes in the security state of the computer, such as the following events: +This policy setting allows you to audit events generated by changes in the security state of the computer, such as the following events: - Startup and shutdown of the computer. - Change of system time. - Recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. @@ -4623,10 +5022,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 (default) — Success -- 2 — Failure -- 3 — Success+Failure +- 0—Off/None +- 1 (default)—Success +- 2—Failure +- 3—Success+Failure @@ -4645,31 +5044,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -4683,7 +5089,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events related to security system extensions or services, such as the following: +This policy setting allows you to audit events related to security system extensions or services, such as the following: - A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM. - A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. @@ -4700,10 +5106,10 @@ GP Info: The following are the supported values: -- 0 (default) — Off/None -- 1 — Success -- 2 — Failure -- 3 — Success+Failure +- 0 (default)—Off/None +- 1—Success +- 2—Failure +- 3—Success+Failure @@ -4722,31 +5128,38 @@ The following are the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -4760,7 +5173,7 @@ The following are the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events that violate the integrity of the security subsystem, such as the following: +This policy setting allows you to audit events that violate the integrity of the security subsystem, such as the following: - Events that could not be written to the event log because of a problem with the auditing system. - A process that uses a local procedure call (LPC) port that is not valid in an attempt to impersonate a client by replying, reading, or writing to or from a client address space. - The detection of a Remote Procedure Call (RPC) that compromises system integrity. @@ -4777,10 +5190,10 @@ GP Info: The following are the supported values: -- 0 — Off/None -- 1 — Success -- 2 — Failure -- 3 (default) — Success+Failure +- 0—Off/None +- 1—Success +- 2—Failure +- 3 (default)—Success+Failure @@ -4792,15 +5205,6 @@ The following are the supported values:
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 490bc43255..b30980d636 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -59,31 +59,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  +
                  @@ -97,7 +104,7 @@ manager: dansimp -Added in Windows 10, version 1709. Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen. +Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen. @@ -117,31 +124,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -175,31 +189,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -235,31 +256,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  +
                  @@ -273,7 +301,7 @@ The following list shows the supported values: -Preview release in Windows 10, version 1709. Supported in the next release. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows logon credential provider for FIDO 2.0 +Supported in the next release. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows logon credential provider for FIDO 2.0 Value type is integer. @@ -297,31 +325,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1NoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  +
                  @@ -335,7 +370,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows. +Allows secondary authentication devices to work with Windows. The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premises only environment, cloud domain-joined in a hybrid environment, and BYOD). @@ -367,31 +402,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  +
                  @@ -405,7 +447,7 @@ The following list shows the supported values: -Available in Windows 10, version 1803. Specifies the list of domains that are allowed to be navigated to in AAD PIN reset and Web Sign-in Windows device scenarios where authentication is handled by AD FS or a third-party federated identity provider. Note this policy is required in federated environments as a mitigation to the vulnerability described in [CVE-2021-27092](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27092). +Specifies the list of domains that are allowed to be navigated to in AAD PIN reset and Web Sign-in Windows device scenarios where authentication is handled by AD FS or a third-party federated identity provider. Note this policy is required in federated environments as a mitigation to the vulnerability described in [CVE-2021-27092](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27092). **Example**: If your organization's PIN reset or Web Sign-in authentication flow is expected to navigate to two domains, accounts.contoso.com and signin.contoso.com, the policy value should be "accounts.contoso.com;signin.contoso.com". @@ -429,31 +471,38 @@ Available in Windows 10, version 1803. Specifies the list of domains that are al - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  +
                  @@ -468,7 +517,7 @@ Available in Windows 10, version 1803. Specifies the list of domains that are al > [!Warning] -> This policy is in preview mode only and therefore not meant or recommended for production purposes. +> The Web Sign-in feature is in preview mode only and therefore not meant or recommended for production purposes. This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts. @@ -501,31 +550,38 @@ Value type is integer. Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  +
                  @@ -540,7 +596,7 @@ Value type is integer. Supported values: > [!Warning] -> This policy is in preview mode only and therefore not meant or recommended for production purposes. +> The Web Sign-in feature is in preview mode only and therefore not meant or recommended for production purposes. "Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass. @@ -573,31 +629,38 @@ Value type is integer. Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  +
                  @@ -631,15 +694,6 @@ Value type is string.
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index 0eca05d2bb..0223d28d59 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - Autoplay +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -42,31 +48,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -88,12 +101,7 @@ If you enable this policy setting, AutoPlay is not allowed for MTP devices like If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -113,31 +121,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -168,12 +183,7 @@ b) Revert back to pre-Windows Vista behavior of automatically executing the auto If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -193,31 +203,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -249,12 +266,7 @@ If you disable or do not configure this policy setting, AutoPlay is enabled. Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -267,16 +279,7 @@ ADMX Info:
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index 03fcf174ca..c629f2ed81 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -39,31 +39,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -95,15 +102,6 @@ The following list shows the supported values:
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index 02abb3111c..087a16f215 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -57,31 +57,38 @@ If BITS/BandwidthThrottlingStartTime or BITS/BandwidthThrottlingEndTime are NOT - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark5YesYes
                  Procheck mark5YesYes
                  Businesscross markNoNo
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  +
                  @@ -107,7 +114,8 @@ Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrott If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. -Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. +> [!NOTE] +> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). @@ -140,28 +148,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark5YesYes
                  Procheck mark5YesYes
                  Businesscross markNoNo
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -190,7 +204,8 @@ Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrott If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. -Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. +> [!NOTE] +> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). @@ -223,28 +238,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark5YesYes
                  Procheck mark5YesYes
                  Businesscross markNoNo
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -273,7 +294,8 @@ Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrott If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. -Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. +> [!NOTE] +> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). @@ -306,28 +328,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark5YesYes
                  Procheck mark5YesYes
                  Businesscross markNoNo
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -384,28 +412,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark5YesYes
                  Procheck mark5YesYes
                  Businesscross markNoNo
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -462,28 +496,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark5YesYes
                  Procheck mark5YesYes
                  Businesscross markNoNo
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -540,16 +580,7 @@ Supported values range: 0 - 999
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 6426fba5e8..c209021556 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -52,31 +52,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -114,31 +121,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -176,31 +190,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  +
                  @@ -234,31 +255,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  +
                  @@ -272,7 +300,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. This policy allows the IT admin to block users on these managed devices from using Swift Pair and other proximity based scenarios. +This policy allows the IT admin to block users on these managed devices from using Swift Pair and other proximity based scenarios. @@ -292,31 +320,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -347,31 +382,38 @@ If this policy is not set or it is deleted, the default local radio name is used - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -385,7 +427,7 @@ If this policy is not set or it is deleted, the default local radio name is used -Added in Windows 10, version 1511. Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. +Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. The default value is an empty string. For more information, see [ServicesAllowedList usage guide](#servicesallowedlist-usage-guide) @@ -400,31 +442,38 @@ The default value is an empty string. For more information, see [ServicesAllowed - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark8YesYes
                  Businesscheck mark8YesYes
                  Enterprisecheck mark8YesYes
                  Educationcheck mark8YesYes
                  +
                  @@ -438,7 +487,7 @@ The default value is an empty string. For more information, see [ServicesAllowed -Added in Windows 10, version 2004. There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments. +There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments. @@ -458,16 +507,7 @@ For more information on allowed key sizes, refer to Bluetooth Core Specification
                  -Footnotes:
                  -- 1 - Available in Windows 10, version 1607.
                  -- 2 - Available in Windows 10, version 1703.
                  -- 3 - Available in Windows 10, version 1709.
                  -- 4 - Available in Windows 10, version 1803.
                  -- 5 - Available in Windows 10, version 1809.
                  -- 6 - Available in Windows 10, version 1903.
                  -- 7 - Available in Windows 10, version 1909.
                  -- 8 - Available in Windows 10, version 2004.
                  diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 14cd612597..52ab4dd052 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -201,31 +201,38 @@ ms.localizationpriority: medium - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesNo
                  Businesscheck mark2YesNo
                  Enterprisecheck mark2YesNo
                  Educationcheck mark2YesNo
                  +
                  @@ -272,31 +279,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  +
                  @@ -351,31 +365,38 @@ To verify AllowAutofill is set to 0 (not allowed): - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesNo
                  Businesscheck mark4YesNo
                  Enterprisecheck mark4YesNo
                  Educationcheck mark4YesNo
                  +
                  @@ -420,31 +441,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  +
                  @@ -499,31 +527,38 @@ To verify AllowCookies is set to 0 (not allowed): - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  +
                  @@ -539,7 +574,7 @@ To verify AllowCookies is set to 0 (not allowed): > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. [!INCLUDE [allow-developer-tools-shortdesc](../includes/allow-developer-tools-shortdesc.md)] @@ -570,31 +605,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  +
                  @@ -648,31 +690,38 @@ To verify AllowDoNotTrack is set to 0 (not allowed): - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesNo
                  Businesscheck mark1YesNo
                  Enterprisecheck mark1YesNo
                  Educationcheck mark1YesNo
                  +
                  @@ -717,31 +766,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  +
                  @@ -786,31 +842,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesNo
                  Businesscheck mark2YesNo
                  Enterprisecheck mark2YesNo
                  Educationcheck mark2YesNo
                  +
                  @@ -858,31 +921,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesNo
                  Businesscheck mark5YesNo
                  Enterprisecheck mark5YesNo
                  Educationcheck mark5YesNo
                  +
                  @@ -935,31 +1005,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  +
                  @@ -1004,31 +1081,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesNo
                  Businesscheck mark2YesNo
                  Enterprisecheck mark2YesNo
                  Educationcheck mark2YesNo
                  +
                  @@ -1077,31 +1161,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  +
                  @@ -1155,31 +1246,38 @@ To verify AllowPasswordManager is set to 0 (not allowed): - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  +
                  @@ -1233,31 +1331,38 @@ To verify AllowPopups is set to 0 (not allowed): - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesNo
                  Businesscheck mark5YesNo
                  Enterprisecheck mark5YesNo
                  Educationcheck mark5YesNo
                  +
                  @@ -1311,31 +1416,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesNo
                  Businesscheck mark5YesNo
                  Enterprisecheck mark5YesNo
                  Educationcheck mark5YesNo
                  +
                  @@ -1388,31 +1500,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesNo
                  Businesscheck mark5YesNo
                  Enterprisecheck mark5YesNo
                  Educationcheck mark5YesNo
                  +
                  @@ -1465,31 +1584,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesNo
                  Businesscheck mark2YesNo
                  Enterprisecheck mark2YesNo
                  Educationcheck mark2YesNo
                  +
                  @@ -1540,31 +1666,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  +
                  @@ -1610,31 +1743,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesNo
                  Businesscheck mark5YesNo
                  Enterprisecheck mark5YesNo
                  Educationcheck mark5YesNo
                  +
                  @@ -1687,31 +1827,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  +
                  @@ -1764,31 +1911,38 @@ To verify AllowSmartScreen is set to 0 (not allowed): - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesNo
                  Businesscheck mark5YesNo
                  Enterprisecheck mark5YesNo
                  Educationcheck mark5YesNo
                  +
                  @@ -1840,31 +1994,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesNo
                  Businesscheck mark5YesNo
                  Enterprisecheck mark5YesNo
                  Educationcheck mark5YesNo
                  +
                  @@ -1916,31 +2077,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesNo
                  Businesscheck mark4YesNo
                  Enterprisecheck mark4YesNo
                  Educationcheck mark4YesNo
                  +
                  @@ -1988,31 +2156,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesNo
                  Businesscheck mark2YesNo
                  Enterprisecheck mark2YesNo
                  Educationcheck mark2YesNo
                  +
                  @@ -2068,31 +2243,38 @@ To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesNo
                  Businesscheck mark2YesNo
                  Enterprisecheck mark2YesNo
                  Educationcheck mark2YesNo
                  +
                  @@ -2143,31 +2325,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesNo
                  Businesscheck mark5YesNo
                  Enterprisecheck mark5YesNo
                  Educationcheck mark5YesNo
                  +
                  @@ -2220,31 +2409,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesNo
                  Businesscheck mark5YesNo
                  Enterprisecheck mark5YesNo
                  Educationcheck mark5YesNo
                  +
                  @@ -2301,31 +2497,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesNo
                  Businesscheck mark5YesNo
                  Enterprisecheck mark5YesNo
                  Educationcheck mark5YesNo
                  +
                  @@ -2385,31 +2588,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesNo
                  Businesscheck mark5YesNo
                  Enterprisecheck mark5YesNo
                  Educationcheck mark5YesNo
                  +
                  @@ -2464,31 +2674,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesNo
                  Businesscheck mark5YesNo
                  Enterprisecheck mark5YesNo
                  Educationcheck mark5YesNo
                  +
                  @@ -2553,31 +2770,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesNo
                  Businesscheck mark5YesNo
                  Enterprisecheck mark5YesNo
                  Educationcheck mark5YesNo
                  +
                  @@ -2631,31 +2855,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesNo
                  Businesscheck mark2YesNo
                  Enterprisecheck mark2YesNo
                  Educationcheck mark2YesNo
                  +
                  @@ -2707,31 +2938,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesNo
                  Businesscheck mark4YesNo
                  Enterprisecheck mark4YesNo
                  Educationcheck mark4YesNo
                  +
                  @@ -2776,31 +3014,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  +
                  @@ -2819,7 +3064,7 @@ Most restricted value: 0 [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../includes/configure-enterprise-mode-site-list-shortdesc.md)] > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. @@ -2851,31 +3096,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  +
                  @@ -2904,31 +3156,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  +
                  @@ -2944,7 +3203,7 @@ Supported values: > [!NOTE] -> This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only available for Windows for desktop and not supported in Windows Mobile. [!INCLUDE [configure-start-pages-shortdesc](../includes/configure-start-pages-shortdesc.md)] @@ -2989,31 +3248,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesNo
                  Businesscheck mark3YesNo
                  Enterprisecheck mark3YesNo
                  Educationcheck mark3YesNo
                  +
                  @@ -3060,31 +3326,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  +
                  @@ -3129,31 +3402,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesNo
                  Businesscheck mark5YesNo
                  Enterprisecheck mark5YesNo
                  Educationcheck mark5YesNo
                  +
                  @@ -3204,31 +3484,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesNo
                  Businesscheck mark2YesNo
                  Enterprisecheck mark2YesNo
                  Educationcheck mark2YesNo
                  +
                  @@ -3274,31 +3561,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesNo
                  Businesscheck mark2YesNo
                  Enterprisecheck mark2YesNo
                  Educationcheck mark2YesNo
                  +
                  @@ -3344,31 +3638,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  +
                  @@ -3412,31 +3713,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  +
                  @@ -3481,31 +3789,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesNo
                  Businesscheck mark5YesNo
                  Enterprisecheck mark5YesNo
                  Educationcheck mark5YesNo
                  +
                  @@ -3556,31 +3871,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  +
                  @@ -3596,7 +3918,7 @@ Supported values: > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. [!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] @@ -3627,31 +3949,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesNo
                  Businesscheck mark3YesNo
                  Enterprisecheck mark3YesNo
                  Educationcheck mark3YesNo
                  +
                  @@ -3705,31 +4034,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  +
                  @@ -3748,7 +4084,7 @@ ADMX Info: [!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../includes/send-all-intranet-sites-to-ie-shortdesc.md)] > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. @@ -3779,31 +4115,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesNo
                  Businesscheck mark2YesNo
                  Enterprisecheck mark2YesNo
                  Educationcheck mark2YesNo
                  +
                  @@ -3857,31 +4200,38 @@ Most restricted value: 1 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesNo
                  Businesscheck mark5YesNo
                  Enterprisecheck mark5YesNo
                  Educationcheck mark5YesNo
                  +
                  @@ -3932,31 +4282,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesNo
                  Businesscheck mark5YesNo
                  Enterprisecheck mark5YesNo
                  Educationcheck mark5YesNo
                  +
                  @@ -4006,31 +4363,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  +
                  @@ -4049,7 +4413,7 @@ Supported values: > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. @@ -4079,31 +4443,38 @@ Most restricted value: 0 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  +
                  @@ -4123,7 +4494,7 @@ By default, a notification will be presented to the user informing them of this With this policy, you can either allow (default) or suppress this notification. > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. @@ -4142,36 +4513,43 @@ Supported values:
                  -**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge** +Browser/SyncFavoritesBetweenIEAndMicrosoftEdge - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesNo
                  Businesscheck mark2YesNo
                  Enterprisecheck mark2YesNo
                  Educationcheck mark2YesNo
                  +
                  @@ -4192,7 +4570,7 @@ Supported values: [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] > [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> This policy is only enforced in Windows for desktop and not supported in Windows Mobile. @@ -4230,31 +4608,38 @@ To verify that favorites are in synchronized between Internet Explorer and Micro - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesNo
                  Businesscheck mark5YesNo
                  Enterprisecheck mark5YesNo
                  Educationcheck mark5YesNo
                  +
                  @@ -4305,31 +4690,38 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesNo
                  Businesscheck mark4YesNo
                  Enterprisecheck mark4YesNo
                  Educationcheck mark4YesNo
                  +
                  @@ -4367,15 +4759,6 @@ Most restricted value: 0
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md index 22a1a37ce3..3ac207a7e5 100644 --- a/windows/client-management/mdm/policy-csp-camera.md +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -36,31 +36,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -97,16 +104,7 @@ The following list shows the supported values:
-Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md
index 7e776b0469..17a6da62e3 100644
--- a/windows/client-management/mdm/policy-csp-cellular.md
+++ b/windows/client-management/mdm/policy-csp-cellular.md
@@ -14,6 +14,12 @@ manager: dansimp
 # Policy CSP - Cellular
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -48,31 +54,39 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  + +
                  @@ -86,7 +100,7 @@ manager: dansimp -Added in Windows 10, version 1709. This policy setting specifies whether Windows apps can access cellular data. +This policy setting specifies whether Windows apps can access cellular data. You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting. @@ -128,31 +142,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  +
                  @@ -166,7 +187,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. @@ -188,31 +209,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  +
                  @@ -226,7 +254,7 @@ ADMX Info: -Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. @@ -248,31 +276,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  +
                  @@ -286,7 +321,7 @@ ADMX Info: -Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. +List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. @@ -308,31 +343,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
@@ -352,12 +394,7 @@ If this policy setting is enabled, a drop-down list box presenting possible valu
 If this policy setting is disabled or is not configured, the link to the per-application cellular access control page is showed by default.
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
@@ -370,16 +407,7 @@ ADMX Info:
-Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index 90a5286d6f..356d8123f7 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -14,6 +14,14 @@ manager: dansimp
 # Policy CSP - Connectivity
+>[!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
                  @@ -73,31 +81,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -139,31 +154,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -198,31 +220,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -277,31 +306,38 @@ To validate on mobile devices, do the following: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  +
                  @@ -318,7 +354,7 @@ To validate on mobile devices, do the following: > [!NOTE] > This policy requires reboot to take effect. -Added in Windows 10, version 1703. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. +Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. @@ -338,31 +374,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  +
                  @@ -376,7 +419,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue tasks, such as reading, email, and other tasks that require linking between Phone and PC. +This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue tasks, such as reading, email, and other tasks that require linking between Phone and PC. If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in 'Continue on PC experiences'. If you disable this policy setting, the Windows device is not allowed to be linked to phones, will remove itself from the device list of any linked Phones, and cannot participate in 'Continue on PC experiences'. If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. @@ -413,31 +456,38 @@ Device that has previously opt-in to MMX will also stop showing on the device li - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecross markNoNo
                  Educationcross markNoNo
                  +
                  @@ -478,31 +528,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -538,31 +595,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -598,31 +662,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -649,12 +720,7 @@ If you disable or do not configure this policy setting, users can choose to prin Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -674,31 +740,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -723,12 +796,7 @@ If you enable this policy setting, print drivers cannot be downloaded over HTTP. If you disable or do not configure this policy setting, users can download print drivers over HTTP. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -748,31 +816,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -797,12 +872,7 @@ If you disable or do not configure this policy setting, a list of providers are See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -822,31 +892,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  +
                  @@ -860,7 +937,7 @@ ADMX Info: -Added in Windows 10, version 1703. Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to to determine if the device can communicate with the Internet. This policy disables the NCSI active probe, preventing network connectivity to www.msftconnecttest.com. +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to to determine if the device can communicate with the Internet. This policy disables the NCSI active probe, preventing network connectivity to www.msftconnecttest.com. Value type is integer. @@ -883,31 +960,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -926,12 +1010,7 @@ This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -951,31 +1030,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -998,12 +1084,7 @@ The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to If you disable this setting or do not configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an existing Network Bridge from the user's computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1017,16 +1098,6 @@ ADMX Info:
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. -- 9 - Available in Windows 10, version 2009. diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index b1e5575610..f9aea239a4 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -35,31 +35,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  +
@@ -73,7 +80,7 @@ manager: dansimp
-Added in Windows 10, version 1803. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device.
+This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device.
 > [!NOTE]
 > MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs.
@@ -117,15 +124,6 @@ The following list shows the supported values:
-Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md
index cf333911ba..d4a0c57801 100644
--- a/windows/client-management/mdm/policy-csp-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-credentialproviders.md
@@ -14,6 +14,12 @@ manager: dansimp
 # Policy CSP - CredentialProviders
+> [!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -42,31 +48,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -86,17 +99,13 @@ If you enable this policy setting, a domain user can set up and sign in with a c If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN. -Note: The user's domain password will be cached in the system vault when using this feature. +> [!NOTE] +> The user's domain password will be cached in the system vault when using this feature. To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -116,31 +125,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -163,12 +179,7 @@ If you disable or don't configure this policy setting, a domain user can set up Note that the user's domain password will be cached in the system vault when using this feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -188,31 +199,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  +
                  @@ -226,7 +244,7 @@ ADMX Info: -Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. +Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the Autopilot Reset is triggered the devices are for ready for use by information workers or students. @@ -241,16 +259,7 @@ The following list shows the supported values:
-Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
index d4806508e7..a02c13b489 100644
--- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md
+++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
@@ -14,6 +14,12 @@ manager: dansimp
 # Policy CSP - CredentialsDelegation
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -36,31 +42,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -83,12 +96,7 @@ If you enable this policy setting, the host supports Restricted Admin or Remote If you disable or do not configure this policy setting, Restricted Administration and Remote Credential Guard mode are not supported. User will always need to pass their credentials to the host. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -101,16 +109,7 @@ ADMX Info:
-Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
index 5fdff42127..0d294e4618 100644
--- a/windows/client-management/mdm/policy-csp-credentialsui.md
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -14,7 +14,12 @@ manager: dansimp
 # Policy CSP - CredentialsUI
-
+> [!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -39,31 +44,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -89,12 +101,7 @@ By default, the password reveal button is displayed after a user types a passwor The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -114,31 +121,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -159,12 +173,7 @@ If you enable this policy setting, all local administrator accounts on the PC wi If you disable this policy setting, users will always be required to type a user name and password to elevate. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -177,16 +186,7 @@ ADMX Info:
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index 88e34b4df9..66af935c69 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -39,31 +39,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -108,31 +115,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -164,16 +178,7 @@ Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index afbff9a990..ed9a1f87c4 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -39,31 +39,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -99,31 +106,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -150,15 +164,6 @@ Setting used by Windows 8.1 Selective Wipe.
-Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md
index 652bf56c3c..9fcd657539 100644
--- a/windows/client-management/mdm/policy-csp-datausage.md
+++ b/windows/client-management/mdm/policy-csp-datausage.md
@@ -14,7 +14,12 @@ manager: dansimp
 # Policy CSP - DataUsage
-
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -52,31 +57,38 @@ This policy is deprecated in Windows 10, version 1809. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -103,12 +115,7 @@ If this policy setting is enabled, a drop-down list box presenting possible cost If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -121,16 +128,7 @@ ADMX Info:
-Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index c7445826de..56cd9f6c18 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -43,9 +43,6 @@ manager: dansimp
                  Defender/AllowIOAVProtection
                  -
                  - Defender/AllowIntrusionPreventionSystem -
                  Defender/AllowOnAccessProtection
                  @@ -156,31 +153,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -226,31 +230,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -296,31 +307,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -367,31 +385,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -437,31 +462,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -507,31 +539,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -577,31 +616,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -641,99 +687,44 @@ The following list shows the supported values:
                  - -**Defender/AllowIntrusionPreventionSystem** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecheck mark
                  Procheck mark
                  Businesscheck mark
                  Enterprisecheck mark
                  Educationcheck mark
                  - - -
                  - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -Allows or disallows Windows Defender Intrusion Prevention functionality. - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
                  - **Defender/AllowOnAccessProtection** - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -779,31 +770,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -849,31 +847,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -919,31 +924,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -981,31 +993,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -1051,31 +1070,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark3YesYes
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  +
                  @@ -1093,7 +1119,7 @@ The following list shows the supported values: > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe".. +This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe".. Value type is string. @@ -1117,31 +1143,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark3YesYes
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  +
                  @@ -1159,7 +1192,7 @@ ADMX Info: > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule. +This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule. For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction). @@ -1185,31 +1218,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -1256,31 +1296,38 @@ Valid values: 0–100 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark5YesYes
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  +
                  @@ -1338,31 +1385,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark3YesYes
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  +
                  @@ -1380,7 +1434,7 @@ ADMX Info: > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. +This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Microsoft Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. @@ -1418,31 +1472,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark3YesYes
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  +
                  @@ -1459,7 +1520,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. +This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. @@ -1488,31 +1549,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark3YesYes
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  +
                  @@ -1551,31 +1619,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark3YesYes
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  +
                  @@ -1592,7 +1667,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders. -Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator. +This policy settings allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator. @@ -1614,31 +1689,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -1685,31 +1767,38 @@ Valid values: 0–90 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark5YesYes
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  +
                  @@ -1765,31 +1854,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark5YesYes
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  +
                  @@ -1845,31 +1941,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark3YesYes
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  +
                  @@ -1886,7 +1989,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess. -Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the controlled folder access feature. The controlled folder access feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. +This policy enables setting the state (On/Off/Audit) for the controlled folder access feature. The controlled folder access feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. @@ -1916,31 +2019,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark5YesYes
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  +
                  @@ -1994,31 +2104,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark3YesYes
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  +
                  @@ -2035,7 +2152,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. +This policy allows you to turn network protection on (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit. If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center. @@ -2071,31 +2188,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -2135,31 +2259,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -2199,31 +2330,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -2269,31 +2407,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -2311,7 +2456,7 @@ ADMX Info: > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer. +Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer. > [!NOTE] > Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. For more information about PUA, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). @@ -2344,31 +2489,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -2419,31 +2571,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -2490,31 +2649,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -2567,31 +2733,38 @@ Valid values: 0–1380 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -2648,31 +2821,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -2725,31 +2905,38 @@ Valid values: 0–1380. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark5YesYes
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  +
                  @@ -2809,31 +2996,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark5YesYes
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  +
                  @@ -2888,31 +3082,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -2963,31 +3164,38 @@ Valid values: 0–24. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -3036,31 +3244,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -3111,16 +3326,6 @@ ADMX Info:
-Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-- 9 - Available in Windows 10, version 20H2.
-
\ No newline at end of file
+
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index a1644a0373..b889259061 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -14,6 +14,13 @@ manager: dansimp
 # Policy CSP - DeliveryOptimization
+>[!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
                  @@ -123,31 +130,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  +
                  @@ -165,7 +179,7 @@ manager: dansimp > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1607. Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space. +Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space. The default value is 10. @@ -189,31 +203,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  +
                  @@ -231,7 +252,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. +Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. @@ -260,31 +281,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  +
                  @@ -332,31 +360,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark8YesYes
                  Businesscheck mark8YesYes
                  Enterprisecheck mark8YesYes
                  Educationcheck mark8YesYes
                  +
                  @@ -412,31 +447,38 @@ When DHCP Option ID Force (2) is set, the client will query DHCP Option ID 235 a - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  +
                  @@ -450,7 +492,7 @@ When DHCP Option ID Force (2) is set, the client will query DHCP Option ID 235 a -Added in Windows 10, version 1803. This policy allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. +This policy allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. After the max delay is reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from peers. Note that a download that is waiting for peer sources, will appear to be stuck for the end user. The recommended value is 1 hour (3600). @@ -474,31 +516,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -547,31 +596,38 @@ Supported values: 0 - one month (in seconds) - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -618,31 +674,38 @@ Supported values: 0 - one month (in seconds) - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  +
                  @@ -656,7 +719,7 @@ Supported values: 0 - one month (in seconds) -Added in Windows 10, version 1803. This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. +This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers. @@ -692,31 +755,38 @@ The following list shows the supported values as number of seconds: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -766,31 +836,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -833,31 +910,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  +
                  @@ -871,7 +955,7 @@ ADMX Info: -Added in Windows 10, version 1803. Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. +Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. When set, the Group ID will be assigned automatically from the selected source. @@ -913,31 +997,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark8YesYes
                  Businesscheck mark8YesYes
                  Enterprisecheck mark8YesYes
                  Educationcheck mark8YesYes
                  +
                  @@ -975,28 +1066,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1041,31 +1138,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -1130,31 +1234,38 @@ This policy is deprecated. Use [DOMaxForegroundDownloadBandwidth](#deliveryoptim - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark8YesYes
                  Businesscheck mark8YesYes
                  Enterprisecheck mark8YesYes
                  Educationcheck mark8YesYes
                  +
                  @@ -1211,31 +1322,38 @@ This policy is deprecated because it only applies to uploads to Internet peers ( - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  +
                  @@ -1253,7 +1371,7 @@ This policy is deprecated because it only applies to uploads to Internet peers ( > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1607. Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. +Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. The default value is 500. @@ -1277,31 +1395,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  +
                  @@ -1318,7 +1443,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery. +Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery. The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used. @@ -1342,31 +1467,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  +
                  @@ -1384,7 +1516,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. Recommended values: 64 GB to 256 GB. +Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. Recommended values: 64 GB to 256 GB. > [!NOTE] > If the DOMofidyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy. @@ -1411,31 +1543,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  +
                  @@ -1453,7 +1592,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. +Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. The default value is 100 MB. @@ -1477,31 +1616,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  +
                  @@ -1519,7 +1665,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. +Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. The default value is 4 GB. @@ -1543,31 +1689,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  +
                  @@ -1585,7 +1738,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1607. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path. +Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path. By default, %SystemDrive% is used to store the cache. @@ -1609,31 +1762,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  +
                  @@ -1651,7 +1811,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1607. Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. +Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set. @@ -1677,31 +1837,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  +
                  @@ -1715,7 +1882,7 @@ ADMX Info: -Added in Windows 10, version 1803. Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. +Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. Note that downloads from LAN peers will not be throttled even when this policy is set. @@ -1752,31 +1919,38 @@ This policy is deprecated. Use [DOPercentageMaxForegroundBandwidth](#deliveryopt - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  +
                  @@ -1790,7 +1964,7 @@ This policy is deprecated. Use [DOPercentageMaxForegroundBandwidth](#deliveryopt -Added in Windows 10, version 1803. Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. +Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. Note that downloads from LAN peers will not be throttled even when this policy is set. @@ -1814,31 +1988,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  +
                  @@ -1852,7 +2033,7 @@ ADMX Info: -Added in Windows 10, version 1803. Set this policy to restrict peer selection via selected option. +Set this policy to restrict peer selection via selected option. Options available are: 1=Subnet mask (more options will be added in a future release). Option 1 (Subnet mask) applies to both Download Mode LAN (1) and Group (2). @@ -1883,31 +2064,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  +
                  @@ -1921,15 +2109,10 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. +Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1957,31 +2140,38 @@ This policy allows an IT Admin to define the following: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  +
                  @@ -1995,15 +2185,10 @@ This policy allows an IT Admin to define the following: -Added in Windows 10, version 1803. Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. +Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2024,16 +2209,6 @@ This policy allows an IT Admin to define the following:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md
index 9a3bcc48ee..1c8ca1f094 100644
--- a/windows/client-management/mdm/policy-csp-desktop.md
+++ b/windows/client-management/mdm/policy-csp-desktop.md
@@ -14,7 +14,12 @@ manager: dansimp # Policy CSP - Desktop
-
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -36,31 +41,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscross markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -81,12 +93,7 @@ By default, a user can change the location of their individual profile folders l If you enable this setting, users are unable to type a new location in the Target box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -99,16 +106,7 @@ ADMX Info:
-Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index 157279f8f5..a7b099ab6f 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -44,31 +44,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  +
                  @@ -121,31 +128,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  +
                  @@ -159,7 +173,7 @@ ADMX Info: -Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. +Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. @@ -187,31 +201,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  +
                  @@ -225,7 +246,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. +This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. @@ -255,28 +276,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -293,7 +320,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. Specifies the platform security level at the next reboot. Value type is integer. +Specifies the platform security level at the next reboot. Value type is integer. @@ -315,15 +342,6 @@ The following list shows the supported values:
-Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
index 35190895c9..2d0bfe0011 100644
--- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
+++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
@@ -42,31 +42,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -106,31 +113,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -169,31 +183,38 @@ IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -225,16 +246,7 @@ In most cases, an IT Pro does not need to define this policy. Instead, it is exp
-Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 013edacaec..c14144ccd7 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -14,6 +14,13 @@ ms.localizationpriority: medium # Policy CSP - DeviceInstallation
+>[!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
                  @@ -59,31 +66,38 @@ ms.localizationpriority: medium - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  +
                  @@ -120,12 +134,7 @@ Peripherals can be specified by their [hardware identity](/windows-hardware/driv -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -183,31 +192,38 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -216,7 +232,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and > [!div class = "checklist"] > * Device -Added in Windows 10, version 1903. Also available in Windows 10, version 1809. +
                  @@ -244,12 +260,7 @@ If you disable or do not configure this policy setting, and no other policy sett Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -304,31 +315,38 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  +
                  @@ -367,12 +385,7 @@ If you disable or do not configure this policy setting, and no other policy sett Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -437,31 +450,38 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  +
                  @@ -500,12 +520,7 @@ Device instance IDs > Device IDs > Device setup class > Removable devices If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -564,31 +579,38 @@ You can also change the evaluation order of device installation policy settings - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  +
                  @@ -609,12 +631,7 @@ If you enable this policy setting, Windows does not retrieve device metadata for If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -643,31 +660,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  +
                  @@ -691,12 +715,7 @@ If you enable this policy setting, Windows is prevented from installing or updat If you disable or do not configure this policy setting, Windows is allowed to install or update the driver package for any device that is not described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -758,31 +777,38 @@ You can also block installation by using a custom profile in Intune. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -808,12 +834,7 @@ If you disable or do not configure this policy setting, devices can be installed Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -878,31 +899,38 @@ For example, this custom profile blocks installation and usage of USB devices wi - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  +
                  @@ -916,7 +944,7 @@ For example, this custom profile blocks installation and usage of USB devices wi -Added in Windows 10, version 1903. Also available in Windows 10, version 1809. This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. +This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. 
@@ -925,12 +953,7 @@ If you disable or do not configure this policy setting, devices can be installed Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1005,31 +1028,38 @@ with - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -1055,12 +1085,7 @@ If you disable or do not configure this policy setting, Windows can install and Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1117,15 +1142,6 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 3df3e81293..0288d5c9c7 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -75,31 +75,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecross markNoNo
                  Educationcross markNoNo
                  +
                  @@ -139,31 +146,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -204,31 +218,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -247,7 +268,7 @@ Determines the type of PIN required. This policy only applies if the **DeviceLoc > [!NOTE] > This policy must be wrapped in an Atomic command. > -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education). +> Always use the Replace command instead of Add for this policy in Windows for desktop editions (Home, Pro, Enterprise, and Education). @@ -275,31 +296,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -318,7 +346,7 @@ Specifies whether device lock is enabled. > [!NOTE] > This policy must be wrapped in an Atomic command. > -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. +> Always use the Replace command instead of Add for this policy in Windows for desktop editions. @@ -374,31 +402,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -441,31 +476,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -508,31 +550,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  +
                  @@ -546,7 +595,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. +Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. > [!NOTE] > This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro. @@ -565,31 +614,38 @@ Value type is a string, which is the full image filepath and filename. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -639,31 +695,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -707,31 +770,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -750,7 +820,7 @@ The number of complex element types (uppercase and lowercase letters, numbers, a > [!NOTE] > This policy must be wrapped in an Atomic command. > -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. +> Always use the Replace command instead of Add for this policy in Windows for desktop editions. PIN enforces the following behavior for desktop and mobile devices: @@ -829,31 +899,38 @@ For additional information about this policy, see [Exchange ActiveSync Policy En - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -872,7 +949,7 @@ Specifies the minimum number or characters required in the PIN or password. > [!NOTE] > This policy must be wrapped in an Atomic command. > -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. +> Always use the Replace command instead of Add for this policy in Windows for desktop editions. @@ -922,31 +999,38 @@ The following example shows how to set the minimum password length to 4 characte - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark3YesYes
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  +
                  @@ -983,31 +1067,38 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -1053,31 +1144,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  +
                  @@ -1117,15 +1215,6 @@ ADMX Info:
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index 12a6952ffa..d24d5b7075 100644 --- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -48,31 +48,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  +
                  @@ -108,31 +115,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  +
                  @@ -188,31 +202,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  +
                  @@ -248,31 +269,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  +
                  @@ -323,31 +351,38 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  +
                  @@ -391,16 +426,7 @@ To validate on Desktop, do the following:
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 2ca5164a50..e16f8e14e9 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -35,31 +35,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  +
                  @@ -111,15 +118,6 @@ ADMX Info:
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index 7d2b8ebb1e..42ade7935c 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -44,31 +44,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark8YesYes
                  Procheck mark8YesYes
                  Businesscheck mark8YesYes
                  Enterprisecheck mark8YesYes
                  Educationcheck mark8YesYes
                  +
                  @@ -82,7 +89,7 @@ manager: dansimp -Added in Windows 10, version 2004. This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you will be able to access graphing functionality. +This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you will be able to access graphing functionality. ADMX Info: @@ -107,31 +114,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  +
                  @@ -145,7 +159,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. This policy allows IT Admins to set the user's default printer. +This policy allows IT Admins to set the user's default printer. The policy value is expected to be the name (network host name) of an installed printer. @@ -160,31 +174,38 @@ The policy value is expected to be the name (network host name) of an installed - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  +
                  @@ -198,7 +219,7 @@ The policy value is expected to be the name (network host name) of an installed -Added in Windows 10, version 1709. Allows IT Admins to prevent user installation of additional printers from the printers settings. +Allows IT Admins to prevent user installation of additional printers from the printers settings. @@ -226,31 +247,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  +
                  @@ -264,7 +292,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. Allows IT Admins to automatically provision printers based on their names (network host names). +Allows IT Admins to automatically provision printers based on their names (network host names). The policy value is expected to be a `````` separated list of printer names. The OS will attempt to search and install the matching printer driver for each listed printer. @@ -272,16 +300,7 @@ The policy value is expected to be a `````` separated list of printer na
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md index af07ab44cf..ab1ce55fca 100644 --- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md +++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -51,28 +51,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -89,7 +95,7 @@ manager: dansimp -Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails. +Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails. The datatype is a string. @@ -106,28 +112,34 @@ The default value is an empty string. Otherwise, the value should contain the UR - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -144,7 +156,7 @@ The default value is an empty string. Otherwise, the value should contain the UR -Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails. +Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails. The datatype is a string. @@ -161,28 +173,34 @@ The default value is an empty string. Otherwise, the value should contain a GUID - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -199,7 +217,7 @@ The default value is an empty string. Otherwise, the value should contain a GUID -Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails. +Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails. The datatype is a string. @@ -216,28 +234,34 @@ The default value is an empty string. Otherwise, the value should contain a URL. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -254,7 +278,7 @@ The default value is an empty string. Otherwise, the value should contain a URL. -Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails. +Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails. The datatype is a string. @@ -271,28 +295,34 @@ The default value is an empty string. Otherwise, the value should contain the UR - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -309,7 +339,7 @@ The default value is an empty string. Otherwise, the value should contain the UR -Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails. +Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails. The datatype is an integer. @@ -324,28 +354,34 @@ The datatype is an integer. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -362,7 +398,7 @@ The datatype is an integer. -Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails. +Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails. The datatype is a string. @@ -372,16 +408,6 @@ The default value is an empty string. Otherwise, the value should contain a URL.
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md index a24a91ef51..9c470e1ddf 100644 --- a/windows/client-management/mdm/policy-csp-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-errorreporting.md @@ -14,7 +14,12 @@ manager: dansimp # Policy CSP - ErrorReporting - +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -48,28 +53,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -103,12 +114,6 @@ If you enable this policy setting, you can add specific event types to a list by If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -128,28 +133,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -173,12 +184,6 @@ If you enable this policy setting, Windows Error Reporting does not send any pro If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -198,28 +203,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -247,12 +258,6 @@ If you do not configure this policy setting, users can change this setting in Co See also the Configure Error Reporting policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -272,28 +277,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -317,12 +328,6 @@ If you enable this policy setting, any additional data requests from Microsoft i If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -342,28 +347,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -387,12 +398,6 @@ If you enable this policy setting, Windows Error Reporting does not display any If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -405,16 +410,6 @@ ADMX Info:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md index 43366ce6ff..be19cffdee 100644 --- a/windows/client-management/mdm/policy-csp-eventlogservice.md +++ b/windows/client-management/mdm/policy-csp-eventlogservice.md @@ -45,28 +45,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -92,12 +98,6 @@ If you disable or do not configure this policy setting and a log file reaches it Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -117,28 +117,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -162,12 +168,6 @@ If you enable this policy setting, you can configure the maximum log file size t If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -187,28 +187,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -232,12 +238,6 @@ If you enable this policy setting, you can configure the maximum log file size t If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -257,28 +257,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -302,12 +308,6 @@ If you enable this policy setting, you can configure the maximum log file size t If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -320,16 +320,6 @@ ADMX Info:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index ff50ae9cb0..bbbcfee611 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -37,9 +37,6 @@ manager: dansimp
                  Experience/AllowManualMDMUnenrollment
                  -
                  - Experience/AllowNewsAndInterestsOnTheTaskbar -
                  Experience/AllowSaveAsOfOfficeFiles
                  @@ -105,28 +102,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -184,28 +187,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -252,28 +261,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -314,28 +329,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscross markNoNo
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -352,7 +373,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy turns on Find My Device. +This policy turns on Find My Device. When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. In Windows 10, version 1709 devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer. @@ -384,28 +405,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -442,65 +469,6 @@ The following list shows the supported values:
                  - - -**Experience/AllowNewsAndInterestsOnTheTaskbar** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procheck mark
                  Businesscheck mark
                  Enterprisecheck mark
                  Educationcheck mark
                  - - -
                  - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
                  - - - -Specifies whether to allow "News and interests" on the Taskbar. - - - -The values for this policy are 1 and 0. This policy defaults to 1. - -- 1 - Default - News and interests feature will be allowed on the taskbar. The settings UI will be present in Taskbar context menu, and users will be able to turn off or switch mode. - -- 0 - News and interests feature will be turned off completely, and the settings UI in Taskbar context menu will be removed. - - - - -
                  Experience/AllowSaveAsOfOfficeFiles @@ -531,28 +499,34 @@ This policy is deprecated. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -589,28 +563,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscross markNoNo
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -630,7 +610,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. +This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value. @@ -665,28 +645,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -735,28 +721,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -808,28 +800,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -880,28 +878,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -921,7 +925,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows. +This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows. Most restricted value is 0. @@ -951,28 +955,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -989,7 +999,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. This policy allows IT admins to turn off Suggestions in Settings app. These suggestions from Microsoft may show after each OS clean install, upgrade or an on-going basis to help users discover apps/features on Windows or across devices, to make their experience productive. +This policy allows IT admins to turn off Suggestions in Settings app. These suggestions from Microsoft may show after each OS clean install, upgrade or an on-going basis to help users discover apps/features on Windows or across devices, to make their experience productive. - User setting is under Settings -> Privacy -> General -> Show me suggested content in Settings app. - User Setting is changeable on a per user basis. @@ -1021,28 +1031,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -1062,7 +1078,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature. +This policy setting lets you turn off the Windows spotlight Windows welcome experience feature. The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested. Most restricted value is 0. @@ -1093,28 +1109,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1159,28 +1181,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoYes
                  Procheck markNoYes
                  Businesscheck markNoNo
                  Enterprisecheck markNoYes
                  Educationcheck markNoYes
                  @@ -1206,6 +1234,9 @@ The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not - 2 - Hide: The Chat icon will be hidden by default. Users can show or hide it in Settings. - 3 - Disabled: The Chat icon will not be displayed, and users cannot show or hide it in Settings. +> [!NOTE] +> Option 1 (Show) and Option 2 (Hide) only work on the first sign-in attempt. Option 3 (Disabled) works on all attempts. + @@ -1217,28 +1248,34 @@ The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -1286,28 +1323,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark9YesYes
                  Procheck mark9YesYes
                  Businesscheck mark9YesYes
                  Enterprisecheck mark9YesYes
                  Educationcheck mark9YesYes
                  @@ -1356,28 +1399,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -1426,28 +1475,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -1512,36 +1567,40 @@ _**Turn syncing off by default but don’t disable**_ -
                  - **Experience/PreventUsersFromTurningOnBrowserSyncing** - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -1615,28 +1674,34 @@ Validation procedure: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -1685,16 +1750,5 @@ Supported values:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. -- 9 - Available in Windows 10, version 20H2. diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index e192bd9e82..8e59c287d3 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark3NoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -118,15 +124,5 @@ Here is an example:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md
new file mode 100644
index 0000000000..0f683d9be9
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-feeds.md
@@ -0,0 +1,103 @@
+---
+title: Policy CSP - Feeds
+description: Use the Policy CSP - Feeds setting policy specifies whether news and interests is allowed on the device.
+ms.author: v-nsatapathy
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nimishasatapathy
+ms.localizationpriority: medium
+ms.date: 09/17/2021
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - Feeds
+
+
+
                  + + +## Feeds policies + +
                  +
                  + Feeds/FeedsEnabled +
                  +
                  + + +
                  + + +**Feeds/FeedsEnabled** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  EditionWindows 10Windows 11
                  HomeNoNo
                  ProYesNo
                  BusinessYesNo
                  EnterpriseYesNo
                  EducationYesNo
                  + + +
                  + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
                  + + + +This policy setting specifies whether news and interests is allowed on the device. + +The values for this policy are 1 and 0. This policy defaults to 1. + +- 1 - Default - News and interests feature will be allowed on the taskbar. The settings UI will be present in Taskbar context menu, and users will be able to turn off or switch mode. + +- 0 - News and interests feature will be turned off completely, and the settings UI in Taskbar context menu will be removed. + + + + +ADMX Info: +- GP Friendly name: *Enable news and interests on the taskbar* +- GP name: *FeedsEnabled* +- GP path: *Windows Components\News and interests* +- GP ADMX file name: *Feeds.admx* + + + + + + diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md index 82dce114b4..1c0625e677 100644 --- a/windows/client-management/mdm/policy-csp-fileexplorer.md +++ b/windows/client-management/mdm/policy-csp-fileexplorer.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - FileExplorer +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -39,28 +45,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -80,12 +92,6 @@ manager: dansimp Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -105,28 +111,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -145,14 +157,6 @@ ADMX Info: Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Turn off heap termination on corruption* @@ -164,16 +168,5 @@ ADMX Info:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md index f62143e2a6..8b0c46251d 100644 --- a/windows/client-management/mdm/policy-csp-games.md +++ b/windows/client-management/mdm/policy-csp-games.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -87,16 +93,6 @@ The following list shows the supported values:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md index 615be07c90..1051831b08 100644 --- a/windows/client-management/mdm/policy-csp-handwriting.md +++ b/windows/client-management/mdm/policy-csp-handwriting.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3NoNo
                  Businesscross markNoNo
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -74,7 +80,7 @@ manager: dansimp -Added in Windows 10. version 1709. This policy allows an enterprise to configure the default mode for the handwriting panel. +This policy allows an enterprise to configure the default mode for the handwriting panel. The handwriting panel has 2 modes - floats near the text box, or docked to the bottom of the screen. The default configuration to is floating near text box. If you want the panel to be fixed or docked, use this policy to fix it to the bottom of the screen. @@ -101,16 +107,5 @@ The following list shows the supported values:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index 8222726809..df389346d7 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -799,6 +799,12 @@ manager: dansimp
+> [!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -808,28 +814,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -854,12 +866,6 @@ If you enable this policy setting, the user can add and remove search providers, If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -879,28 +885,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -925,12 +937,6 @@ If you enable this policy setting, ActiveX Filtering is enabled by default for t If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -950,28 +956,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1002,12 +1014,6 @@ Value - A number indicating whether Internet Explorer should deny or allow the a If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1027,28 +1033,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1074,12 +1086,6 @@ If you disable this setting the user cannot change "User name and passwords on f If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1099,28 +1105,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1145,12 +1157,6 @@ If you enable this policy setting, the certificate address mismatch warning alwa If you disable or do not configure this policy setting, the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the Internet Control panel). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1170,28 +1176,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1220,12 +1232,6 @@ If you do not configure this policy setting, it can be configured on the General If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting has no effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1245,28 +1251,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1293,12 +1305,6 @@ If you disable this policy setting, Enhanced Protected Mode will be turned off. If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1318,28 +1324,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -1366,12 +1378,6 @@ If you disable this policy setting, users do not receive enhanced suggestions wh If you do not configure this policy setting, users can change the Suggestions setting on the Settings charm. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1402,28 +1408,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1448,12 +1460,6 @@ If you turn this setting on, users can see and use the Enterprise Mode option fr If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1473,28 +1479,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1519,12 +1531,6 @@ If you enable this policy setting, Internet Explorer downloads the website list If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1544,28 +1550,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1591,12 +1603,6 @@ This policy does not affect which security protocols are enabled. If you disable this policy, system defaults will be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1616,28 +1622,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1662,12 +1674,6 @@ If you enable this policy setting, the user can add and remove sites from the li If you disable or do not configure this policy setting, the user can add and remove sites from the list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1687,28 +1693,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1735,12 +1747,6 @@ If you disable this policy setting, Internet Explorer uses an Internet Explorer If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1760,28 +1766,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1812,12 +1824,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1837,28 +1843,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1889,12 +1901,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1914,28 +1920,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1966,12 +1978,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1991,28 +1997,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -2043,12 +2055,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2068,28 +2074,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -2120,12 +2132,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2145,28 +2151,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -2197,12 +2209,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2222,28 +2228,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -2274,12 +2286,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2299,28 +2305,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -2345,12 +2357,6 @@ If you enable this policy setting, Internet Explorer goes directly to an intrane If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2370,28 +2376,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark7YesYes
                  Businesscheck mark7YesYes
                  Enterprisecheck mark7YesYes
                  Educationcheck mark7YesYes
                  @@ -2417,12 +2429,6 @@ This policy setting allows the administrator to enable "Save Target As" context For more information, see [https://go.microsoft.com/fwlink/?linkid=2102115](/deployedge/edge-ie-mode-faq) -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2452,28 +2458,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -2509,12 +2521,6 @@ If you disable or do not configure this policy, users may choose their own site- The list is a set of pairs of strings. Each string is separated by F000. Each pair of strings is stored as a registry name and value. The registry name is the site and the value is an index. The index has to be sequential. See an example below. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2559,28 +2565,34 @@ Value and index pairs in the SyncML example: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -2607,12 +2619,6 @@ If you disable this policy setting, users cannot run or install files with an in If you do not configure this policy, users can choose to run or install files with an invalid signature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2632,28 +2638,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -2680,12 +2692,6 @@ If you disable this policy setting, the entry points and functionality associate If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2705,28 +2711,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -2757,12 +2769,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2782,28 +2788,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -2834,12 +2846,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2859,28 +2865,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -2911,12 +2923,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2936,28 +2942,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -2984,12 +2996,6 @@ If you disable this policy setting, Internet Explorer will not check server cert If you do not configure this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3009,28 +3015,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -3057,12 +3069,6 @@ If you disable this policy setting, Internet Explorer will not check the digital If you do not configure this policy, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3081,28 +3087,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark7YesYes
                  Businesscheck mark7YesYes
                  Enterprisecheck mark7YesYes
                  Educationcheck mark7YesYes
                  @@ -3147,12 +3159,6 @@ If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge > For more information about the Windows update for the next version of Microsoft Edge including how to disable it, see [https://go.microsoft.com/fwlink/?linkid=2102115](/deployedge/edge-ie-mode-faq). This update applies only to Windows 10 version 1709 and higher. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3374,28 +3380,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -3424,12 +3436,6 @@ If you disable this policy setting, Internet Explorer will not require consisten If you do not configure this policy setting, Internet Explorer requires consistent MIME data for all received files. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3449,28 +3455,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -3495,12 +3507,6 @@ This setting determines whether IE automatically downloads updated versions of M If you disable or do not configure this setting, IE continues to download updated versions of VersionList.XML. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3531,28 +3537,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -3579,12 +3591,6 @@ If you disable, or do not configure this policy setting, Flash is turned on for Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3604,28 +3610,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -3650,12 +3662,6 @@ If you enable this policy setting, Windows Defender SmartScreen warnings block t If you disable or do not configure this policy setting, the user can bypass Windows Defender SmartScreen warnings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3675,28 +3681,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -3721,12 +3733,6 @@ If you enable this policy setting, Windows Defender SmartScreen warnings block t If you disable or do not configure this policy setting, the user can bypass Windows Defender SmartScreen warnings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3746,28 +3752,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -3792,12 +3804,6 @@ If you enable this policy setting, the user cannot use the Compatibility View bu If you disable or do not configure this policy setting, the user can use the Compatibility View button and manage the Compatibility View sites list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3828,28 +3834,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -3874,12 +3886,6 @@ If you enable this policy setting, a user cannot set the number of days that Int If you disable or do not configure this policy setting, a user can set the number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3899,28 +3905,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -3945,12 +3957,6 @@ If you enable this policy setting, a crash in Internet Explorer will exhibit beh If you disable or do not configure this policy setting, the crash detection feature for add-on management will be functional. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3970,28 +3976,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -4018,12 +4030,6 @@ If you disable this policy setting, the user must participate in the CEIP, and t If you do not configure this policy setting, the user can choose to participate in the CEIP. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4043,28 +4049,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -4093,12 +4105,6 @@ If you do not configure this policy setting, the user can choose whether to dele If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4118,28 +4124,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -4164,12 +4176,6 @@ If you enable this policy setting, the user cannot set the Feed Sync Engine to d If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4189,28 +4195,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -4237,12 +4249,6 @@ If you disable or do not configure this policy setting, the user can select whic Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4262,28 +4268,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -4308,12 +4320,6 @@ If you enable this policy setting, the ability to synchronize feeds and Web Slic If you disable or do not configure this policy setting, the user can synchronize feeds and Web Slices in the background. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4344,28 +4350,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -4394,12 +4406,6 @@ Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not avail If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4419,28 +4425,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -4469,12 +4481,6 @@ If you disable this policy setting, flip ahead with page prediction is turned on If you don't configure this setting, users can turn this behavior on or off, using the Settings charm. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4494,28 +4500,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -4542,12 +4554,6 @@ If you disable this policy setting, browser geolocation support is turned on. If you do not configure this policy setting, browser geolocation support can be turned on or off in Internet Options on the Privacy tab. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4578,28 +4584,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -4623,12 +4635,6 @@ If you enable this policy setting, a user cannot set a custom default home page. If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4646,28 +4652,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark7YesYes
                  Businesscheck mark7YesYes
                  Enterprisecheck mark7YesYes
                  Educationcheck mark7YesYes
                  @@ -4699,12 +4711,6 @@ If you disable, or do not configure this policy, all sites are opened using the > Microsoft Edge Stable Channel must be installed for this policy to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4742,28 +4748,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -4788,12 +4800,6 @@ If you enable this policy setting, the user cannot continue browsing. If you disable or do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4813,28 +4819,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -4863,12 +4875,6 @@ If you disable this policy setting, InPrivate Browsing is available for use. If you do not configure this policy setting, InPrivate Browsing can be turned on or off through the registry. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4888,28 +4894,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -4938,12 +4950,6 @@ If you disable this policy setting, Internet Explorer 11 will use 32-bit tab pro If you don't configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4963,28 +4969,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -5009,12 +5021,6 @@ If you enable this policy setting, the user will not be able to configure proxy If you disable or do not configure this policy setting, the user can configure proxy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5034,28 +5040,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -5080,12 +5092,6 @@ If you enable this policy setting, the user cannot change the default search pro If you disable or do not configure this policy setting, the user can change the default search provider. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5105,28 +5111,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -5153,12 +5165,6 @@ If you disable or do not configure this policy setting, the user can add seconda Note: If the “Disable Changing Home Page Settings” policy is enabled, the user cannot add secondary home pages. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5178,28 +5184,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -5224,12 +5236,6 @@ If you enable this policy setting, the feature is turned off. If you disable or do not configure this policy setting, the feature is turned on. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5249,28 +5255,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -5296,12 +5308,6 @@ If you disable this policy or do not configure it, Internet Explorer checks ever This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5321,28 +5327,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -5369,12 +5381,6 @@ If you disable this policy setting, users are suggested matches when entering We If you do not configure this policy setting, users can choose to turn the auto-complete setting for web-addresses on or off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5405,28 +5411,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -5455,12 +5467,6 @@ If you enable this policy setting, Internet Explorer will not give the user the If you disable or do not configure this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regular Protected Mode. This is the default behavior. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5480,28 +5486,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -5531,12 +5543,6 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Ad Also, see the "Security zones: Use only machine settings" policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5556,28 +5562,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -5607,12 +5619,6 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Adm Also, see the "Security zones: Use only machine settings" policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5632,28 +5638,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -5680,12 +5692,6 @@ If you disable or don't configure this policy setting, Internet Explorer continu For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5705,28 +5711,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -5757,12 +5769,6 @@ If you disable or don't configure this policy setting, the list is deleted and I For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5782,28 +5788,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -5830,12 +5842,6 @@ If you disable this policy setting, local sites which are not explicitly mapped If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5855,28 +5861,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -5903,12 +5915,6 @@ If you disable this policy setting, network paths are not necessarily mapped int If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5928,28 +5934,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -5976,12 +5988,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6001,28 +6007,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -6049,12 +6061,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6074,28 +6080,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -6120,12 +6132,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6145,28 +6151,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -6195,12 +6207,6 @@ If you disable this policy setting, a script cannot perform a clipboard operatio If you do not configure this policy setting, a script can perform a clipboard operation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6220,28 +6226,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -6268,12 +6280,6 @@ If you disable this policy setting, users are prevented from dragging files or c If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6293,28 +6299,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -6341,12 +6353,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6366,28 +6372,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -6414,12 +6426,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6439,28 +6445,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -6487,12 +6499,6 @@ If you disable this policy setting, XAML files are not loaded inside Internet Ex If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6512,28 +6518,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -6560,12 +6572,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6585,28 +6591,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -6631,12 +6643,6 @@ If you enable this policy setting, the user is prompted before ActiveX controls If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6656,28 +6662,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -6702,12 +6714,6 @@ If you enable this policy setting, the TDC ActiveX control will not run from web If you disable this policy setting, the TDC Active X control will run from all sites in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6727,28 +6733,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -6775,12 +6787,6 @@ If you disable this policy setting, the possible harmful actions contained in sc If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6800,28 +6806,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -6848,12 +6860,6 @@ If you disable this policy setting, script access to the WebBrowser control is n If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6873,28 +6879,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -6921,12 +6933,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6946,28 +6952,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -6996,12 +7008,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7021,28 +7027,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -7067,12 +7079,6 @@ If you enable this policy setting, script is allowed to update the status bar. If you disable or do not configure this policy setting, script is not allowed to update the status bar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7092,28 +7098,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -7140,12 +7152,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7165,28 +7171,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -7215,12 +7227,6 @@ If you selected Disable in the drop-down box, VBScript is prevented from running If you do not configure or disable this policy setting, VBScript is prevented from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7240,28 +7246,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -7288,12 +7300,6 @@ If you disable this policy setting, Internet Explorer always checks with your an If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7313,28 +7319,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -7361,12 +7373,6 @@ If you disable the policy setting, signed controls cannot be downloaded. If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7386,28 +7392,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -7434,12 +7446,6 @@ If you disable this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7459,28 +7465,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -7505,12 +7517,6 @@ If you enable this policy setting, the XSS Filter is turned on for sites in this If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7530,28 +7536,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -7580,12 +7592,6 @@ In Internet Explorer 10, if you disable this policy setting or do not configure In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7605,28 +7611,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -7655,12 +7667,6 @@ In Internet Explorer 10, if you disable this policy setting or do not configure In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7680,28 +7686,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -7728,12 +7740,6 @@ If you disable this policy setting, the actions that may be harmful cannot run; If you do not configure this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7753,28 +7759,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -7801,12 +7813,6 @@ If you disable this policy setting, Protected Mode is turned off. The user canno If you do not configure this policy setting, the user can turn on or turn off Protected Mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7826,28 +7832,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -7874,12 +7886,6 @@ If you disable this policy setting, path information is removed when the user is If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7899,28 +7905,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -7949,12 +7961,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7974,28 +7980,34 @@ ADMX Info: - - + + + - + + - + + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Business
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -8015,28 +8027,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -8069,12 +8087,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to High Safety. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8094,28 +8106,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -8142,12 +8160,6 @@ If you disable this policy setting, users are prevented from running application If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8167,28 +8179,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -8223,12 +8241,6 @@ If you disable this policy setting, logon is set to Automatic logon only in Intr If you do not configure this policy setting, logon is set to Automatic logon only in Intranet zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8248,28 +8260,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -8296,12 +8314,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8321,28 +8333,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -8369,12 +8387,6 @@ If you disable this policy setting, Internet Explorer will not execute signed ma If you do not configure this policy setting, Internet Explorer will execute signed managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8394,28 +8406,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -8442,12 +8460,6 @@ If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8467,28 +8479,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -8515,12 +8533,6 @@ If you disable this policy setting, pop-up windows are not prevented from appear If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8540,28 +8552,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -8588,12 +8606,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8613,28 +8625,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -8661,12 +8679,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8686,28 +8698,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -8732,12 +8750,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8757,28 +8769,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -8805,12 +8823,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8830,28 +8842,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -8878,12 +8896,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8903,28 +8915,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -8951,12 +8969,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8976,28 +8988,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -9024,12 +9042,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9049,28 +9061,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -9099,12 +9117,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9124,28 +9136,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -9172,12 +9190,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9197,28 +9209,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -9245,12 +9263,6 @@ If you disable this policy setting, Internet Explorer always checks with your an If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9270,28 +9282,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -9320,12 +9338,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9345,28 +9357,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -9399,12 +9417,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to Medium Safety. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9424,28 +9436,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -9472,12 +9490,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9497,28 +9509,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark7YesYes
                  Businesscheck mark7YesYes
                  Enterprisecheck mark7YesYes
                  Educationcheck mark7YesYes
                  @@ -9553,12 +9571,6 @@ Related policies: For more information on how to use this policy together with other related policies to create the optimal configuration for your organization, see [https://go.microsoft.com/fwlink/?linkid=2094210.](/DeployEdge/edge-ie-mode-policies#configure-internet-explorer-integration) -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9596,28 +9608,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -9644,12 +9662,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9669,28 +9681,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -9717,12 +9735,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9742,28 +9754,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -9788,12 +9806,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9813,28 +9825,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -9861,12 +9879,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9886,28 +9898,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -9934,12 +9952,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9959,28 +9971,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -10007,12 +10025,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10032,28 +10044,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -10080,12 +10098,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10105,28 +10117,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -10155,12 +10173,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10180,28 +10192,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -10228,12 +10246,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10253,28 +10265,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -10301,12 +10319,6 @@ If you disable this policy setting, Internet Explorer always checks with your an If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10326,28 +10338,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -10376,12 +10394,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10401,28 +10413,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -10455,12 +10473,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to Medium Safety. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10480,28 +10492,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -10528,12 +10546,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10553,28 +10565,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -10601,12 +10619,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10626,28 +10638,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -10674,12 +10692,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10699,28 +10711,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -10745,12 +10763,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10770,28 +10782,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -10818,12 +10836,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10843,28 +10855,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -10891,12 +10909,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10916,28 +10928,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -10964,12 +10982,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10989,28 +11001,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -11037,12 +11055,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11062,28 +11074,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -11112,12 +11130,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11137,28 +11149,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -11185,12 +11203,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11210,28 +11222,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -11260,12 +11278,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11285,28 +11297,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -11339,12 +11357,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11364,28 +11376,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -11412,12 +11430,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11437,28 +11449,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -11491,12 +11509,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11516,28 +11528,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -11564,12 +11582,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11589,28 +11601,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -11637,12 +11655,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11662,28 +11674,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -11708,12 +11726,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11733,28 +11745,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -11781,12 +11799,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11806,28 +11818,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -11854,12 +11872,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11879,28 +11891,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -11927,12 +11945,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11952,28 +11964,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -12000,12 +12018,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12025,28 +12037,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -12075,12 +12093,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12100,28 +12112,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -12148,12 +12166,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12173,28 +12185,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -12223,12 +12241,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12248,28 +12260,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -12296,12 +12314,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12321,28 +12333,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -12369,12 +12387,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12394,28 +12406,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -12442,12 +12460,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12467,28 +12479,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -12513,12 +12531,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12538,28 +12550,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -12586,12 +12604,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12611,28 +12623,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -12659,12 +12677,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12684,28 +12696,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -12732,12 +12750,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12757,28 +12769,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -12805,12 +12823,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12830,28 +12842,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -12880,12 +12898,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12905,28 +12917,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -12953,12 +12971,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12978,28 +12990,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -13028,12 +13046,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13053,28 +13065,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -13107,12 +13125,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13132,28 +13144,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -13180,12 +13198,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13205,28 +13217,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -13253,12 +13271,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13278,28 +13290,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -13326,12 +13344,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13351,28 +13363,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -13397,12 +13415,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13422,28 +13434,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -13470,12 +13488,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13495,28 +13507,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -13543,12 +13561,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13568,28 +13580,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -13616,12 +13634,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13641,28 +13653,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -13689,12 +13707,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13714,28 +13726,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -13764,12 +13782,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13789,28 +13801,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -13837,12 +13855,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13862,28 +13874,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -13912,12 +13930,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13937,28 +13949,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -13991,12 +14009,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14016,28 +14028,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -14064,12 +14082,6 @@ If you disable this policy setting, users cannot open other windows and frames f If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14089,28 +14101,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -14137,12 +14155,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14162,28 +14174,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -14210,12 +14228,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14235,28 +14247,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -14281,12 +14299,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14306,28 +14318,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -14354,12 +14372,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14379,28 +14391,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -14427,12 +14445,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14452,28 +14464,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -14500,12 +14518,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14525,28 +14537,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -14573,12 +14591,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14598,28 +14610,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -14648,12 +14666,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14673,28 +14685,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -14721,12 +14739,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14746,28 +14758,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -14796,12 +14814,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14821,28 +14833,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -14875,12 +14893,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14900,28 +14912,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -14948,12 +14966,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14973,28 +14985,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -15021,12 +15039,6 @@ If you disable this policy setting, applications can use the MK protocol API. Re If you do not configure this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15046,28 +15058,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -15094,12 +15112,6 @@ If you disable this policy setting, Internet Explorer processes will allow a MIM If you do not configure this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15119,28 +15131,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -15165,12 +15183,6 @@ If you enable this policy setting, you can choose which page to display when the If you disable or do not configure this policy setting, users can select their preference for this behavior. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15204,28 +15216,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -15252,12 +15270,6 @@ If you disable this policy setting, the Notification bar will not be displayed f If you do not configure this policy setting, the Notification bar will be displayed for Internet Explorer Processes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15277,28 +15289,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -15323,12 +15341,6 @@ If you enable this policy setting, the user is not prompted to turn on Windows D If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on Windows Defender SmartScreen during the first-run experience. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15348,28 +15360,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -15394,12 +15412,6 @@ If you enable this policy setting, ActiveX controls cannot be installed on a per If you disable or do not configure this policy setting, ActiveX controls can be installed on a per-user basis. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15419,28 +15431,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -15467,12 +15485,6 @@ If you disable this policy setting, no zone receives such protection for Interne If you do not configure this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15492,28 +15504,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -15540,12 +15558,6 @@ If you disable or don't configure this policy setting, users will see the "Run t For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15565,28 +15577,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -15613,12 +15631,6 @@ If you disable this policy setting, prompting for ActiveX control installations If you do not configure this policy setting, the user's preference will be used to determine whether to block ActiveX control installations for Internet Explorer processes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15638,28 +15650,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -15686,12 +15704,6 @@ If you disable this policy setting, prompting will occur for file downloads that If you do not configure this policy setting, the user's preference determines whether to prompt for file downloads that are not user initiated for Internet Explorer processes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15711,28 +15723,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -15759,12 +15777,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15784,28 +15796,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -15832,12 +15850,6 @@ If you disable this policy setting, script code on pages in the zone is prevente If you do not configure this policy setting, script code on pages in the zone is prevented from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15857,28 +15869,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -15905,12 +15923,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15930,28 +15942,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -15976,12 +15994,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16001,28 +16013,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -16049,12 +16067,6 @@ If you disable this policy setting, binary and script behaviors are not availabl If you do not configure this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16074,28 +16086,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -16124,12 +16142,6 @@ If you disable this policy setting, a script cannot perform a clipboard operatio If you do not configure this policy setting, a script cannot perform a clipboard operation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16149,28 +16161,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -16197,12 +16215,6 @@ If you disable this policy setting, users are prevented from dragging files or c If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16222,28 +16234,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -16270,12 +16288,6 @@ If you disable this policy setting, files are prevented from being downloaded fr If you do not configure this policy setting, files are prevented from being downloaded from the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16295,28 +16307,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -16343,12 +16361,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16368,28 +16380,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -16416,12 +16434,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16441,28 +16453,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -16489,12 +16507,6 @@ If you disable this policy setting, XAML files are not loaded inside Internet Ex If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16514,28 +16526,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -16562,12 +16580,6 @@ If you disable this policy setting, a user's browser that loads a page containin If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16587,28 +16599,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -16635,12 +16653,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16660,28 +16672,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -16706,12 +16724,6 @@ If you enable this policy setting, the user is prompted before ActiveX controls If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16731,28 +16743,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -16777,12 +16795,6 @@ If you enable this policy setting, the TDC ActiveX control will not run from web If you disable this policy setting, the TDC Active X control will run from all sites in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16802,28 +16814,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -16850,12 +16868,6 @@ If you disable this policy setting, the possible harmful actions contained in sc If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16875,28 +16887,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -16923,12 +16941,6 @@ If you disable this policy setting, script access to the WebBrowser control is n If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16948,28 +16960,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -16996,12 +17014,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17021,28 +17033,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -17071,12 +17089,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17096,28 +17108,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -17142,12 +17160,6 @@ If you enable this policy setting, script is allowed to update the status bar. If you disable or do not configure this policy setting, script is not allowed to update the status bar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17167,28 +17179,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -17215,12 +17233,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17240,28 +17252,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -17290,12 +17308,6 @@ If you selected Disable in the drop-down box, VBScript is prevented from running If you do not configure or disable this policy setting, VBScript is prevented from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17315,28 +17327,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -17363,12 +17381,6 @@ If you disable this policy setting, Internet Explorer always checks with your an If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17388,28 +17400,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -17436,12 +17454,6 @@ If you disable the policy setting, signed controls cannot be downloaded. If you do not configure this policy setting, signed controls cannot be downloaded. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17461,28 +17473,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -17509,12 +17527,6 @@ If you disable this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17534,28 +17546,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -17580,12 +17598,6 @@ If you enable this policy setting, the XSS Filter is turned on for sites in this If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17605,28 +17617,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -17655,12 +17673,6 @@ In Internet Explorer 10, if you disable this policy setting or do not configure In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17680,28 +17692,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -17730,12 +17748,6 @@ In Internet Explorer 10, if you disable this policy setting or do not configure In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17755,28 +17767,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -17803,12 +17821,6 @@ If you disable this policy setting, the actions that may be harmful cannot run; If you do not configure this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17828,28 +17840,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -17876,12 +17894,6 @@ If you disable this policy setting, path information is removed when the user is If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17901,28 +17913,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -17951,12 +17969,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17976,28 +17988,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -18030,12 +18048,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18055,28 +18067,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -18103,12 +18121,6 @@ If you disable this policy setting, users are prevented from running application If you do not configure this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18128,28 +18140,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -18184,12 +18202,6 @@ If you disable this policy setting, logon is set to Automatic logon only in Intr If you do not configure this policy setting, logon is set to Prompt for username and password. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18209,28 +18221,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -18257,12 +18275,6 @@ If you disable this policy setting, users cannot open other windows and frames f If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18282,28 +18294,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -18332,12 +18350,6 @@ If you disable this policy setting, controls and plug-ins are prevented from run If you do not configure this policy setting, controls and plug-ins are prevented from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18357,28 +18369,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -18405,12 +18423,6 @@ If you disable this policy setting, Internet Explorer will not execute signed ma If you do not configure this policy setting, Internet Explorer will not execute signed managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18430,28 +18442,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -18480,12 +18498,6 @@ If you disable this policy setting, script interaction is prevented from occurri If you do not configure this policy setting, script interaction is prevented from occurring. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18505,28 +18517,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -18555,12 +18573,6 @@ If you disable this policy setting, scripts are prevented from accessing applets If you do not configure this policy setting, scripts are prevented from accessing applets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18580,28 +18592,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -18628,12 +18646,6 @@ If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18653,28 +18665,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -18701,12 +18719,6 @@ If you disable this policy setting, Protected Mode is turned off. The user canno If you do not configure this policy setting, the user can turn on or turn off Protected Mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18726,28 +18738,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -18774,12 +18792,6 @@ If you disable this policy setting, pop-up windows are not prevented from appear If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18799,28 +18811,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -18847,12 +18865,6 @@ If you disable this policy setting, scripts can continue to create popup windows If you do not configure this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18872,28 +18884,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -18918,12 +18936,6 @@ If you enable this policy setting, the user cannot configure the list of search If you disable or do not configure this policy setting, the user can configure his or her list of search providers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18943,28 +18955,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -18992,12 +19010,6 @@ This policy is intended to ensure that security zone settings apply uniformly to Also, see the "Security zones: Do not allow users to change policies" policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19017,28 +19029,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark7YesYes
                  Businesscheck mark7YesYes
                  Enterprisecheck mark7YesYes
                  Educationcheck mark7YesYes
                  @@ -19066,12 +19084,6 @@ If you disable, or not configure this setting, then it opens all sites based on > If you have also enabled the [InternetExplorer/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) policy setting, then all intranet sites will continue to open in Internet Explorer 11. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19111,28 +19123,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -19157,12 +19175,6 @@ If you enable this policy setting, ActiveX controls are installed only if the Ac If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, are installed through the standard installation process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19182,28 +19194,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -19230,12 +19248,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19255,28 +19267,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -19303,12 +19321,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19328,28 +19340,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -19374,12 +19392,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19399,28 +19411,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -19447,12 +19465,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19472,28 +19484,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -19520,12 +19538,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19545,28 +19557,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -19593,12 +19611,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19618,28 +19630,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -19666,12 +19684,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19691,28 +19703,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -19741,12 +19759,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19766,28 +19778,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -19814,12 +19832,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19839,28 +19851,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -19887,12 +19905,6 @@ If you disable this policy setting, Internet Explorer always checks with your an If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19912,28 +19924,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -19962,12 +19980,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19987,28 +19999,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -20041,12 +20059,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to Low Safety. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -20066,28 +20078,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -20114,12 +20132,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -20132,15 +20144,4 @@ ADMX Info:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 863153876a..d51018a42a 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -44,6 +44,13 @@ manager: dansimp
                  +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
                  @@ -104,12 +111,6 @@ If you enable this policy setting, the Kerberos client searches the forests in t If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: 
@@ -179,12 +180,6 @@ If you enable this policy setting, the client computers will request claims, pro If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: 
@@ -263,12 +258,6 @@ If you disable or do not configure this policy, each algorithm will assume the * More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found https://go.microsoft.com/fwlink/?linkid=2169037. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -344,12 +333,6 @@ If you enable this policy setting, the client computers in the domain enforce th If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: 
@@ -420,12 +403,6 @@ If you enable this policy setting, the Kerberos client requires that the KDC's X If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: 
@@ -501,12 +478,6 @@ If you disable or do not configure this policy setting, the Kerberos client or s > This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -587,16 +558,5 @@ Devices joined to Azure Active Directory in a hybrid environment need to interac
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index b7c4328ba0..76dcd8f06b 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -57,28 +57,34 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -95,7 +101,7 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic -Added in Windows 10, version 1803. List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. +List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -111,28 +117,34 @@ Added in Windows 10, version 1803. List of exceptions to the blocked website URL - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -149,7 +161,7 @@ Added in Windows 10, version 1803. List of exceptions to the blocked website URL -Added in Windows 10, version 1803. List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. +List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -165,28 +177,34 @@ Added in Windows 10, version 1803. List of blocked website URLs (with wildcard s - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -203,7 +221,7 @@ Added in Windows 10, version 1803. List of blocked website URLs (with wildcard s -Added in Windows 10, version 1803. Configures the default URL kiosk browsers to navigate on launch and restart. +Configures the default URL kiosk browsers to navigate on launch and restart. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -219,28 +237,34 @@ Added in Windows 10, version 1803. Configures the default URL kiosk browsers to - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -270,28 +294,34 @@ Shows the Kiosk Browser's end session button. When the policy is enabled, the Ki - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -308,7 +338,7 @@ Shows the Kiosk Browser's end session button. When the policy is enabled, the Ki -Added in Windows 10, version 1803. Enable/disable kiosk browser's home button. +Enable/disable kiosk browser's home button. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -324,28 +354,34 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's home button. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -362,7 +398,7 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's home button. -Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation buttons (forward/back). +Enable/disable kiosk browser's navigation buttons (forward/back). > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -378,28 +414,34 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation but - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -416,7 +458,7 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation but -Added in Windows 10, version 1803. Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. +Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. @@ -427,15 +469,4 @@ The value is an int 1-1440 that specifies the amount of minutes the session is i
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md index f7c4cf4015..fd3a136e36 100644 --- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -74,7 +80,7 @@ manager: dansimp -Added in Windows 10, version 1803. This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. +This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons. @@ -98,16 +104,5 @@ This setting supports a range of values between 0 and 1.
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md index 3bc05c7260..518cd8ad84 100644 --- a/windows/client-management/mdm/policy-csp-licensing.md +++ b/windows/client-management/mdm/policy-csp-licensing.md @@ -39,28 +39,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -77,7 +83,7 @@ manager: dansimp -Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices. +Enables or Disable Windows license reactivation on managed devices. @@ -105,28 +111,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -143,7 +155,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. +Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. @@ -164,16 +176,6 @@ The following list shows the supported values:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 1c0cdcacb8..3be3903b4b 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -5,16 +5,15 @@ ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman +author: dansimp ms.localizationpriority: medium -ms.date: 05/02/2021 +ms.date: 09/29/2021 ms.reviewer: manager: dansimp --- # Policy CSP - LocalPoliciesSecurityOptions -
                  @@ -164,11 +163,10 @@ manager: dansimp
                  -
                  > [!NOTE] -> To find data formats (and other policy-related details), see [Policy DDF file](./policy-ddf-file.md). +> To find data formats (and other policy-related details), see [Policy DDF file](./policy-ddf-file.md). **LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts** @@ -304,9 +302,8 @@ This security setting determines whether local accounts that are not password pr Default: Enabled. -Warning: - -Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. +> [!WARNING] +> Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. This setting does not affect logons that use domain accounts. 
@@ -524,9 +521,8 @@ Devices: Allow undock without having to log on. This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. Default: Enabled. -Caution: - -Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. +> [!CAUTION] +> Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. @@ -666,7 +662,7 @@ For a computer to print to a shared printer, the driver for that shared printer Default on servers: Enabled. Default on workstations: Disabled ->[!Note] +>[!NOTE] >This setting does not affect the ability to add a local printer. This setting does not affect Administrators. 
@@ -1413,14 +1409,14 @@ If this setting is enabled, the Microsoft network client will not communicate wi
 Default: Disabled.
->[!Note]
->All Windows operating systems support both a client-side SMB component and a server-side SMB component.Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
->- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
->- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
->- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
->- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+> [!Note]
+> All Windows operating systems support both a client-side SMB component and a server-side SMB component.Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
 >
->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing).
+> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing).
@@ -1493,16 +1489,16 @@ If this setting is enabled, the Microsoft network client will ask the server to
 Default: Enabled.
->[!Note]
->All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
->- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
->- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
->- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
->- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
->If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted.
+> [!Note]
+> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+> If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted.
 >
->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
-For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing).
+> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
+> For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing).
@@ -1728,16 +1724,16 @@ If this setting is enabled, the Microsoft network server will not communicate wi
 Default: Disabled for member servers. Enabled for domain controllers.
->[!Note]
->All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
->- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
->- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
->- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
->- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+> [!NOTE]
+> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
 >
->Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
->If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled.
->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing).
+> Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
+> If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled.
+> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing).
@@ -1810,15 +1806,15 @@ If this setting is enabled, the Microsoft network server will negotiate SMB pack Default: Enabled on domain controllers only. ->[!Note] +> [!NOTE] > All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: ->- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. ->- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. ->- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. ->- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. ->If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. +> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. 
> ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. +> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1896,8 +1892,8 @@ Disabled: No additional restrictions. Rely on default permissions. Default on workstations: Enabled. Default on server:Enabled. ->[!Important] ->This policy has no impact on domain controllers. +> [!IMPORTANT] +> This policy has no impact on domain controllers. @@ -3189,8 +3185,9 @@ This policy setting controls the behavior of the elevation prompt for administra The options are: - 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. - > [!NOTE] - > Use this option only in the most constrained environments. + + > [!NOTE] + > Use this option only in the most constrained environments. - 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. 
@@ -3565,8 +3562,10 @@ This policy setting controls the behavior of all User Account Control (UAC) poli The options are: - 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. - > [!NOTE] - > If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. + + > [!NOTE] + > If this policy setting is disabled, Windows Security notifies you that the overall security of the operating system has been reduced. + - 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. @@ -3798,15 +3797,5 @@ The following list shows the supported values:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 5f21ba8658..523f62fb82 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -34,28 +34,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark9YesYes
                  Businesscheck mark9YesYes
                  Enterprisecheck mark9YesYes
                  Educationcheck mark9YesYes
                  @@ -72,7 +78,7 @@ manager: dansimp -Available in Windows 10, version 20H2. This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device. +This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device. > [!NOTE] > The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or AAD groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove. @@ -313,8 +319,5 @@ To troubleshoot Name/SID lookup APIs: ``` -Footnotes: - -Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md index 774ac1a21f..3300c86079 100644 --- a/windows/client-management/mdm/policy-csp-lockdown.md +++ b/windows/client-management/mdm/policy-csp-lockdown.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - LockDown -
                  @@ -36,28 +35,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -74,7 +79,7 @@ manager: dansimp -Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch. +Allows the user to invoke any system user interface by swiping in from any screen edge using touch. The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled. @@ -97,16 +102,5 @@ The following list shows the supported values:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md index ce0ddd9868..5804cac072 100644 --- a/windows/client-management/mdm/policy-csp-maps.md +++ b/windows/client-management/mdm/policy-csp-maps.md @@ -39,28 +39,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -77,7 +83,7 @@ manager: dansimp -Added in Windows 10, version 1607. Allows the download and update of map data over metered connections. +Allows the download and update of map data over metered connections. After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. @@ -100,28 +106,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -138,7 +150,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Disables the automatic download and update of map data. +Disables the automatic download and update of map data. After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. @@ -162,16 +174,5 @@ The following list shows the supported values:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md index 8b8b95188e..76a0d00b63 100644 --- a/windows/client-management/mdm/policy-csp-messaging.md +++ b/windows/client-management/mdm/policy-csp-messaging.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscross markNoNo
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -74,7 +80,7 @@ manager: dansimp -Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control. +Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control. @@ -96,16 +102,5 @@ The following list shows the supported values:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 7f7e8ae961..d08161c676 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -7,15 +7,12 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 10/06/2020 +ms.date: 10/12/2021 ms.reviewer: manager: dansimp --- # Policy CSP - MixedReality -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
                  @@ -26,6 +23,9 @@ manager: dansimp
                  MixedReality/AADGroupMembershipCacheValidityInDays
                  +
                  + MixedReality/AutoLogonUser +
                  MixedReality/BrightnessButtonDisabled
                  @@ -53,28 +53,28 @@ manager: dansimp HoloLens (1st gen) Development Edition - cross mark + ❌ HoloLens (1st gen) Commercial Suite - cross mark + ❌ HoloLens 2 - check mark9 + ✔️ Steps to use this policy correctly: 1. Create a device configuration profile for kiosk targeting Azure AD groups and assign it to HoloLens device(s). -1. Create a custom OMA URI based device configuration that sets this policy value to desired number of days (> 0) and assign it to HoloLens device(s). +1. Create a custom OMA URI-based device configuration that sets this policy value to chosen number of days (> 0) and assign it to HoloLens devices. 1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays 1. The value can be between min / max allowed. 1. Enroll HoloLens devices and verify both configurations get applied to the device. 1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created. 1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days. -1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point here is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted. +1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point is that any Azure AD user must sign in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted. > [!NOTE] > Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments. @@ -82,6 +82,50 @@ Steps to use this policy correctly:
                  + +**MixedReality/AutoLogonUser** + + + + + + + + + + + + + + + + + + + +
                  Windows EditionSupported?
                  HoloLens (1st gen) Development Edition
                  HoloLens (1st gen) Commercial Suite
                  HoloLens 2✔️
+
+
+This new AutoLogonUser policy controls whether a user will be automatically logged on. Some customers want to set up devices that are tied to an identity but don't want any sign in experience. Imagine picking up a device and using remote assist immediately. Or have a benefit of being able to rapidly distribute HoloLens devices and enable their end users to speed up login.
+
+When the policy is set to a non-empty value, it specifies the email address of the auto log on user. The specified user must logon to the device at least once to enable autologon.
+
+The OMA-URI of new policy `./Device/Vendor/MSFT/Policy/Config/MixedReality/AutoLogonUser`
+
+
+String value
+- User with the same email address will have autologon enabled.
+
+On a device where this policy is configured, the user specified in the policy will need to log on at least once. Subsequent reboots of the device after the first logon will have the specified user automatically logged on. Only a single autologon user is supported. Once enabled, the automatically logged on user will not be able to log out manually. To log on as a different user, the policy must first be disabled.
+
+> [!NOTE]
+>
+> - Some events such as major OS updates may require the specified user to logon to the device again to resume auto-logon behavior.
+> - Auto-logon is only supported for MSA and AAD users.
+
+
+
                  + [Scope](./policy-configuration-service-provider.md#policy-scope): @@ -117,15 +161,15 @@ Supported values are 0-60. The default value is 0 (day) and maximum value is 60 HoloLens (1st gen) Development Edition - cross mark + ❌ HoloLens (1st gen) Commercial Suite - cross mark + ❌ HoloLens 2 - check mark9 + ✔️ @@ -170,15 +214,15 @@ The following list shows the supported values: HoloLens (1st gen) Development Edition - cross mark + ❌ HoloLens (1st gen) Commercial Suite - cross mark + ❌ HoloLens 2 - check mark9 + ✔️ @@ -224,15 +268,15 @@ The following list shows the supported values: HoloLens (1st gen) Development Edition - cross mark + ❌ HoloLens (1st gen) Commercial Suite - cross mark + ❌ HoloLens 2 - check mark9 + ✔️ @@ -277,15 +321,15 @@ The following list shows the supported values: HoloLens (1st gen) Development Edition - cross mark + ❌ HoloLens (1st gen) Commercial Suite - cross mark + ❌ HoloLens 2 - check mark9 + ✔️ @@ -319,9 +363,4 @@ The following list shows the supported values:
                  -Footnotes: - -- 9 - Available in Windows 10, version 20H2. - - diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md index d464f4c063..0cbb8cd1b3 100644 --- a/windows/client-management/mdm/policy-csp-mssecurityguide.md +++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md @@ -42,6 +42,12 @@ manager: dansimp
+> [!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -51,28 +57,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -91,12 +103,6 @@ manager: dansimp -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -114,28 +120,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -154,12 +166,7 @@ ADMX Info: -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -177,28 +184,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -217,12 +230,7 @@ ADMX Info: -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -240,28 +248,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -280,12 +294,7 @@ ADMX Info: -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -303,28 +312,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -343,12 +358,6 @@ ADMX Info: -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -366,28 +375,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -406,12 +421,6 @@ ADMX Info: -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -422,16 +431,6 @@ ADMX Info:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md index d4a5030052..00d3582526 100644 --- a/windows/client-management/mdm/policy-csp-msslegacy.md +++ b/windows/client-management/mdm/policy-csp-msslegacy.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - MSSLegacy -
                  @@ -36,6 +35,12 @@ manager: dansimp
+> [!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -45,28 +50,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -85,12 +96,6 @@ manager: dansimp -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -108,28 +113,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -148,12 +159,7 @@ ADMX Info: -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -171,28 +177,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -211,12 +223,6 @@ ADMX Info: -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -234,28 +240,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -274,12 +286,6 @@ ADMX Info: -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -290,16 +296,7 @@ ADMX Info:
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-multitasking.md b/windows/client-management/mdm/policy-csp-multitasking.md index 9c58b25ef3..1fd89a2f03 100644 --- a/windows/client-management/mdm/policy-csp-multitasking.md +++ b/windows/client-management/mdm/policy-csp-multitasking.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - Multitasking -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
                  @@ -37,28 +34,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark9YesYes
                  Businesscheck mark9YesYes
                  Enterprisecheck mark9YesYes
                  Educationcheck mark9YesYes
                  @@ -115,17 +118,5 @@ The following list shows the supported values:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. -- 9 - Available in Windows 10, version 20H2. - diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md index 8646c8830d..922e55784c 100644 --- a/windows/client-management/mdm/policy-csp-networkisolation.md +++ b/windows/client-management/mdm/policy-csp-networkisolation.md @@ -57,28 +57,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -117,28 +123,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -190,28 +202,34 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -249,28 +267,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -309,28 +333,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -370,28 +400,34 @@ Here are the steps to create canonical domain names: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -430,28 +466,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -489,28 +531,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -542,15 +590,5 @@ ADMX Info:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md index 9bbe04d477..955af06501 100644 --- a/windows/client-management/mdm/policy-csp-networklistmanager.md +++ b/windows/client-management/mdm/policy-csp-networklistmanager.md @@ -38,28 +38,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markNoNo
                  Businesscheck markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -89,28 +95,34 @@ This policy setting provides the list of URLs (separated by Unicode character 0x - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markNoNo
                  Businesscheck markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index b9cb69c43d..643ef3e681 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -42,28 +42,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -80,7 +86,7 @@ manager: dansimp -Added in Windows 10, version 1803. This policy setting blocks applications from using the network to send tile, badge, toast, and raw notifications. Specifically, this policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to use [periodic (polling) notifications](/windows/uwp/design/shell/tiles-and-notifications/periodic-notification-overview). +This policy setting blocks applications from using the network to send tile, badge, toast, and raw notifications. Specifically, this policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to use [periodic (polling) notifications](/windows/uwp/design/shell/tiles-and-notifications/periodic-notification-overview). If you enable this policy setting, applications and system features will not be able receive notifications from the network from WNS or via notification polling APIs. @@ -123,28 +129,34 @@ Validation: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -161,7 +173,7 @@ Validation: -Added in Windows 10, version 1607. Boolean value that turns off notification mirroring. +Boolean value that turns off notification mirroring. For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page. @@ -193,28 +205,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -231,7 +249,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. This policy setting turns off tile notifications. +This policy setting turns off tile notifications. If you enable this policy setting, applications and system features will not be able to update their tiles and tile badges in the Start screen. @@ -262,15 +280,5 @@ Validation:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index c9c793a619..367d969417 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -90,6 +90,13 @@ manager: dansimp
+> [!TIP]
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
                  @@ -99,28 +106,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -144,12 +157,6 @@ If you enable or do not configure this policy setting, Windows uses standby stat If you disable this policy setting, standby states (S1-S3) are not allowed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -169,28 +176,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -214,12 +227,6 @@ If you enable or do not configure this policy setting, Windows uses standby stat If you disable this policy setting, standby states (S1-S3) are not allowed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -239,28 +246,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -277,7 +290,7 @@ ADMX Info: -Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows turns off the display. +This policy setting allows you to specify the period of inactivity before Windows turns off the display. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. @@ -286,12 +299,6 @@ If you disable or do not configure this policy setting, users control this setti If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -311,28 +318,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -349,7 +362,7 @@ ADMX Info: -Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows turns off the display. +This policy setting allows you to specify the period of inactivity before Windows turns off the display. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. @@ -358,12 +371,6 @@ If you disable or do not configure this policy setting, users control this setti If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -383,28 +390,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -422,7 +435,7 @@ ADMX Info: -Added in Windows 10, version 1903. This policy setting allows you to specify battery charge level at which Energy Saver is turned on. +This policy setting allows you to specify battery charge level at which Energy Saver is turned on. If you enable this policy setting, you must specify a percentage value that indicates the battery charge level. Energy Saver is automatically turned on at (and below) the specified battery charge level. @@ -457,28 +470,34 @@ Supported values: 0-100. The default is 70. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -495,7 +514,7 @@ Supported values: 0-100. The default is 70. -Added in Windows 10, version 1903. This policy setting allows you to specify battery charge level at which Energy Saver is turned on. +This policy setting allows you to specify battery charge level at which Energy Saver is turned on. If you enable this policy setting, you must provide a percentage value that indicates the battery charge level. Energy Saver is automatically turned on at (and below) the specified battery charge level. @@ -530,28 +549,34 @@ Supported values: 0-100. The default is 70. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -568,7 +593,7 @@ Supported values: 0-100. The default is 70. -Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. +This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. @@ -577,12 +602,6 @@ If you disable or do not configure this policy setting, users control this setti If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -602,28 +621,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -640,7 +665,7 @@ ADMX Info: -Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. +This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. @@ -649,12 +674,7 @@ If you disable or do not configure this policy setting, users control this setti If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -674,28 +694,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -719,12 +745,6 @@ If you enable or do not configure this policy setting, the user is prompted for If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -744,28 +764,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -789,12 +815,6 @@ If you enable or do not configure this policy setting, the user is prompted for If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -814,28 +834,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -852,7 +878,7 @@ ADMX Info: -Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. +This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. If you enable this policy setting, you must select the desired action. @@ -893,28 +919,34 @@ The following are the supported lid close switch actions (on battery): - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -931,7 +963,7 @@ The following are the supported lid close switch actions (on battery): -Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. +This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. If you enable this policy setting, you must select the desired action. @@ -972,28 +1004,34 @@ The following are the supported lid close switch actions (plugged in): - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -1010,7 +1048,7 @@ The following are the supported lid close switch actions (plugged in): -Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Power button. +This policy setting specifies the action that Windows takes when a user presses the Power button. If you enable this policy setting, you must select the desired action. @@ -1051,28 +1089,34 @@ The following are the supported Power button actions (on battery): - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -1089,7 +1133,7 @@ The following are the supported Power button actions (on battery): -Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Power button. +This policy setting specifies the action that Windows takes when a user presses the Power button. If you enable this policy setting, you must select the desired action. @@ -1130,28 +1174,34 @@ The following are the supported Power button actions (plugged in): - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -1168,7 +1218,7 @@ The following are the supported Power button actions (plugged in): -Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Sleep button. +This policy setting specifies the action that Windows takes when a user presses the Sleep button. If you enable this policy setting, you must select the desired action. @@ -1209,28 +1259,34 @@ The following are the supported Sleep button actions (on battery): - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -1247,7 +1303,7 @@ The following are the supported Sleep button actions (on battery): -Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Sleep button. +This policy setting specifies the action that Windows takes when a user presses the Sleep button. If you enable this policy setting, you must select the desired action. @@ -1288,28 +1344,34 @@ The following are the supported Sleep button actions (plugged in): - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -1326,7 +1388,7 @@ The following are the supported Sleep button actions (plugged in): -Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. +This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. @@ -1335,12 +1397,6 @@ If you disable or do not configure this policy setting, users control this setti If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1360,28 +1416,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -1398,7 +1460,7 @@ ADMX Info: -Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. +This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. @@ -1407,12 +1469,6 @@ If you disable or do not configure this policy setting, users control this setti If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1432,28 +1488,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -1470,7 +1532,7 @@ ADMX Info: -Added in Windows 10, version 1903. This policy setting allows you to turn off hybrid sleep. +This policy setting allows you to turn off hybrid sleep. If you set this policy setting to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). @@ -1508,28 +1570,34 @@ The following are the supported values for Hybrid sleep (on battery): - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -1546,7 +1614,7 @@ The following are the supported values for Hybrid sleep (on battery): -Added in Windows 10, version 1903. This policy setting allows you to turn off hybrid sleep. +This policy setting allows you to turn off hybrid sleep. If you set this policy setting to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). @@ -1584,28 +1652,34 @@ The following are the supported values for Hybrid sleep (plugged in): - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -1622,7 +1696,7 @@ The following are the supported values for Hybrid sleep (plugged in): -Added in Windows 10, version 1903. This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. +This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. @@ -1660,28 +1734,34 @@ Default value for unattended sleep timeout (on battery): - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -1698,7 +1778,7 @@ Default value for unattended sleep timeout (on battery): -Added in Windows 10, version 1903. This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. +This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. @@ -1729,17 +1809,6 @@ Default value for unattended sleep timeout (plugged in):
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-- 9 - Available in Windows 10, version 20H2.
diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md
index 90268db913..3902457217 100644
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@@ -33,6 +33,12 @@ manager: dansimp
+> [!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -42,28 +48,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  
@@ -83,29 +95,34 @@ manager: dansimp This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. If you enable this policy setting: --Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. --You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. + +- Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. + +- You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. If you do not configure this policy setting: --Windows Vista client computers can point and print to any server. --Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. --Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. --Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. + +- Windows Vista client computers can point and print to any server. 
+ +- Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. + +- Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. + +- Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. If you disable this policy setting: --Windows Vista client computers can create a printer connection to any server using Point and Print. --Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. --Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. --Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. --The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). + +- Windows Vista client computers can create a printer connection to any server using Point and Print. + +- Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. + +- Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. + +- Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. + +- The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. 
For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -116,8 +133,9 @@ ADMX Info: -Example -``` +Example: + +```xml Name: Point and Print Enable Oma-URI: ./Device/Vendor/MSFT/Policy/Config/Printers/PointAndPrintRestrictions Data type: String Value: @@ -137,28 +155,34 @@ Data type: String Value: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  
@@ -178,30 +202,34 @@ Data type: String Value: This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. If you enable this policy setting: --Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. --You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. + +- Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. + +- You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. If you do not configure this policy setting: --Windows Vista client computers can point and print to any server. --Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. --Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. --Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. + +- Windows Vista client computers can point and print to any server. 
+ +- Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. + +- Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. + +- Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. If you disable this policy setting: --Windows Vista client computers can create a printer connection to any server using Point and Print. --Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. --Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. --Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. --The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). + +- Windows Vista client computers can create a printer connection to any server using Point and Print. + +- Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. + +- Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. + +- Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. + +- The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. 
For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Point and Print Restrictions* @@ -220,28 +248,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -267,12 +301,6 @@ If you disable this setting, this computer's shared printers cannot be published Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory". -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -285,16 +313,5 @@ ADMX Info:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 681623a2d3..2bd04dd32e 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -303,28 +303,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark3YesYes
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -367,28 +373,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark5YesYes
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -405,7 +417,7 @@ The following list shows the supported values: -Added in Windows 10, version 1809. Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. +Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. Most restricted value is 0. @@ -435,28 +447,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -503,28 +521,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -541,7 +565,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Enables or disables the Advertising ID. +Enables or disables the Advertising ID. Most restricted value is 0. @@ -572,28 +596,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark5YesYes
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -647,28 +677,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark3YesYes
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -685,7 +721,7 @@ ADMX Info: -Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed. +Allows IT Admins to allow Apps/OS to publish to the activity feed. @@ -713,28 +749,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -751,7 +793,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Specifies whether Windows apps can access account information. +Specifies whether Windows apps can access account information. Most restricted value is 2. @@ -784,28 +826,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -822,7 +870,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. +List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. @@ -844,28 +892,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -882,7 +936,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. +List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. @@ -904,28 +958,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -942,7 +1002,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. +List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. @@ -964,28 +1024,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecross markNoNo
                  Educationcross markNoNo
                  @@ -1001,8 +1067,7 @@ ADMX Info:
                  - -Added in Windows 10, version 1903. + > [!NOTE] > Currently, this policy is supported only in HoloLens 2. @@ -1038,28 +1103,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecross markNoNo
                  Educationcross markNoNo
                  @@ -1076,7 +1147,6 @@ The following list shows the supported values: -Added in Windows 10, version 1903. > [!NOTE] > Currently, this policy is supported only in HoloLens 2. @@ -1107,28 +1177,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecross markNoNo
                  Educationcross markNoNo
                  @@ -1145,7 +1221,6 @@ ADMX Info: -Added in Windows 10, version 1903. > [!NOTE] > Currently, this policy is supported only in HoloLens 2. @@ -1176,28 +1251,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscross markNoNo
                  Enterprisecross markNoNo
                  Educationcross markNoNo
                  @@ -1213,8 +1294,7 @@ ADMX Info:
                  - -Added in Windows 10, version 1903. + > [!NOTE] > Currently, this policy is supported only in HoloLens 2. @@ -1246,28 +1326,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -1284,7 +1370,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar. +Specifies whether Windows apps can access the calendar. Most restricted value is 2. @@ -1317,28 +1403,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -1355,7 +1447,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. +List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. @@ -1377,28 +1469,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -1415,7 +1513,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. +List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. @@ -1437,28 +1535,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -1475,7 +1579,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. +List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. @@ -1497,28 +1601,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -1535,7 +1645,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can access call history. +Specifies whether Windows apps can access call history. Most restricted value is 2. @@ -1568,28 +1678,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -1606,7 +1722,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. +List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. @@ -1628,28 +1744,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -1666,7 +1788,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. +List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. @@ -1688,28 +1810,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -1726,7 +1854,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. +List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. @@ -1748,28 +1876,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -1786,7 +1920,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera. +Specifies whether Windows apps can access the camera. Most restricted value is 2. @@ -1819,28 +1953,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -1857,7 +1997,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. @@ -1879,28 +2019,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -1917,7 +2063,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. @@ -1939,28 +2085,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -1977,7 +2129,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. @@ -1999,28 +2151,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -2037,7 +2195,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts. +Specifies whether Windows apps can access contacts. Most restricted value is 2. @@ -2070,28 +2228,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -2108,7 +2272,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. @@ -2130,28 +2294,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -2168,7 +2338,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. @@ -2190,28 +2360,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -2228,7 +2404,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. @@ -2250,28 +2426,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -2288,7 +2470,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can access email. +Specifies whether Windows apps can access email. Most restricted value is 2. @@ -2321,28 +2503,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -2359,7 +2547,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. @@ -2381,28 +2569,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -2419,7 +2613,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. @@ -2441,28 +2635,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -2479,7 +2679,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. @@ -2501,28 +2701,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark5YesYes
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -2552,28 +2758,34 @@ This policy setting specifies whether Windows apps can access the eye tracker. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark5YesYes
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -2603,28 +2815,34 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark5YesYes
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -2654,28 +2872,34 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark5YesYes
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -2705,28 +2929,34 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. The use - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -2743,7 +2973,7 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. The use -Added in Windows 10, version 1607. Specifies whether Windows apps can access location. +Specifies whether Windows apps can access location. Most restricted value is 2. @@ -2776,28 +3006,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -2814,7 +3050,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. @@ -2836,28 +3072,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -2874,7 +3116,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. @@ -2896,28 +3138,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -2934,7 +3182,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. @@ -2956,28 +3204,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -2994,7 +3248,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS). +Specifies whether Windows apps can read or send messages (text or MMS). Most restricted value is 2. @@ -3027,28 +3281,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -3065,7 +3325,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. @@ -3087,28 +3347,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -3125,7 +3391,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. @@ -3147,28 +3413,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -3185,7 +3457,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. @@ -3207,28 +3479,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -3245,7 +3523,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone. +Specifies whether Windows apps can access the microphone. Most restricted value is 2. @@ -3278,28 +3556,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -3316,7 +3600,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. @@ -3338,28 +3622,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -3376,7 +3666,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. @@ -3398,28 +3688,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -3436,7 +3732,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. @@ -3458,28 +3754,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -3496,7 +3798,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data. +Specifies whether Windows apps can access motion data. Most restricted value is 2. @@ -3529,28 +3831,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -3567,7 +3875,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. @@ -3589,28 +3897,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -3627,7 +3941,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. @@ -3649,28 +3963,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -3687,7 +4007,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. @@ -3709,28 +4029,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -3747,7 +4073,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications. +Specifies whether Windows apps can access notifications. Most restricted value is 2. @@ -3780,28 +4106,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -3818,7 +4150,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. @@ -3840,28 +4172,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -3878,7 +4216,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. @@ -3900,28 +4238,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -3938,7 +4282,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. @@ -3960,28 +4304,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -3998,7 +4348,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls. +Specifies whether Windows apps can make phone calls. Most restricted value is 2. @@ -4031,28 +4381,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -4069,7 +4425,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. @@ -4091,28 +4447,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -4129,7 +4491,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. @@ -4151,28 +4513,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -4189,7 +4557,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. @@ -4211,28 +4579,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -4249,7 +4623,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios. +Specifies whether Windows apps have access to control radios. Most restricted value is 2. @@ -4282,28 +4656,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -4320,7 +4700,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. @@ -4342,28 +4722,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -4380,7 +4766,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. @@ -4402,28 +4788,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -4440,7 +4832,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. @@ -4462,28 +4854,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark2YesYes
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -4500,7 +4898,7 @@ ADMX Info: -Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. +Specifies whether Windows apps can access tasks. @@ -4522,28 +4920,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark2YesYes
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -4560,7 +4964,7 @@ ADMX Info: -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. @@ -4582,28 +4986,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark2YesYes
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -4620,7 +5030,7 @@ ADMX Info: -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. @@ -4642,28 +5052,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark2YesYes
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -4680,7 +5096,7 @@ ADMX Info: -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. @@ -4702,28 +5118,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -4740,7 +5162,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices. +Specifies whether Windows apps can access trusted devices. Most restricted value is 2. @@ -4773,28 +5195,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -4811,7 +5239,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. @@ -4833,28 +5261,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -4871,7 +5305,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. @@ -4893,28 +5327,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -4931,7 +5371,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. @@ -4953,28 +5393,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark6YesYes
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -5021,28 +5467,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark6YesYes
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -5089,28 +5541,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark2YesYes
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -5127,7 +5585,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. +Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. Most restricted value is 2. @@ -5160,28 +5618,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark2YesYes
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -5198,7 +5662,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. @@ -5220,28 +5684,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark2YesYes
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -5258,7 +5728,7 @@ ADMX Info: -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. @@ -5280,28 +5750,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark2YesYes
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -5318,7 +5794,7 @@ ADMX Info: -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. @@ -5340,28 +5816,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark2YesYes
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -5378,7 +5860,7 @@ ADMX Info: -Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. +Specifies whether Windows apps can run in the background. Most restricted value is 2. @@ -5413,28 +5895,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark2YesYes
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -5451,7 +5939,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. @@ -5473,28 +5961,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark2YesYes
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -5511,7 +6005,7 @@ ADMX Info: -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. @@ -5533,28 +6027,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark2YesYes
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -5571,7 +6071,7 @@ ADMX Info: -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. @@ -5593,28 +6093,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -5631,7 +6137,7 @@ ADMX Info: -Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. +Specifies whether Windows apps can sync with devices. Most restricted value is 2. @@ -5664,28 +6170,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -5702,7 +6214,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -5724,28 +6236,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -5762,7 +6280,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -5784,28 +6302,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark1YesYes
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -5822,7 +6346,7 @@ ADMX Info: -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -5844,28 +6368,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark3YesYes
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -5882,7 +6412,7 @@ ADMX Info: -Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed. +Allows It Admins to enable publishing of user activities to the activity feed. @@ -5910,28 +6440,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark5YesYes
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -5962,16 +6498,5 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md
index a515e2b28f..ae89315829 100644
--- a/windows/client-management/mdm/policy-csp-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-remoteassistance.md
@@ -14,8 +14,6 @@ manager: dansimp
 # Policy CSP - RemoteAssistance
-
-
                  @@ -36,6 +34,12 @@ manager: dansimp
+> [!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -45,28 +49,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -96,12 +106,6 @@ If you disable this policy setting, the user sees the default warning message. If you do not configure this policy setting, the user sees the default warning message. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -121,28 +125,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -168,12 +178,6 @@ If you disable this policy setting, log files are not generated. If you do not configure this setting, application-based settings are used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -193,28 +197,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -248,12 +258,6 @@ The "Select the method for sending email invitations" setting specifies which em If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -273,28 +277,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -351,12 +361,6 @@ Port 135:TCP Allow Remote Desktop Exception -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -369,16 +373,4 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
-
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index a33ad83d33..ca8fb82fd6 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -42,6 +42,12 @@ manager: dansimp
+> [!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -51,28 +57,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -102,12 +114,6 @@ Note: You can limit which clients are able to connect remotely by using Remote D You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -127,28 +133,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -182,12 +194,6 @@ Important FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -207,28 +213,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -256,12 +268,6 @@ If you disable this policy setting, client drive redirection is always allowed. If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -281,28 +287,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -326,12 +338,6 @@ If you enable this setting the password saving checkbox in Remote Desktop Connec If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -351,28 +357,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -402,12 +414,6 @@ If you disable this policy setting, users can always log on to Remote Desktop Se If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -427,28 +433,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -478,12 +490,6 @@ If the status is set to Not Configured, unsecured communication is allowed. Note: The RPC interface is used for administering and configuring Remote Desktop Services. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -496,16 +502,5 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md
index fae950baec..9907ee6993 100644
--- a/windows/client-management/mdm/policy-csp-remotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-remotemanagement.md
@@ -69,6 +69,12 @@ manager: dansimp
+> [!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -78,28 +84,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -123,12 +135,6 @@ If you enable this policy setting, the WinRM client uses Basic authentication. I If you disable or do not configure this policy setting, the WinRM client does not use Basic authentication. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -148,28 +154,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -193,12 +205,6 @@ If you enable this policy setting, the WinRM service accepts Basic authenticatio If you disable or do not configure this policy setting, the WinRM service does not accept Basic authentication from a remote client. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -218,28 +224,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -263,12 +275,6 @@ If you enable this policy setting, the WinRM client uses CredSSP authentication. If you disable or do not configure this policy setting, the WinRM client does not use CredSSP authentication. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -288,28 +294,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -333,12 +345,6 @@ If you enable this policy setting, the WinRM service accepts CredSSP authenticat If you disable or do not configure this policy setting, the WinRM service does not accept CredSSP authentication from a remote client. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -358,28 +364,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -416,12 +428,6 @@ Example IPv4 filters:\n2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22 Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -441,28 +447,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -486,12 +498,6 @@ If you enable this policy setting, the WinRM client sends and receives unencrypt If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -511,28 +517,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -556,12 +568,6 @@ If you enable this policy setting, the WinRM client sends and receives unencrypt If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -581,28 +587,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -626,12 +638,6 @@ If you enable this policy setting, the WinRM client does not use Digest authenti If you disable or do not configure this policy setting, the WinRM client uses Digest authentication. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -651,28 +657,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -696,12 +708,6 @@ If you enable this policy setting, the WinRM client does not use Negotiate authe If you disable or do not configure this policy setting, the WinRM client uses Negotiate authentication. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -721,28 +727,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -766,12 +778,6 @@ If you enable this policy setting, the WinRM service does not accept Negotiate a If you disable or do not configure this policy setting, the WinRM service accepts Negotiate authentication from a remote client. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -791,28 +797,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -838,12 +850,6 @@ If you disable or do not configure this policy setting, the WinRM service will a If you enable and then disable this policy setting,any values that were previously configured for RunAsPassword will need to be reset. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -863,28 +869,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -914,12 +926,6 @@ If HardeningLevel is set to Relaxed (default value), any request containing an i If HardeningLevel is set to None, all requests are accepted (though they are not protected from credential-forwarding attacks). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -939,28 +945,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -984,12 +996,6 @@ If you enable this policy setting, the WinRM client uses the list specified in T If you disable or do not configure this policy setting and the WinRM client needs to use the list of trusted hosts, you must configure the list of trusted hosts locally on each computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1009,28 +1015,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1058,12 +1070,6 @@ When certain port 80 listeners are migrated to WinRM 2.0, the listener port numb A listener might be automatically created on port 80 to ensure backward compatibility. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1083,28 +1089,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1132,12 +1144,6 @@ When certain port 443 listeners are migrated to WinRM 2.0, the listener port num A listener might be automatically created on port 443 to ensure backward compatibility. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1150,16 +1156,5 @@ ADMX Info:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md index 493027a454..97e1b5f232 100644 --- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md +++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - RemoteProcedureCall -
                  @@ -30,6 +29,12 @@ manager: dansimp
+> [!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -39,28 +44,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -88,12 +99,6 @@ If you do not configure this policy setting, it remains disabled. RPC clients w Note: This policy will not be applied until the system is rebooted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -113,28 +118,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  
@@ -161,21 +172,16 @@ If you do not configure this policy setting, it remains disabled. The RPC serve If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. --- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. +- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. --- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. +- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. --- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. +- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. -Note: This policy setting will not be applied until the system is rebooted. +> [!NOTE] +> This policy setting will not be applied until the system is rebooted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. 
For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -188,16 +194,5 @@ ADMX Info:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md index ac6201611a..0b5ec4947a 100644 --- a/windows/client-management/mdm/policy-csp-remoteshell.md +++ b/windows/client-management/mdm/policy-csp-remoteshell.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - RemoteShell -
                  @@ -45,6 +44,12 @@ manager: dansimp
+> [!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
                  @@ -54,28 +59,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -99,12 +110,6 @@ If you enable or do not configure this policy setting, new remote shell connecti If you set this policy to ‘disabled’, new remote shell connections are rejected by the server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -124,28 +129,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -171,12 +182,6 @@ If you enable this policy setting, the new shell connections are rejected if the If you disable or do not configure this policy setting, the default number is five users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -196,28 +201,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -243,12 +254,6 @@ If you enable this policy setting, the server will wait for the specified amount If you do not configure or disable this policy setting, the default value of 900000 or 15 min will be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -268,28 +273,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -315,12 +326,6 @@ If you enable this policy setting, the remote operation is terminated when a new If you disable or do not configure this policy setting, the value 150 is used by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -340,28 +345,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -385,12 +396,6 @@ If you enable this policy setting, you can specify any number from 0 to 0x7FFFFF If you disable or do not configure this policy setting, the limit is five processes per shell. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -410,28 +415,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -457,12 +468,6 @@ If you enable this policy setting, the user cannot open new remote shells if the If you disable or do not configure this policy setting, by default the limit is set to two remote shells per user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -482,28 +487,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -523,12 +534,6 @@ ADMX Info: This policy setting is deprecated and has no effect when set to any state: Enabled, Disabled, or Not Configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -541,16 +546,5 @@ ADMX Info:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 6e60b430b9..96c9e4ff03 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -15,7 +15,7 @@ manager: dansimp # Policy CSP - RestrictedGroups > [!IMPORTANT] -> Starting from Windows 10, version 20H2, it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy to configure members (users or AAD groups) to a Windows 10 local group. Applying both the policies to the same device is unsupported and may yield unpredictable results. +> Starting from Windows 10, version 20H2, it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy to configure members (users or AAD groups) to a Windows 10 local group. Applying both the policies to the same device is unsupported and may yield unpredictable results.
                  @@ -38,28 +38,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -132,7 +138,8 @@ Starting in Windows 10, version 1809, you can use this schema for retrieval and Here's an example: -``` + +```xml @@ -144,13 +151,18 @@ Here's an example: ``` + where: + - `` contains the local group SID or group name to configure. If a SID is specified here, the policy uses the [LookupAccountName](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``. + - `` contains the members to add to the group in ``. A member can be specified as a name or as a SID. For best results, use a SID for ``. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in AD or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. + - In this example, `Group1` and `Group2` are local groups on the device being configured, and `Group3` is a domain group. > [!NOTE] > Currently, the RestrictedGroups/ConfigureGroupMembership policy does not have a MemberOf functionality. However, you can add a domain group as a member to a local group by using the member portion, as shown in the previous example. + @@ -171,15 +183,4 @@ The following table describes how this policy setting behaves in different Windo
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - - \ No newline at end of file + diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index b3290f82dc..8eb0dbe3ea 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - Search -
                  @@ -72,28 +71,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -110,7 +115,7 @@ manager: dansimp -Added in Windows 10, version 1709. Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources. +Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources. @@ -138,28 +143,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -180,28 +191,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -252,28 +269,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -324,28 +347,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -403,28 +432,34 @@ This policy has been deprecated. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -472,28 +507,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -523,28 +564,34 @@ Allow Windows indexer. Value type is integer. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -592,28 +639,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -658,28 +711,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -728,28 +787,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -766,7 +831,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Don't search the web or display web results in Search. +Don't search the web or display web results in Search. This policy setting allows you to control whether or not Search can perform queries on the web, and if the web results are displayed in Search. If you enable this policy setting, queries won't be performed on the web and web results won't be displayed when a user performs a query in Search. @@ -799,28 +864,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -869,28 +940,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -929,16 +1006,6 @@ The following list shows the supported values:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index 13eb6fdc71..792dab97f1 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -62,28 +62,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -117,46 +123,11 @@ The following list shows the supported values: **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices** - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Windows EditionSupported?
                  Homecross mark
                  Procheck mark
                  Business
                  Enterprisecheck mark
                  Educationcheck mark
                  - - -
                  - > [!NOTE] -> This policy has been deprecated in Windows 10, version 1607 - -
                  - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - +> +> - This policy is deprecated in Windows 10, version 1607.
                  +> - This policy is only enforced in Windows 10 for desktop. Specifies whether to allow automatic [device encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined. @@ -178,28 +149,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -236,28 +213,33 @@ The following list shows the supported values: - - + + + - + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Home
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -277,7 +259,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -Added in Windows 10, version 1709. Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart. +Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart. @@ -305,28 +287,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -343,7 +331,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Configures the use of passwords for Windows features. +Configures the use of passwords for Windows features. > [!Note] > This policy is only supported in Windows 10 S. @@ -367,28 +355,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -431,28 +425,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -470,7 +470,7 @@ The following list shows the supported values: -Added in Windows 10, version 1809. This policy controls the Admin Authentication requirement in RecoveryEnvironment. +This policy controls the Admin Authentication requirement in RecoveryEnvironment. Supported values: - 0 - Default: Keep using default(current) behavior @@ -520,28 +520,34 @@ If the MDM policy is set to "NoRequireAuthentication" (2) - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -584,28 +590,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -642,28 +654,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck markYesYes
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -705,15 +723,5 @@ The following list shows the supported values:
                  -Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - - \ No newline at end of file + diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index 8f43acb2ab..accdd88186 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -34,28 +34,34 @@ ms.date: 09/27/2019 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procross markNoNo
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -113,15 +119,4 @@ Supported values:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 7152934f2d..69c7b52c83 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - Settings - -
                  @@ -72,28 +70,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -137,28 +141,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -198,28 +208,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -256,28 +272,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -318,28 +340,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck markYesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -380,28 +408,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -442,28 +476,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -504,28 +544,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -566,28 +612,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -624,28 +676,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -686,28 +744,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -744,28 +808,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -782,7 +852,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale. +Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale. @@ -812,28 +882,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  
@@ -851,18 +927,18 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons. +Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons. For additional information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively: showonly:about;bluetooth -If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i.e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. 
Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list. +If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (that is, treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list. The format of the PageVisibilityList value is as follows: - The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity. -- There are two variants: one that shows only the given pages and one which hides the given pages. +- There are two variants: one that shows only the given pages and one that hides the given pages. - The first variant starts with the string "showonly:" and the second with the string "hide:". - Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace. - Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:network-wifi" would be just "network-wifi". @@ -888,7 +964,7 @@ ADMX Info: -To validate on Desktop, do the following: +To validate on Desktop, use the following steps: 1. Open System Settings and verify that the About page is visible and accessible. 2. Configure the policy with the following string: "hide:about". @@ -898,15 +974,5 @@ To validate on Desktop, do the following:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index 3f4e279889..e7db6a71e2 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -15,7 +15,6 @@ manager: dansimp
 # Policy CSP - SmartScreen
-
                  @@ -42,28 +41,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -80,7 +85,7 @@ manager: dansimp -Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store. +Allows IT Admins to control whether users are allowed to install apps from places other than the Store. > [!Note] > This policy will block installation only while the device is online. To block offline installation too, **SmartScreen/PreventOverrideForFilesInShell** and **SmartScreen/EnableSmartScreenInShell** policies should also be enabled.

                  This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet. @@ -111,28 +116,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -149,7 +160,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows. +Allows IT Admins to configure SmartScreen for Windows. @@ -177,28 +188,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -215,7 +232,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Allows IT Admins to control whether users can ignore SmartScreen warnings and run malicious files. +Allows IT Admins to control whether users can ignore SmartScreen warnings and run malicious files. @@ -237,16 +254,4 @@ The following list shows the supported values:


-Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
-
diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md
index 59b7531703..40c0182de2 100644
--- a/windows/client-management/mdm/policy-csp-speech.md
+++ b/windows/client-management/mdm/policy-csp-speech.md
@@ -15,7 +15,6 @@ manager: dansimp
 # Policy CSP - Speech
-
                  @@ -36,28 +35,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -74,7 +79,7 @@ manager: dansimp -Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS). +Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS). @@ -95,16 +100,6 @@ The following list shows the supported values:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 6e910385fe..588586543f 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -122,28 +122,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -160,7 +166,7 @@ manager: dansimp -Added in Windows 10, version 1703. This policy controls the visibility of the Documents shortcut on the Start menu. +This policy controls the visibility of the Documents shortcut on the Start menu. @@ -181,28 +187,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -219,7 +231,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy controls the visibility of the Downloads shortcut on the Start menu. +This policy controls the visibility of the Downloads shortcut on the Start menu. @@ -240,28 +252,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -278,7 +296,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy controls the visibility of the File Explorer shortcut on the Start menu. +This policy controls the visibility of the File Explorer shortcut on the Start menu. @@ -299,28 +317,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -337,7 +361,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy controls the visibility of the HomeGroup shortcut on the Start menu. +This policy controls the visibility of the HomeGroup shortcut on the Start menu. @@ -358,28 +382,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -396,7 +426,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy controls the visibility of the Music shortcut on the Start menu. +This policy controls the visibility of the Music shortcut on the Start menu. @@ -417,28 +447,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -455,7 +491,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy controls the visibility of the Network shortcut on the Start menu. +This policy controls the visibility of the Network shortcut on the Start menu. @@ -476,28 +512,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -514,7 +556,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy controls the visibility of the PersonalFolder shortcut on the Start menu. +This policy controls the visibility of the PersonalFolder shortcut on the Start menu. @@ -535,28 +577,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -573,7 +621,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy controls the visibility of the Pictures shortcut on the Start menu. +This policy controls the visibility of the Pictures shortcut on the Start menu. @@ -594,28 +642,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -632,7 +686,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy controls the visibility of the Settings shortcut on the Start menu. +This policy controls the visibility of the Settings shortcut on the Start menu. @@ -653,28 +707,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -691,7 +751,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy controls the visibility of the Videos shortcut on the Start menu. +This policy controls the visibility of the Videos shortcut on the Start menu. @@ -712,28 +772,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -785,28 +851,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -852,28 +924,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -927,28 +1005,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -965,7 +1049,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile. +Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile. @@ -992,28 +1076,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -1034,7 +1124,7 @@ To validate on Desktop, do the following: > [!NOTE] > This policy requires reboot to take effect. -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding most used apps. +Allows IT Admins to configure Start by hiding most used apps. @@ -1065,28 +1155,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -1103,7 +1199,7 @@ To validate on Desktop, do the following: -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button. +Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button. > [!NOTE] @@ -1134,28 +1230,34 @@ To validate on Laptop, do the following: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -1172,7 +1274,7 @@ To validate on Laptop, do the following: -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile. +Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile. @@ -1199,28 +1301,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -1237,7 +1345,7 @@ To validate on Desktop, do the following: -Added in Windows 10, version 1709. Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. +Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. Value type is integer. @@ -1267,28 +1375,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -1308,7 +1422,7 @@ The following list shows the supported values: > [!NOTE] > This policy requires reboot to take effect. -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the Power button from appearing. +Allows IT Admins to configure Start by hiding the Power button from appearing. @@ -1335,28 +1449,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -1376,7 +1496,7 @@ To validate on Desktop, do the following: > [!NOTE] > This policy requires reboot to take effect. -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently opened items in the jump lists from appearing. +Allows IT Admins to configure Start by hiding recently opened items in the jump lists from appearing. @@ -1410,28 +1530,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -1452,7 +1578,7 @@ To validate on Desktop, do the following: > [!NOTE] > This policy requires reboot to take effect. -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently added apps. +Allows IT Admins to configure Start by hiding recently added apps. @@ -1491,28 +1617,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -1529,7 +1661,7 @@ To validate on Desktop, do the following: -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button. +Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button. @@ -1556,28 +1688,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -1594,7 +1732,7 @@ To validate on Desktop, do the following: -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button. +Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button. @@ -1621,28 +1759,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -1659,7 +1803,7 @@ To validate on Desktop, do the following: -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile. +Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile. @@ -1686,28 +1830,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -1724,7 +1874,7 @@ To validate on Desktop, do the following: -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button. +Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button. @@ -1751,28 +1901,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -1789,7 +1945,7 @@ To validate on Desktop, do the following: -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile. +Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile. @@ -1816,28 +1972,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -1857,7 +2019,7 @@ To validate on Desktop, do the following: > [!NOTE] > This policy requires reboot to take effect. -Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the user tile. +Allows IT Admins to configure Start by hiding the user tile. @@ -1885,28 +2047,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -1934,7 +2102,7 @@ Here is additional SKU support information: |Windows 10, version 1703 and later |Enterprise, Education, Business | |Windows 10, version 1709 and later |Enterprise, Education, Business, Pro, ProEducation, S, ProWorkstation | -Added in Windows 10, version 1703. This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files. +This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files. > [!IMPORTANT] > Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy. @@ -1961,28 +2129,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -1999,7 +2173,7 @@ To validate on Desktop, do the following: -Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar. +Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar. @@ -2029,28 +2203,34 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  @@ -2069,7 +2249,7 @@ To validate on Desktop, do the following: > [!IMPORTANT] -> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis. For more information, see [Policy scope](./policy-configuration-service-provider.md#policy-scope) +> In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis. For more information, see [Policy scope](./policy-configuration-service-provider.md#policy-scope) Here is additional SKU support information: @@ -2095,15 +2275,4 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
-
\ No newline at end of file
+
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index ecd7532d32..d470d7977b 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -15,7 +15,6 @@ manager: dansimp
 # Policy CSP - Storage
-
                  @@ -60,28 +59,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -98,7 +103,7 @@ manager: dansimp -Added in Windows 10, version 1709. Allows disk health model updates. +Allows disk health model updates. Value type is integer. @@ -128,28 +133,34 @@ The following list shows the supported values: - - + + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Home
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -201,28 +212,34 @@ ADMX Info: - - + + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Home
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -277,28 +294,34 @@ ADMX Info: - - + + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Home
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -353,28 +376,34 @@ ADMX Info: - - + + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Home
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -429,28 +458,34 @@ ADMX Info: - - + + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Home
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -511,28 +546,34 @@ ADMX Info: - - + + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Home
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -587,28 +628,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -657,28 +704,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
@@ -729,15 +782,5 @@ See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settin
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index b033f662cc..04cccacbb5 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -114,24 +114,29 @@ manager: dansimp - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark11YesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -182,24 +187,29 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6 11YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -294,24 +304,29 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5 11YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -363,24 +378,29 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark11YesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -419,24 +439,29 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark11YesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -480,24 +505,29 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2 11YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
@@ -514,7 +544,7 @@ The following list shows the supported values:
-Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally installed fonts.
+Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally installed fonts.
 This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled).
@@ -555,24 +585,29 @@ To verify if System/AllowFontProviders is set to true: - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark11YesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -647,24 +682,29 @@ If you disable this policy setting, devices may not appear in Microsoft Managed - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark11YesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -703,24 +743,29 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark11YesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -839,24 +884,29 @@ ADMX Info: - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6 11YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -913,24 +963,29 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark11YesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1000,24 +1055,29 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark11YesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1072,24 +1132,29 @@ ADMX Info: - - + + + - + + - 11 + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5 YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -1142,24 +1207,29 @@ ADMX Info: - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4 11YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -1205,24 +1275,29 @@ The following list shows the supported values: - - + + + - + + - 11 + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4 YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -1273,24 +1348,29 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5 11YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -1340,24 +1420,29 @@ ADMX Info: - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5 11YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -1407,24 +1492,29 @@ ADMX Info: - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3 11YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -1463,24 +1553,29 @@ ADMX Info: - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2 11YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
@@ -1497,7 +1592,7 @@ ADMX Info:
-Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting:
+Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting:
 * Users cannot access OneDrive from the OneDrive app or file picker.
 * Microsoft Store apps cannot access OneDrive using the WinRT API.
@@ -1541,24 +1636,29 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark 11YesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1613,24 +1713,29 @@ ADMX Info: - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark4YesYes
                  Procheck mark4 11YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
@@ -1647,7 +1752,7 @@ ADMX Info:
-Added in Windows 10, version 1803. When filing feedback in the Feedback Hub, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations.
+When filing feedback in the Feedback Hub, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations.
@@ -1667,24 +1772,29 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3 11YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -1743,24 +1853,29 @@ ADMX Info: - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark 11YesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1801,24 +1916,29 @@ ADMX Info: - - + + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6 11YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
@@ -1865,18 +1985,4 @@ The following list shows the supported values:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-- 9 - Available in Windows 10, version 20H2.
-- 10 - Available in Windows 10, version 21H1.
-- 11 - Also applies to Windows 10 Business.
-
diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md
index 1e4e35d190..016911d154 100644
--- a/windows/client-management/mdm/policy-csp-systemservices.md
+++ b/windows/client-management/mdm/policy-csp-systemservices.md
@@ -51,28 +51,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
@@ -89,7 +95,7 @@ manager: dansimp
-Added in Windows 10, version 1803. This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
@@ -108,28 +114,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
@@ -146,7 +158,7 @@ GP Info:
-Added in Windows 10, version 1803. This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
@@ -165,28 +177,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
@@ -203,7 +221,7 @@ GP Info:
-Added in Windows 10, version 1803. This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
@@ -222,28 +240,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
@@ -260,7 +284,7 @@ GP Info:
-Added in Windows 10, version 1803. This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
@@ -279,28 +303,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
@@ -317,7 +347,7 @@ GP Info:
-Added in Windows 10, version 1803. This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
@@ -336,28 +366,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
@@ -374,7 +410,7 @@ GP Info:
-Added in Windows 10, version 1803. This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
@@ -386,16 +422,6 @@ GP Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md
index ce84398393..2ad2b1c6d6 100644
--- a/windows/client-management/mdm/policy-csp-taskmanager.md
+++ b/windows/client-management/mdm/policy-csp-taskmanager.md
@@ -35,28 +35,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesYes
                  Businesscross markNoNo
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
@@ -95,16 +101,6 @@ When the policy is set to 0 - users CANNOT execute 'End task' on processes in Ta
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md
index ab6ec4d46c..b76c0948ac 100644
--- a/windows/client-management/mdm/policy-csp-taskscheduler.md
+++ b/windows/client-management/mdm/policy-csp-taskscheduler.md
@@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
@@ -74,21 +80,11 @@ manager: dansimp
-Added in Windows 10, version 1803. This setting determines whether the specific task is enabled (1) or disabled (0). Default: Disabled.
+This setting determines whether the specific task is enabled (1) or disabled (0). Default: Disabled.
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index 444e70c323..77bf576304 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -123,7 +123,7 @@ manager: dansimp
-Added in Windows 10, version 1803. Placeholder only. Do not use in production environment.
+Placeholder only. Do not use in production environment.
@@ -136,28 +136,34 @@ Added in Windows 10, version 1803. Placeholder only. Do not use in production e - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -200,28 +206,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -262,28 +274,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -326,28 +344,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -391,28 +415,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -455,28 +485,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -519,28 +555,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -583,28 +625,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
@@ -624,7 +672,7 @@ The following list shows the supported values:
 > [!NOTE]
 > The policy is only enforced in Windows 10 for desktop.
-Added in Windows 10, version 1703. Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled.
+Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled.
 Most restricted value is 0.
@@ -667,28 +715,34 @@ This policy has been deprecated. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -739,28 +793,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -802,28 +862,34 @@ This setting supports a range of values between 0 and 1. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark8YesYes
                  Businesscheck mark8YesYes
                  Enterprisecheck mark8YesYes
                  Educationcheck mark8YesYes
@@ -844,7 +910,7 @@ This setting supports a range of values between 0 and 1.
 > - The policy is only enforced in Windows 10 for desktop.
 > - This policy requires reboot to take effect.
-Added in Windows 10, version 2004. Allows IT admins to configure Microsoft Japanese IME version in the desktop.
+Allows IT admins to configure Microsoft Japanese IME version in the desktop.
@@ -865,28 +931,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark8YesYes
                  Businesscheck mark8YesYes
                  Enterprisecheck mark8YesYes
                  Educationcheck mark8YesYes
@@ -907,7 +979,7 @@ The following list shows the supported values:
 > - This policy is enforced only in Windows 10 for desktop.
 > - This policy requires reboot to take effect.
-Added in Windows 10, version 2004. Allows IT admins to configure Microsoft Simplified Chinese IME version in the desktop.
+Allows IT admins to configure Microsoft Simplified Chinese IME version in the desktop.
@@ -928,28 +1000,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark8YesYes
                  Businesscheck mark8YesYes
                  Enterprisecheck mark8YesYes
                  Educationcheck mark8YesYes
@@ -969,8 +1047,7 @@ The following list shows the supported values:
 > [!NOTE]
 > - This policy is enforced only in Windows 10 for desktop.
 > - This policy requires reboot to take effect.
-
-Added in Windows 10, version 2004. Allows IT admins to configure Microsoft Traditional Chinese IME version in the desktop.
+Allows IT admins to configure Microsoft Traditional Chinese IME version in the desktop.
@@ -991,28 +1068,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
@@ -1029,7 +1112,7 @@ The following list shows the supported values:
-Added in Windows 10, version 1803. This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode.
+This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode.
 The touch keyboard is enabled in both the tablet and desktop mode. In the tablet mode, when you touch a textbox, the touch keyboard automatically shows up. But in the desktop mode, by default, the touch keyboard does not automatically show up when you touch a textbox. The user must click the system tray to enable the touch keyboard.
@@ -1055,28 +1138,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1117,28 +1206,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1179,28 +1274,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1241,28 +1342,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -1279,7 +1386,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Specifies the touch keyboard is always docked. When this policy is set to enabled, the touch keyboard is always docked. +Specifies the touch keyboard is always docked. When this policy is set to enabled, the touch keyboard is always docked. @@ -1300,28 +1407,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -1338,7 +1451,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Specifies whether the dictation input button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the dictation input button on touch keyboard is disabled. +Specifies whether the dictation input button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the dictation input button on touch keyboard is disabled. @@ -1359,28 +1472,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -1397,7 +1516,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Specifies whether the emoji button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the emoji button on touch keyboard is disabled. +Specifies whether the emoji button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the emoji button on touch keyboard is disabled. @@ -1418,28 +1537,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -1456,7 +1581,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Specifies whether the full keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the full keyboard mode for touch keyboard is disabled. +Specifies whether the full keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the full keyboard mode for touch keyboard is disabled. @@ -1477,28 +1602,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -1515,7 +1646,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Specifies whether the handwriting input panel is enabled or disabled. When this policy is set to disabled, the handwriting input panel is disabled. +Specifies whether the handwriting input panel is enabled or disabled. When this policy is set to disabled, the handwriting input panel is disabled. @@ -1536,28 +1667,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -1574,7 +1711,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Specifies whether the narrow keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the narrow keyboard mode for touch keyboard is disabled. +Specifies whether the narrow keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the narrow keyboard mode for touch keyboard is disabled. @@ -1595,28 +1732,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -1633,7 +1776,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Specifies whether the split keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the split keyboard mode for touch keyboard is disabled. +Specifies whether the split keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the split keyboard mode for touch keyboard is disabled. @@ -1654,28 +1797,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -1692,7 +1841,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Specifies whether the wide keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the wide keyboard mode for touch keyboard is disabled. +Specifies whether the wide keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the wide keyboard mode for touch keyboard is disabled. @@ -1706,16 +1855,5 @@ The following list shows the supported values:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index 8ef9349148..9d490b2202 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 09/28/2021 ms.reviewer: manager: dansimp --- @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -76,6 +82,9 @@ manager: dansimp Specifies the time zone to be applied to the device. This is the standard Windows name for the target time zone. +> [!TIP] +> To get the list of available time zones, run `Get-TimeZone -ListAvailable` in PowerShell. + @@ -89,16 +98,5 @@ Specifies the time zone to be applied to the device. This is the standard Window
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md index 6c74dd7725..41deff6293 100644 --- a/windows/client-management/mdm/policy-csp-troubleshooting.md +++ b/windows/client-management/mdm/policy-csp-troubleshooting.md @@ -34,28 +34,34 @@ ms.date: 09/27/2019 - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -138,16 +144,5 @@ By default, this policy is not configured and the SKU based defaults are used fo
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 1fe9517d3d..c38caf5830 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -198,6 +198,9 @@ manager: dansimp
                  Update/SetProxyBehaviorForUpdateDetection
                  +
                  + Update/TargetProductVersion +
                  Update/TargetReleaseVersion
                  @@ -221,28 +224,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -259,7 +268,7 @@ manager: dansimp -Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. +Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. > [!NOTE] > The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. @@ -288,28 +297,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -326,7 +341,7 @@ ADMX Info: -Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. +Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. Supported values are 8-18. @@ -352,28 +367,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -390,7 +411,7 @@ ADMX Info: -Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. +Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. > [!NOTE] > The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. @@ -419,28 +440,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -499,28 +526,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -537,7 +570,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. Option to download updates automatically over metered connections (off by default). Value type is integer. +Option to download updates automatically over metered connections (off by default). Value type is integer. A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates. @@ -569,28 +602,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -607,7 +646,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. +Allows the IT admin to manage whether to scan for app updates from Microsoft Update. @@ -636,28 +675,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -698,28 +743,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -771,28 +822,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -847,28 +904,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -923,28 +986,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -961,7 +1030,7 @@ ADMX Info: -Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. +Allows the IT Admin to specify the period for auto-restart reminder notifications. The default value is 15 (minutes). @@ -989,28 +1058,34 @@ Supported values are 15, 30, 60, 120, and 240 (minutes). - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -1027,7 +1102,7 @@ Supported values are 15, 30, 60, 120, and 240 (minutes). -Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. +Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. @@ -1056,28 +1131,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -1132,28 +1213,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -1170,7 +1257,7 @@ Supported values: -Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of Semi-Annual Channel (Targeted) and Semi-Annual Channel have been combined into one Semi-Annual Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 is not a supported value. +Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of Semi-Annual Channel (Targeted) and Semi-Annual Channel have been combined into one Semi-Annual Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 is not a supported value. @@ -1202,28 +1289,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -1241,7 +1334,7 @@ The following list shows the supported values: -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. +Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. ADMX Info: @@ -1273,28 +1366,34 @@ Default value is 7. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -1312,7 +1411,7 @@ Default value is 7. -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. +Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. ADMX Info: @@ -1344,28 +1443,34 @@ Default value is 7. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -1383,7 +1488,7 @@ Default value is 7. -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies. +Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies. @@ -1416,28 +1521,34 @@ Default value is 2. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -1455,7 +1566,7 @@ Default value is 2. -Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart. +If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart. When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline. @@ -1489,28 +1600,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark4YesYes
                  Businesscheck mark4YesYes
                  Enterprisecheck mark4YesYes
                  Educationcheck mark4YesYes
                  @@ -1527,7 +1644,7 @@ Supported values: -Added in Windows 10, version 1803. Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days. +Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days. @@ -1540,28 +1657,34 @@ Added in Windows 10, version 1803. Enable IT admin to configure feature update u - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -1580,7 +1703,7 @@ Added in Windows 10, version 1803. Enable IT admin to configure feature update u Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. -Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. +Defers Feature Updates for the specified number of days. Supported values are 0-365 days. @@ -1607,28 +1730,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -1645,7 +1774,7 @@ ADMX Info: -Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. +Defers Quality Updates for the specified number of days. Supported values are 0-30. @@ -1669,28 +1798,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1816,28 +1951,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -1886,28 +2027,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -1924,7 +2071,7 @@ ADMX Info: -Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours with a random variant of 0 - 4 hours. Default is 22 hours. This policy should only be enabled when Update/UpdateServiceUrl is configured to point the device at a WSUS server rather than Microsoft Update. +Specifies the scan frequency from every 1 - 22 hours with a random variant of 0 - 4 hours. Default is 22 hours. This policy should only be enabled when Update/UpdateServiceUrl is configured to point the device at a WSUS server rather than Microsoft Update. @@ -1946,28 +2093,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -1984,11 +2137,11 @@ ADMX Info: -Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases. Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. +Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. For more information about dual scan, see [Demystifying "Dual Scan"](/archive/blogs/wsus/demystifying-dual-scan) and [Improving Dual Scan on 1607](/archive/blogs/wsus/improving-dual-scan-on-1607). -This is the same as the Group Policy in Windows Components > Window Update "Do not allow update deferral policies to cause scans against Windows Update." +This is the same as the Group Policy in Windows Components > Windows Update "Do not allow update deferral policies to cause scans against Windows Update." Value type is integer. Supported operations are Add, Get, Replace, and Delete. @@ -2018,28 +2171,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -2097,28 +2256,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -2175,28 +2340,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -2248,28 +2419,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -2319,28 +2496,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -2390,28 +2573,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -2461,28 +2650,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark5YesYes
                  Businesscheck mark5YesYes
                  Enterprisecheck mark5YesYes
                  Educationcheck mark5YesYes
                  @@ -2532,28 +2727,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -2573,7 +2774,7 @@ ADMX Info: > [!NOTE] > Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. -Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. +Allows IT Admins to exclude Windows Update (WU) drivers during updates. @@ -2601,28 +2802,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -2639,7 +2846,7 @@ The following list shows the supported values: -Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). +Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). > [!NOTE] > This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. @@ -2671,28 +2878,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -2709,7 +2922,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. +Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. > [!WARNING] > Setting this policy might cause devices to incur costs from MO operators. @@ -2742,28 +2955,34 @@ To validate this policy: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -2780,7 +2999,7 @@ To validate this policy: -Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. +Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. > [!WARNING] > Setting this policy might cause devices to incur costs from MO operators. @@ -2813,28 +3032,34 @@ To validate this policy: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -2851,7 +3076,7 @@ To validate this policy: -Added in Windows 10, version 1709. Used to manage Windows 10 Insider Preview builds. Value type is integer. +Used to manage Windows 10 Insider Preview builds. Value type is integer. @@ -2881,28 +3106,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -2955,28 +3186,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -2996,7 +3233,7 @@ The following list shows the supported values: Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. -Added in Windows 10, version 1607. Allows IT Admins to pause feature updates for up to 35 days. We recomment that you use the *Update/PauseFeatureUpdatesStartTime* policy if you are running Windows 10, version 1703 or later. +Allows IT Admins to pause feature updates for up to 35 days. We recomment that you use the *Update/PauseFeatureUpdatesStartTime* policy if you are running Windows 10, version 1703 or later. @@ -3025,28 +3262,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -3063,7 +3306,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates. When this policy is configured, Feature Updates will be paused for 35 days from the specified start date. +Specifies the date and time when the IT admin wants to start pausing the Feature Updates. When this policy is configured, Feature Updates will be paused for 35 days from the specified start date. Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace. @@ -3087,28 +3330,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -3125,7 +3374,7 @@ ADMX Info: -Added in Windows 10, version 1607. Allows IT Admins to pause quality updates. For those running Windows 10, version 1703 or later, we recommend that you use *Update/PauseQualityUpdatesStartTime* instead. +Allows IT Admins to pause quality updates. For those running Windows 10, version 1703 or later, we recommend that you use *Update/PauseQualityUpdatesStartTime* instead. @@ -3154,28 +3403,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -3192,7 +3447,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates. When this policy is configured, Quality Updates will be paused for 35 days from the specified start date. +Specifies the date and time when the IT admin wants to start pausing the Quality Updates. When this policy is configured, Quality Updates will be paused for 35 days from the specified start date. Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace. @@ -3227,28 +3482,34 @@ This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupd - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  @@ -3296,28 +3557,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesNo
                  Businesscheck markYesNo
                  Enterprisecheck markYesNo
                  Educationcheck markYesNo
                  @@ -3360,28 +3627,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -3398,7 +3671,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. +Allows the IT Admin to specify the period for auto-restart imminent warning notifications. The default value is 15 (minutes). @@ -3426,28 +3699,34 @@ Supported values are 15, 30, or 60 (minutes). - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -3468,7 +3747,7 @@ Supported values are 15, 30, or 60 (minutes). > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications. +Allows the IT Admin to specify the period for auto-restart warning reminder notifications. The default value is 4 (hours). @@ -3496,28 +3775,34 @@ Supported values are 2, 4, 8, 12, or 24 (hours). - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -3573,28 +3858,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -3611,7 +3902,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values: +Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values:
                  • 0 - no update in the schedule
                  • 1 - update is scheduled every week
                  • @@ -3637,28 +3928,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                    Windows EditionSupported?EditionWindows 10Windows 11
                    Homecross markNoNo
                    Procheck mark3YesYes
                    Businesscheck mark3YesYes
                    Enterprisecheck mark3YesYes
                    Educationcheck mark3YesYes
                    @@ -3675,7 +3972,7 @@ ADMX Info: -Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values: +Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values:
                    • 0 - no update in the schedule
                    • 1 - update is scheduled every first week of the month
                    • @@ -3701,28 +3998,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                      Windows EditionSupported?EditionWindows 10Windows 11
                      Homecross markNoNo
                      Procheck mark3YesYes
                      Businesscheck mark3YesYes
                      Enterprisecheck mark3YesYes
                      Educationcheck mark3YesYes
                      @@ -3739,7 +4042,7 @@ ADMX Info: -Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values: +Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values:
                      • 0 - no update in the schedule
                      • 1 - update is scheduled every fourth week of the month
                      • @@ -3765,28 +4068,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                        Windows EditionSupported?EditionWindows 10Windows 11
                        Homecross markNoNo
                        Procheck mark3YesYes
                        Businesscheck mark3YesYes
                        Enterprisecheck mark3YesYes
                        Educationcheck mark3YesYes
                        @@ -3803,7 +4112,7 @@ ADMX Info: -Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values: +Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values:
                        • 0 - no update in the schedule
                        • 1 - update is scheduled every second week of the month
                        • @@ -3829,28 +4138,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                          Windows EditionSupported?EditionWindows 10Windows 11
                          Homecross markNoNo
                          Procheck mark3YesYes
                          Businesscheck mark3YesYes
                          Enterprisecheck mark3YesYes
                          Educationcheck mark3YesYes
                          @@ -3867,7 +4182,7 @@ ADMX Info: -Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values: +Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values:
                          • 0 - no update in the schedule
                          • 1 - update is scheduled every third week of the month
                          • @@ -3893,28 +4208,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck markYesYes
                            Businesscheck markYesYes
                            Enterprisecheck markYesYes
                            Educationcheck markYesYes
                            @@ -3965,28 +4286,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark2YesYes
                            Businesscheck mark2YesYes
                            Enterprisecheck mark2YesYes
                            Educationcheck mark2YesYes
                            @@ -4003,7 +4330,7 @@ ADMX Info: -Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations. +Allows the IT Admin to disable auto-restart notifications for update installations. @@ -4032,28 +4359,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark5YesYes
                            Businesscheck mark5YesYes
                            Enterprisecheck mark5YesYes
                            Educationcheck mark5YesYes
                            @@ -4091,28 +4424,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark5YesYes
                            Businesscheck mark5YesYes
                            Enterprisecheck mark5YesYes
                            Educationcheck mark5YesYes
                            @@ -4150,28 +4489,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark2YesYes
                            Businesscheck mark2YesYes
                            Enterprisecheck mark2YesYes
                            Educationcheck mark2YesYes
                            @@ -4188,7 +4533,7 @@ ADMX Info: -Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime. +For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime. When you set this policy along with Update/ActiveHoursStart, Update/ActiveHoursEnd, and ShareCartPC, it will defer all the update processes (scan, download, install, and reboot) to a time after Active Hours. After a buffer period after ActiveHoursEnd, the device will wake up several times to complete the processes. All processes are blocked before ActiveHoursStart. @@ -4219,28 +4564,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -4284,34 +4635,120 @@ The following list shows the supported values:
                            + +**Update/TargetProductVersion** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                            EditionWindows 10Windows 11
                            HomeNoNo
                            ProYesYes
                            BusinessYesYes
                            EnterpriseYesYes
                            EducationYesYes
                            + + +
                            + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                            + + + +Available in Windows 10, version 2004 and later. Enables IT administrators to specify which product they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy to target a new product. + +If no product is specified, the device will continue receiving newer versions of the Windows product it is currently on. For details about different Windows 10 versions, see [release information](/windows/release-health/release-information). + + + +ADMX Info: +- GP Friendly name: *Select the target Feature Update version* +- GP name: *TargetProductVersion* +- GP element: *TargetProductVersionId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Value type is a string containing a Windows product, for example, “Windows 11” or “11” or “Windows 10”. + + + + + + + + +By using this Windows Update for Business policy to upgrade devices to a new product (ex. Windows 11) you are agreeing that when applying this operating system to a device either +(1) The applicable Windows license was purchased though volume licensing, or +(2) That you are authorized to bind your organization and are accepting on its behalf the relevant Microsoft Software License Terms to be found here: (https://www.microsoft.com/Useterms). + +
                            + **Update/TargetReleaseVersion** - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark4YesYes
                            Businesscheck mark4YesYes
                            Enterprisecheck mark4YesYes
                            Educationcheck mark4YesYes
                            @@ -4358,28 +4795,34 @@ Value type is a string containing Windows 10 version number. For example, 1809, - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark5YesYes
                            Businesscheck mark5YesYes
                            Enterprisecheck mark5YesYes
                            Educationcheck mark5YesYes
                            @@ -4435,28 +4878,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck markYesYes
                            Businesscheck markYesYes
                            Enterprisecheck markYesYes
                            Educationcheck markYesYes
                            @@ -4527,28 +4976,34 @@ Example - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -4565,7 +5020,7 @@ Example -Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. +Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. @@ -4591,15 +5046,4 @@ ADMX Info:
                            -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - -1` \ No newline at end of file + diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 7ac5e6f283..be84a95bca 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 11/11/2021 ms.reviewer: manager: dansimp --- @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - UserRights -
                            User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. For reference, see [Well-Known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). @@ -200,28 +199,34 @@ For example, the following syntax grants user rights to a specific user or group - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -257,28 +262,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -316,28 +327,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -375,28 +392,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -434,28 +457,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -493,28 +522,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -550,28 +585,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -609,28 +650,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -666,28 +713,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -723,28 +776,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -784,28 +843,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -843,28 +908,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -902,28 +973,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -959,28 +1036,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -997,9 +1080,10 @@ GP Info:
                            -This security setting determines which service accounts are prevented from registering a process as a service.
                            +This security setting determines which users are prevented from logging on to the computer. This policy setting supersedes the **Allow log on locally** policy setting if an account is subject to both policies.
                            +
                             > [!NOTE]
                            -> This security setting does not apply to the System, Local Service, or Network Service accounts.
                            +> If you apply this security policy to the **Everyone** group, no one will be able to log on locally.
                            @@ -1018,28 +1102,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -1075,28 +1165,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -1134,28 +1230,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -1191,28 +1293,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -1258,28 +1366,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -1320,28 +1434,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -1379,28 +1499,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -1436,28 +1562,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -1493,28 +1625,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -1550,28 +1688,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -1609,28 +1753,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -1666,28 +1816,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -1723,28 +1879,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -1780,28 +1942,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -1839,28 +2007,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -1891,14 +2065,4 @@ GP Info:
                            -Footnotes:
                            -
                            -- 1 - Available in Windows 10, version 1607.
                            -- 2 - Available in Windows 10, version 1703.
                            -- 3 - Available in Windows 10, version 1709.
                            -- 4 - Available in Windows 10, version 1803.
                            -- 5 - Available in Windows 10, version 1809.
                            -- 6 - Available in Windows 10, version 1903.
                            -- 7 - Available in Windows 10, version 1909.
                            -- 8 - Available in Windows 10, version 2004.
                            diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md
                            index 0db9332538..77728974a0 100644
                            --- a/windows/client-management/mdm/policy-csp-wifi.md
                            +++ b/windows/client-management/mdm/policy-csp-wifi.md
                            @@ -15,7 +15,6 @@ manager: dansimp
                             # Policy CSP - Wifi
                            -
                            @@ -67,28 +66,34 @@ This policy has been deprecated. - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck markYesYes
                            Businesscheck markYesYes
                            Enterprisecheck markYesYes
                            Educationcheck markYesYes
                            @@ -135,28 +140,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck markYesYes
                            Businesscheck markYesYes
                            Enterprisecheck markYesYes
                            Educationcheck markYesYes
                            @@ -203,28 +214,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -266,28 +283,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -326,28 +349,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark2YesYes
                            Businesscheck mark2YesYes
                            Enterprisecheck mark2YesYes
                            Educationcheck mark2YesYes
                            @@ -364,7 +393,7 @@ The following list shows the supported values:
                            -Added in Windows 10, version 1703. Allow WiFi Direct connection..
                            +Allow WiFi Direct connection..
                            @@ -384,28 +413,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck markYesYes
                            Businesscheck markYesYes
                            Enterprisecheck markYesYes
                            Educationcheck markYesYes
                            @@ -434,16 +469,6 @@ Supported operations are Add, Delete, Get, and Replace.
                            -Footnotes:
                            -
                            -- 1 - Available in Windows 10, version 1607.
                            -- 2 - Available in Windows 10, version 1703.
                            -- 3 - Available in Windows 10, version 1709.
                            -- 4 - Available in Windows 10, version 1803.
                            -- 5 - Available in Windows 10, version 1809.
                            -- 6 - Available in Windows 10, version 1903.
                            -- 7 - Available in Windows 10, version 1909.
                            -- 8 - Available in Windows 10, version 2004.
                            diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
                            index 9af69e0c2b..a5e847a460 100644
                            --- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
                            +++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
                            @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck markYesYes
                            Businesscheck markYesYes
                            Enterprisecheck markYesYes
                            Educationcheck markYesYes
                            @@ -107,16 +113,6 @@ ADMX Info:
                            -Footnotes:
                            -
                            -- 1 - Available in Windows 10, version 1607.
                            -- 2 - Available in Windows 10, version 1703.
                            -- 3 - Available in Windows 10, version 1709.
                            -- 4 - Available in Windows 10, version 1803.
                            -- 5 - Available in Windows 10, version 1809.
                            -- 6 - Available in Windows 10, version 1903.
                            -- 7 - Available in Windows 10, version 1909.
                            -- 8 - Available in Windows 10, version 2004.
                            diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
                            index 10c2f369a9..1236c6edd8 100644
                            --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
                            +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
                            @@ -98,28 +98,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark3YesYes
                            Procheck mark3YesYes
                            Businesscheck mark3YesYes
                            Enterprisecheck mark3YesYes
                            Educationcheck mark3YesYes
                            @@ -136,7 +142,7 @@ manager: dansimp
                            -Added in Windows 10, version 1709. The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display the contact options.
                            +The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display the contact options.
                             Value type is string. Supported operations are Add, Get, Replace and Delete.
                            @@ -160,28 +166,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark4YesYes
                            Procheck mark4YesYes
                            Businesscheck mark4YesYes
                            Enterprisecheck mark4YesYes
                            Educationcheck mark4YesYes
                            @@ -198,7 +210,7 @@ ADMX Info:
                            -Added in Windows 10, next major release. Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
                            +Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area.
                            @@ -226,28 +238,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark3YesYes
                            Procheck mark3YesYes
                            Businesscheck mark3YesYes
                            Enterprisecheck mark3YesYes
                            Educationcheck mark3YesYes
                            @@ -264,7 +282,7 @@ Valid values:
                            -Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
                            +Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area.
                             Value type is integer. Supported operations are Add, Get, Replace and Delete.
                            @@ -294,28 +312,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark5YesYes
                            Procheck mark5YesYes
                            Businesscheck mark5YesYes
                            Enterprisecheck mark5YesYes
                            Educationcheck mark5YesYes
                            @@ -376,28 +400,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark4YesYes
                            Procheck mark4YesYes
                            Businesscheck mark4YesYes
                            Enterprisecheck mark4YesYes
                            Educationcheck mark4YesYes
                            @@ -414,7 +444,7 @@ ADMX Info:
                            -Added in Windows 10, next major release. Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
                            +Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area.
                            @@ -442,28 +472,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark3YesYes
                            Procheck mark3YesYes
                            Businesscheck mark3YesYes
                            Enterprisecheck mark3YesYes
                            Educationcheck mark3YesYes
                            @@ -480,7 +516,7 @@ Valid values:
                            -Added in Windows 10, version 1709. Use this policy if you want Windows Defender Security Center to only display notifications which are considered critical. If you disable or do not configure this setting, Windows Defender Security Center will display critical and non-critical notifications to users.
                            +Use this policy if you want Windows Defender Security Center to only display notifications which are considered critical. If you disable or do not configure this setting, Windows Defender Security Center will display critical and non-critical notifications to users.
                             > [!NOTE]
                             > If Suppress notification is enabled then users will not see critical or non-critical messages.
                            @@ -513,28 +549,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark3YesYes
                            Procheck mark3YesYes
                            Businesscheck mark3YesYes
                            Enterprisecheck mark3YesYes
                            Educationcheck mark3YesYes
                            @@ -551,7 +593,7 @@ The following list shows the supported values:
                            -Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
                            +Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area.
                             Value type is integer. Supported operations are Add, Get, Replace and Delete.
                            @@ -581,28 +623,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark3YesYes
                            Procheck mark3YesYes
                            Businesscheck mark3YesYes
                            Enterprisecheck mark3YesYes
                            Educationcheck mark3YesYes
                            @@ -619,7 +667,7 @@ The following list shows the supported values:
                            -Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
                            +Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area.
                             Value type is integer. Supported operations are Add, Get, Replace and Delete.
                            @@ -649,28 +697,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark3YesYes
                            Procheck mark3YesYes
                            Businesscheck mark3YesYes
                            Enterprisecheck mark3YesYes
                            Educationcheck mark3YesYes
                            @@ -687,7 +741,7 @@ The following list shows the supported values:
                            -Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
                            +Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area.
                             Value type is integer. Supported operations are Add, Get, Replace and Delete.
                            @@ -717,28 +771,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark3YesYes
                            Procheck mark3YesYes
                            Businesscheck mark3YesYes
                            Enterprisecheck mark3YesYes
                            Educationcheck mark3YesYes
                            @@ -755,7 +815,7 @@ The following list shows the supported values:
                            -Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. If you disable or do not configure this setting, Windows Defender Security Center notifications will display on devices.
                            +Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. If you disable or do not configure this setting, Windows Defender Security Center notifications will display on devices.
                             Value type is integer. Supported operations are Add, Get, Replace and Delete.
                            @@ -785,28 +845,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark5YesYes
                            Procheck mark5YesYes
                            Businesscheck mark5YesYes
                            Enterprisecheck mark5YesYes
                            Educationcheck mark5YesYes
                            @@ -867,28 +933,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark3YesYes
                            Procheck mark3YesYes
                            Businesscheck mark3YesYes
                            Enterprisecheck mark3YesYes
                            Educationcheck mark3YesYes
                            @@ -905,7 +977,7 @@ ADMX Info:
                            -Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
                            +Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area.
                             Value type is integer. Supported operations are Add, Get, Replace and Delete.
                            @@ -935,28 +1007,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark3YesYes
                            Procheck mark3YesYes
                            Businesscheck mark3YesYes
                            Enterprisecheck mark3YesYes
                            Educationcheck mark3YesYes
                            @@ -973,7 +1051,7 @@ The following list shows the supported values:
                            -Added in Windows 10, version 1709. Prevent users from making changes to the exploit protection settings area in the Windows Defender Security Center. If you disable or do not configure this setting, local users can make changes in the exploit protection settings area.
                            +Prevent users from making changes to the exploit protection settings area in the Windows Defender Security Center. If you disable or do not configure this setting, local users can make changes in the exploit protection settings area.
                             Value type is integer. Supported operations are Add, Get, Replace and Delete.
                            @@ -1003,28 +1081,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark3YesYes
                            Procheck mark3YesYes
                            Businesscheck mark3YesYes
                            Enterprisecheck mark3YesYes
                            Educationcheck mark3YesYes
                            @@ -1041,7 +1125,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. The email address that is displayed to users.  The default mail application is used to initiate email actions. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. +The email address that is displayed to users.  The default mail application is used to initiate email actions. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. Value type is string. Supported operations are Add, Get, Replace and Delete. @@ -1065,28 +1149,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark3YesYes
                            Procheck mark3YesYes
                            Businesscheck mark3YesYes
                            Enterprisecheck mark3YesYes
                            Educationcheck mark3YesYes
                            @@ -1103,7 +1193,7 @@ ADMX Info:
                            -Added in Windows 10, version 1709. Enable this policy to display your company name and contact options in the notifications. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will display a default notification text.
                            +Enable this policy to display your company name and contact options in the notifications. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will display a default notification text.
                             Value type is integer. Supported operations are Add, Get, Replace, and Delete.
                            @@ -1133,28 +1223,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark3YesYes
                            Procheck mark3YesYes
                            Businesscheck mark3YesYes
                            Enterprisecheck mark3YesYes
                            Educationcheck mark3YesYes
                            @@ -1171,7 +1267,7 @@ The following list shows the supported values:
                            -Added in Windows 10, version 1709. Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will not display the contact card fly out notification.
                            +Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will not display the contact card fly out notification.
                             Value type is integer. Supported operations are Add, Get, Replace, and Delete.
                            @@ -1201,28 +1297,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark4YesYes
                            Procheck mark4YesYes
                            Businesscheck mark4YesYes
                            Enterprisecheck mark4YesYes
                            Educationcheck mark4YesYes
                            @@ -1239,7 +1341,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Use this policy setting to hide the Ransomware data recovery area in Windows Defender Security Center. +Use this policy setting to hide the Ransomware data recovery area in Windows Defender Security Center. @@ -1267,28 +1369,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark4YesYes
                            Procheck mark4YesYes
                            Businesscheck mark4YesYes
                            Enterprisecheck mark4YesYes
                            Educationcheck mark4YesYes
                            @@ -1305,7 +1413,7 @@ Valid values: -Added in Windows 10, version 1803. Use this policy to hide the Secure boot area in the Windows Defender Security Center. +Use this policy to hide the Secure boot area in the Windows Defender Security Center. @@ -1333,28 +1441,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark4YesYes
                            Procheck mark4YesYes
                            Businesscheck mark4YesYes
                            Enterprisecheck mark4YesYes
                            Educationcheck mark4YesYes
                            @@ -1371,7 +1485,7 @@ Valid values: -Added in Windows 10, version 1803. Use this policy to hide the Security processor (TPM) troubleshooting area in the Windows Defender Security Center. +Use this policy to hide the Security processor (TPM) troubleshooting area in the Windows Defender Security Center. @@ -1399,28 +1513,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark5YesYes
                            Procheck mark5YesYes
                            Businesscheck mark5YesYes
                            Enterprisecheck mark5YesYes
                            Educationcheck mark5YesYes
                            @@ -1483,28 +1603,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark3YesYes
                            Procheck mark3YesYes
                            Businesscheck mark3YesYes
                            Enterprisecheck mark3YesYes
                            Educationcheck mark3YesYes
                            @@ -1521,7 +1647,7 @@ ADMX Info: -Added in Windows 10, version 1709. The phone number or Skype ID that is displayed to users.  Skype is used to initiate the call. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. +The phone number or Skype ID that is displayed to users.  Skype is used to initiate the call. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. Value type is string. Supported operations are Add, Get, Replace, and Delete. @@ -1545,28 +1671,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecheck mark3YesYes
                            Procheck mark3YesYes
                            Businesscheck mark3YesYes
                            Enterprisecheck mark3YesYes
                            Educationcheck mark3YesYes
                            @@ -1583,7 +1715,7 @@ ADMX Info: -Added in Windows 10, version 1709. The help portal URL this is displayed to users. The default browser is used to initiate this action. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device will not display contact options. +The help portal URL this is displayed to users. The default browser is used to initiate this action. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device will not display contact options. Value type is Value type is string. Supported operations are Add, Get, Replace, and Delete. @@ -1600,16 +1732,4 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
-
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
index b352b0818c..f463131d83 100644
--- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -15,7 +15,6 @@ manager: dansimp
 # Policy CSP - WindowsInkWorkspace
-
                            @@ -39,28 +38,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -77,7 +82,7 @@ manager: dansimp -Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace. +Show recommended app suggestions in the ink workspace. @@ -105,28 +110,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                            Windows EditionSupported?EditionWindows 10Windows 11
                            Homecross markNoNo
                            Procheck mark1YesYes
                            Businesscheck mark1YesYes
                            Enterprisecheck mark1YesYes
                            Educationcheck mark1YesYes
                            @@ -143,7 +154,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace. +Specifies whether to allow the user to access the ink workspace. @@ -166,16 +177,5 @@ Value type is int. The following list shows the supported values:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index 4d822efc0c..94a49ce87c 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -45,6 +45,13 @@ manager: dansimp
+> [!TIP]
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
                  @@ -54,28 +61,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark6YesYes
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -105,12 +118,6 @@ After enabling this policy, you can configure its settings through the [ConfigAu If you disable this policy setting, the device does not configure automatic sign in. The user’s lock screen apps are not restarted after the system restarts. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -139,28 +146,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecheck mark6YesYes
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -190,12 +203,6 @@ BitLocker is suspended during updates if: If you disable or do not configure this setting, automatic sign on defaults to the “Enabled if BitLocker is on and not suspended” behavior. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -224,28 +231,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -269,12 +282,6 @@ If you enable this policy setting, no app notifications are displayed on the loc If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -294,28 +301,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -364,12 +377,6 @@ Here is an example to enable this policy: ``` -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -389,28 +396,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markYesYes
                  Procheck mark6YesYes
                  Businesscheck mark6YesYes
                  Enterprisecheck mark6YesYes
                  Educationcheck mark6YesYes
                  @@ -468,28 +481,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -513,12 +532,6 @@ If you enable this policy setting, Logon UI will enumerate all local users on do If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -538,28 +551,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -576,7 +595,7 @@ ADMX Info: -Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. +This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. @@ -604,16 +623,5 @@ To validate on Desktop, do the following:
                  -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md index 3cf0a24d74..a67752e251 100644 --- a/windows/client-management/mdm/policy-csp-windowspowershell.md +++ b/windows/client-management/mdm/policy-csp-windowspowershell.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscheck markYesYes
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -104,16 +110,6 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md
index e1e54793b4..f3fd70ab14 100644
--- a/windows/client-management/mdm/policy-csp-windowssandbox.md
+++ b/windows/client-management/mdm/policy-csp-windowssandbox.md
@@ -12,9 +12,6 @@ ms.date: 10/14/2020
 # Policy CSP - WindowsSandbox
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
                  @@ -53,28 +50,34 @@ Available in the latest Windows 10 insider preview build. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -141,28 +144,34 @@ Available in the latest Windows 10 insider preview build. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -226,28 +235,34 @@ Available in the latest Windows 10 insider preview build. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -309,28 +324,34 @@ Available in the latest Windows 10 insider preview build. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -393,28 +414,34 @@ Available in the latest Windows 10 insider preview build. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  @@ -480,28 +507,34 @@ Available in the latest Windows 10 insider preview build. - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck markYesYes
                  Businesscross markNoNo
                  Enterprisecheck markYesYes
                  Educationcheck markYesYes
                  diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index b1b0988561..9d941ee024 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -55,28 +55,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -93,7 +99,7 @@ manager: dansimp -Added in Windows 10, version 1709. This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS advertisement. +This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS advertisement. @@ -113,28 +119,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark3YesYes
                  Businesscheck mark3YesYes
                  Enterprisecheck mark3YesYes
                  Educationcheck mark3YesYes
                  @@ -151,7 +163,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS discovery. +This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS discovery. @@ -171,28 +183,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -209,7 +227,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC. +This policy allows you to turn off projection from a PC. @@ -229,28 +247,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -267,7 +291,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure. +This policy allows you to turn off projection from a PC over infrastructure. @@ -287,28 +311,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -325,7 +355,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC. +Allow or disallow turning off the projection to a PC. If you set it to 0 (zero), your PC is not discoverable and you cannot project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. @@ -357,28 +387,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -395,7 +431,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure. +This policy setting allows you to turn off projection to a PC over infrastructure. @@ -415,28 +451,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark2YesYes
                  Businesscheck mark2YesYes
                  Enterprisecheck mark2YesYes
                  Educationcheck mark2YesYes
                  @@ -453,7 +495,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Setting this policy controls whether or not the wireless display can send input—keyboard, mouse, pen, and touch input if the display supports it—back to the source device. +Setting this policy controls whether or not the wireless display can send input—keyboard, mouse, pen, and touch input if the display supports it—back to the source device. @@ -473,28 +515,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
                  Windows EditionSupported?EditionWindows 10Windows 11
                  Homecross markNoNo
                  Procheck mark1YesYes
                  Businesscheck mark1YesYes
                  Enterprisecheck mark1YesYes
                  Educationcheck mark1YesYes
                  @@ -511,7 +559,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing. +Allow or disallow requirement for a PIN for pairing. If you turn this on, the pairing ceremony for new devices will always require a PIN. If you turn this off or do not configure it, a PIN is not required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. @@ -536,16 +584,5 @@ The following list shows the supported values:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md
index e2d40a822a..1b7b94e690 100644
--- a/windows/client-management/mdm/pxlogical-csp.md
+++ b/windows/client-management/mdm/pxlogical-csp.md
@@ -19,15 +19,56 @@ The PXLOGICAL configuration service provider is used to add, remove, or modify W
 > **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
- 
-The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
+The following shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
-![pxlogical csp (cp) (initial bootstrapping).](images/provisioning-csp-pxlogical-cp.png)
+```console
+PXLOGICAL
+----DOMAIN
+----NAME
+----PORT
+-------PORTNBR
+-------SERVICE
+----PUSHENABLED
+----PROXY-ID
+----TRUST
+----PXPHYSICAL
+-------DOMAIN
+-------PHYSICAL-PROXY-ID
+-------PORT
+---------PORTNBR
+---------SERVICE
+-------PUSHENABLED
+-------PXADDR
+-------PXADDRTYPE
+-------TO-NAPID
+```
-The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
-![pxlogical csp (cp) (update bootstrapping).](images/provisioning-csp-pxlogical-cp-2.png)
+The following shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
+
+```console
+PXLOGICAL
+--PROXY-ID
+----DOMAIN
+----NAME
+----PORT
+-------PORTNBR
+-------SERVICE
+----PUSHENABLED
+----TRUST
+----PXPHYSICAL
+-------PHYSICAL-PROXY-ID
+----------DOMAIN
+----------PORT
+-------------PORTNBR
+-------------SERVICE
+----------PUSHENABLED
+----------PXADDR
+----------PXADDRTYPE
+----------TO-NAPID
+```
+
 **PXPHYSICAL** Defines a group of logical proxy settings.
@@ -37,7 +78,7 @@ The element's mwid attribute is a Microsoft provisioning XML attribute, and is o
 **DOMAIN** Specifies the domain associated with the proxy (for example, "\*.com").
-A Windows device supports only one proxy that does not have a DOMAIN parameter, or has an empty DOMAIN value. That is, the device only supports one default proxy. All other proxy configurations must have a DOMAIN parameter with a non-empty value. A query of this parameter returns a semicolon delimited string of all domains associated with the proxy.
+A Windows device supports only one proxy that does not have a DOMAIN parameter, or has an empty DOMAIN value. That is, the device only supports one default proxy. All other proxy configurations must have a DOMAIN parameter with a non-empty value. A query of this parameter returns a semicolon-delimited string of all domains associated with the proxy.
 **NAME** Specifies the name of the logical proxy.
diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md
index 4ffdbad557..fbc7a1ec31 100644
--- a/windows/client-management/mdm/securitypolicy-csp.md
+++ b/windows/client-management/mdm/securitypolicy-csp.md
@@ -23,9 +23,13 @@ The SecurityPolicy configuration service provider is used to configure security For the SecurityPolicy CSP, you cannot use the Replace command unless the node already exists. -The following diagram shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. +The following shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. -![securitypolicy csp (dm,cp).](images/provisioning-csp-securitypolicy-dmandcp.png) +```console +./Vendor/MSFT +SecurityPolicy +----PolicyID +``` ***PolicyID*** Defines the security policy identifier as a decimal value. @@ -48,7 +52,7 @@ The following security policies are supported.

                  4104

                  -

                  Hex:1008

                  +

                  Hex: 1008

                  TPS Policy

                  This setting indicates whether mobile operators can be assigned the Trusted Provisioning Server (TPS) SECROLE_OPERATOR_TPS role.

                  Default value: 1

                  @@ -58,7 +62,7 @@ The following security policies are supported.

                  4105

                  -

                  Hex:1009

                  +

                  Hex: 1009

                  Message Authentication Retry Policy

                  This setting specifies the maximum number of times the user is allowed to try authenticating a Wireless Application Protocol (WAP) PIN-signed message.

                  Default value: 3

                  @@ -66,7 +70,7 @@ The following security policies are supported.

                  4108

                  -

                  Hex:100c

                  +

                  Hex: 100c

                  Service Loading Policy

                  This setting indicates whether SL messages are accepted, by specifying the security roles that can accept SL messages. An SL message downloads new services or provisioning XML to the device.

                  Default value: 256 (SECROLE_KNOWN_PPG)

                  diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index ad67b668bb..147c460f3b 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -295,7 +295,7 @@ SurfaceHub

                  The data type is boolean. Supported operation is Get and Replace. **InBoxApps/Welcome/CurrentBackgroundPath** -

                  Download location for image to be used as the background during user sessions and on the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image. +

                  Download location for image to be used as the background during user sessions and on the welcome screen. To set this, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.

                  The data type is string. Supported operation is Get and Replace. diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 9d8ff38c27..7a1fa1b52f 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -48,6 +48,8 @@ items: href: device-update-management.md - name: Bulk enrollment href: bulk-enrollment-using-windows-provisioning-tool.md + - name: Secured-Core PC Configuration Lock + href: config-lock.md - name: Management tool for the Microsoft Store for Business href: management-tool-for-windows-store-for-business.md items: @@ -80,8 +82,6 @@ items: href: bulk-assign-and-reclaim-seats-from-user.md - name: Get seats assigned to a user href: get-seats-assigned-to-a-user.md - - name: Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices - href: enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md - name: Certificate renewal href: certificate-renewal-windows-mdm.md - name: Disconnecting from the management infrastructure (unenrollment) @@ -149,8 +149,6 @@ items: items: - name: BitLocker DDF file href: bitlocker-ddf-file.md - - name: BOOTSTRAP CSP - href: bootstrap-csp.md - name: BrowserFavorite CSP href: browserfavorite-csp.md - name: CellularSettings CSP @@ -172,8 +170,6 @@ items: href: clientcertificateinstall-ddf-file.md - name: CM_CellularEntries CSP href: cm-cellularentries-csp.md - - name: CM_ProxyEntries CSP - href: cm-proxyentries-csp.md - name: CMPolicy CSP href: cmpolicy-csp.md - name: CMPolicyEnterprise CSP @@ -201,8 +197,6 @@ items: items: - name: DeveloperSetup DDF href: developersetup-ddf.md - - name: DeviceInstanceService CSP - href: deviceinstanceservice-csp.md - name: DeviceLock CSP href: devicelock-csp.md items: 
@@ -407,6 +401,8 @@ items:
 href: policy-csp-admx-activexinstallservice.md
 - name: ADMX_AddRemovePrograms
 href: policy-csp-admx-addremoveprograms.md
+ - name: ADMX_AdmPwd
+ href: policy-csp-admx-admpwd.md
 - name: ADMX_AppCompat
 href: policy-csp-admx-appcompat.md
 - name: ADMX_AppxPackageManager
@@ -455,6 +451,8 @@ items:
 href: policy-csp-admx-dfs.md
 - name: ADMX_DigitalLocker
 href: policy-csp-admx-digitallocker.md
+ - name: ADMX_DiskDiagnostic
+ href: policy-csp-admx-diskdiagnostic.md
 - name: ADMX_DistributedLinkTracking
 href: policy-csp-admx-distributedlinktracking.md
 - name: ADMX_DnsClient
@@ -480,7 +478,7 @@ items:
 - name: ADMX_Explorer
 href: policy-csp-admx-explorer.md
 - name: ADMX_ExternalBoot
- href: policy-csp-admx-externalboot.md
+ href: policy-csp-admx-externalboot.md
 - name: ADMX_FileRecovery
 href: policy-csp-admx-filerecovery.md
 - name: ADMX_FileRevocation
@@ -503,10 +501,14 @@ items:
 href: policy-csp-admx-help.md
 - name: ADMX_HelpAndSupport
 href: policy-csp-admx-helpandsupport.md
+ - name: ADMX_HotSpotAuth
+ href: policy-csp-admx-hotspotauth.md
 - name: ADMX_ICM
 href: policy-csp-admx-icm.md
 - name: ADMX_IIS
- href: policy-csp-admx-iis.md
+ href: policy-csp-admx-iis.md
+ - name: ADMX_iSCSI
+ href: policy-csp-admx-iscsi.md
 - name: ADMX_kdc
 href: policy-csp-admx-kdc.md
 - name: ADMX_Kerberos
@@ -519,6 +521,8 @@ items:
 href: policy-csp-admx-leakdiagnostic.md
 - name: ADMX_LinkLayerTopologyDiscovery
 href: policy-csp-admx-linklayertopologydiscovery.md
+ - name: ADMX_LocationProviderAdm
+ href: policy-csp-admx-locationprovideradm.md
 - name: ADMX_Logon
 href: policy-csp-admx-logon.md
 - name: ADMX_MicrosoftDefenderAntivirus
@@ -527,6 +531,10 @@ items:
 href: policy-csp-admx-mmc.md
 - name: ADMX_MMCSnapins
 href: policy-csp-admx-mmcsnapins.md
+ - name: ADMX_MobilePCMobilityCenter
+ href: policy-csp-admx-mobilepcmobilitycenter.md
+ - name: ADMX_MobilePCPresentationSettings
+ href: policy-csp-admx-mobilepcpresentationsettings.md
 - name: ADMX_MSAPolicy
 href: policy-csp-admx-msapolicy.md
 - name: ADMX_msched
@@ -535,6 +543,8 @@ items:
 href: policy-csp-admx-msdt.md
 - name: ADMX_MSI
 href: policy-csp-admx-msi.md
+ - name: ADMX_MsiFileRecovery
+ href: policy-csp-admx-msifilerecovery.md
 - name: ADMX_nca
 href: policy-csp-admx-nca.md
 - name: ADMX_NCSI
@@ -545,14 +555,20 @@ items:
 href: policy-csp-admx-networkconnections.md
 - name: ADMX_OfflineFiles
 href: policy-csp-admx-offlinefiles.md
+ - name: ADMX_pca
+ href: policy-csp-admx-pca.md
 - name: ADMX_PeerToPeerCaching
 href: policy-csp-admx-peertopeercaching.md
+ - name: ADMX_PenTraining
+ href: policy-csp-admx-pentraining.md
 - name: ADMX_PerformanceDiagnostics
 href: policy-csp-admx-performancediagnostics.md
 - name: ADMX_Power
 href: policy-csp-admx-power.md
 - name: ADMX_PowerShellExecutionPolicy
 href: policy-csp-admx-powershellexecutionpolicy.md
+ - name: ADMX_PreviousVersions
+ href: policy-csp-admx-previousversions.md
 - name: ADMX_Printing
 href: policy-csp-admx-printing.md
 - name: ADMX_Printing2
@@ -571,10 +587,14 @@ items:
 href: policy-csp-admx-scripts.md
 - name: ADMX_sdiageng
 href: policy-csp-admx-sdiageng.md
+ - name: ADMX_sdiagschd
+ href: policy-csp-admx-sdiagschd.md
 - name: ADMX_Securitycenter
 href: policy-csp-admx-securitycenter.md
 - name: ADMX_Sensors
 href: policy-csp-admx-sensors.md
+ - name: ADMX_ServerManager
+ href: policy-csp-admx-servermanager.md
 - name: ADMX_Servicing
 href: policy-csp-admx-servicing.md
 - name: ADMX_SettingSync
@@ -584,9 +604,7 @@ items:
 - name: ADMX_Sharing
 href: policy-csp-admx-sharing.md
 - name: ADMX_ShellCommandPromptRegEditTools
- href: policy-csp-admx-shellcommandpromptregedittools.md
- - name: ADMX_SkyDrive
- href: policy-csp-admx-skydrive.md
+ href: policy-csp-admx-shellcommandpromptregedittools.md
 - name: ADMX_Smartcard
 href: policy-csp-admx-smartcard.md
 - name: ADMX_Snmp
@@ -595,12 +613,18 @@ items:
 href: policy-csp-admx-startmenu.md
 - name: ADMX_SystemRestore
 href: policy-csp-admx-systemrestore.md
+ - name: ADMX_TabletShell
+ href: policy-csp-admx-tabletshell.md
 - name: ADMX_Taskbar
 href: policy-csp-admx-taskbar.md
 - name: ADMX_tcpip
 href: policy-csp-admx-tcpip.md
+ - name: ADMX_TerminalServer
+ href: policy-csp-admx-terminalserver.md
 - name: ADMX_Thumbnails
 href: policy-csp-admx-thumbnails.md
+ - name: ADMX_TouchInput
+ href: policy-csp-admx-touchinput.md
 - name: ADMX_TPM
 href: policy-csp-admx-tpm.md
 - name: ADMX_UserExperienceVirtualization
@@ -611,16 +635,14 @@ items:
 href: policy-csp-admx-w32time.md
 - name: ADMX_WCM
 href: policy-csp-admx-wcm.md
+ - name: ADMX_WDI
+ href: policy-csp-admx-wdi.md
 - name: ADMX_WinCal
 href: policy-csp-admx-wincal.md
- - name: ADMX_WindowsAnytimeUpgrade
- href: policy-csp-admx-windowsanytimeupgrade.md
 - name: ADMX_WindowsConnectNow
 href: policy-csp-admx-windowsconnectnow.md
 - name: ADMX_WindowsExplorer
 href: policy-csp-admx-windowsexplorer.md
- - name: ADMX_WindowsFileProtection
- href: policy-csp-admx-windowsfileprotection.md
 - name: ADMX_WindowsMediaDRM
 href: policy-csp-admx-windowsmediadrm.md
 - name: ADMX_WindowsMediaPlayer
@@ -637,6 +659,10 @@ items:
 href: policy-csp-admx-winsrv.md
 - name: ADMX_wlansvc
 href: policy-csp-admx-wlansvc.md
+ - name: ADMX_WordWheel
+ href: policy-csp-admx-wordwheel.md
+ - name: ADMX_WorkFoldersClient
+ href: policy-csp-admx-workfoldersclient.md
 - name: ADMX_WPN
 href: policy-csp-admx-wpn.md
 - name: ApplicationDefaults
@@ -713,6 +739,8 @@ items:
 href: policy-csp-experience.md
 - name: ExploitGuard
 href: policy-csp-exploitguard.md
+ - name: Feeds
+ href: policy-csp-feeds.md
 - name: FileExplorer
 href: policy-csp-fileexplorer.md
 - name: Games
diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md
index 4550b1717b..a0be6b4e19 100644
--- a/windows/client-management/mdm/understanding-admx-backed-policies.md
+++ b/windows/client-management/mdm/understanding-admx-backed-policies.md
@@ -19,7 +19,7 @@ Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy confi ## Background -In addition to standard MDM policies, the Policy CSP can also handle selected set of ADMX policies. In an ADMX policy, an administrative template contains the metadata of a Window Group Policy and can be edited in the Local Group Policy Editor on a PC. Each administrative template specifies the registry keys (and their values) that are associated with a Group Policy and defines the policy settings that can be managed. Administrative templates organize Group Policies in a hierarchy in which each segment in the hierarchical path is defined as a category. Each setting in a Group Policy administrative template corresponds to a specific registry value. These Group Policy settings are defined in a standards-based, XML file format known as an ADMX file. For more information, see [Group Policy ADMX Syntax Reference Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753471(v=ws.10)). +In addition to standard MDM policies, the Policy CSP can also handle selected set of ADMX policies. In an ADMX policy, an administrative template contains the metadata of a Windows Group Policy and can be edited in the Local Group Policy Editor on a PC. Each administrative template specifies the registry keys (and their values) that are associated with a Group Policy and defines the policy settings that can be managed. Administrative templates organize Group Policies in a hierarchy in which each segment in the hierarchical path is defined as a category. Each setting in a Group Policy administrative template corresponds to a specific registry value. These Group Policy settings are defined in a standards-based, XML file format known as an ADMX file. For more information, see [Group Policy ADMX Syntax Reference Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753471(v=ws.10)). 
ADMX files can either describe operating system (OS) Group Policies that are shipped with Windows or they can describe settings of applications, which are separate from the OS and can usually be downloaded and installed on a PC. Depending on the specific category of the settings that they control (OS or application), the administrative template settings are found in the following two locations in the Local Group Policy Editor: diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md index 42a6882673..80121f22ea 100644 --- a/windows/client-management/mdm/vpn-csp.md +++ b/windows/client-management/mdm/vpn-csp.md @@ -23,7 +23,7 @@ The VPN configuration service provider allows the MDM server to configure the VP Important considerations: -- For a VPN that requires a client certificate, the server must first enroll the needed client certificate before deploying a VPN profile to ensure that there is a functional VPN profile at the device. This is particularly critical for forced tunnel VPN. +- For a VPN that requires a client certificate, the server must first enroll the needed client certificate before deploying a VPN profile to ensure that there is a functional VPN profile at the device. This is critical for forced tunnel VPN. - VPN configuration commands must be wrapped with an Atomic command as shown in the example below. 
@@ -31,9 +31,61 @@ Important considerations: - For the VPN CSP, you cannot use the Replace command unless the node already exists. -The following diagram shows the VPN configuration service provider in tree format. +The following shows the VPN configuration service provider in tree format. -![provisioning\-csp\-vpnimg.](images/provisioning-csp-vpn.png) +```console +./Vendor/MSFT +VPN +-----ProfileName +---------Server +---------TunnelType +---------ThirdParty +-------------Name +-------------AppID +-------------CustomStoreURL +-------------CustomConfiguration +---------RoleGroup +---------Authentication +-------------Method +-------------Certificate +---------------Issuer +---------------EKU +---------------CacheLifeTimeProtectedCert +-------------MultiAuth +---------------StartURL +---------------EndURL +-------------EAP +---------Proxy +-------------Automatic +-------------Manual +---------------Server +---------------Port +-------------BypassProxyforLocal +---------SecuredResources +-------------AppPublisherNameList +---------------AppPublisherName +-------------AppAllowedList +---------------AppAllowedList +-------------NetworkAllowedList +---------------NetworkAllowedList +-------------NameSapceAllowedList +---------------NameSapceAllowedList +-------------ExcudedAppList +---------------ExcudedAppList +-------------ExcludedNetworkList +---------------ExcludedNetworkList +-------------ExcludedNameSpaceList +---------------ExcludedNameSpaceList +-------------DNSSuffixSearchList +---------------DNSSuffixSearchList +---------Policies +-------------RememberCredentials +-------------SplitTunnel +-------------BypassforLocal +-------------TrustedNetworkDetection +-------------ConnectionType +---------DNSSuffix +``` ***ProfileName*** Unique alpha numeric Identifier for the profile. The profile name must not include a forward slash (/). 
@@ -48,12 +100,12 @@ Supported operations are Get, Add, and Replace. Value type is chr. Some examples are 208.23.45.130 or vpn.contoso.com. **TunnelType** -Optional, but required when deploying a 3rd party IKEv2 VPN profile. Only a value of IKEv2 is supported for this release. +Optional, but required when deploying a third-party IKEv2 VPN profile. Only a value of IKEv2 is supported for this release. Value type is chr. Supported operations are Get and Add. **ThirdParty** -Optional, but required if deploying 3rd party SSL-VPN plugin profile. Defines a group of setting applied to SSL-VPN profile provisioning. +Optional, but required if deploying third-party SSL-VPN plugin profile. Defines a group of setting applied to SSL-VPN profile provisioning. Supported operations are Get and Add. 
@@ -73,17 +125,17 @@ Valid values: - Checkpoint Mobile VPN **ThirdParty/AppID** -Optional, but required when deploying a 3rd party SSL-VPN plugin app from a private enterprise storefront. This is the ProductID associated with the store application. The client will use this ProductID to ensure that only the enterprise approved plugin is initialized. +Optional, but required when deploying a third-party SSL-VPN plugin app from a private enterprise storefront. This is the ProductID associated with the store application. The client will use this ProductID to ensure that only the enterprise approved plugin is initialized. Value type is chr. Supported operations are Get, Add, Replace, and Delete. **ThirdParty/CustomStoreURL** -Optional, but required if an enterprise is deploying a 3rd party SSL-VPN plugin app from the private enterprise storefront. This node specifies the URL of the 3rd party SSL-VPN plugin app. +Optional, but required if an enterprise is deploying a third-party SSL-VPN plugin app from the private enterprise storefront. This node specifies the URL of the third-party SSL-VPN plugin app. Value type is chr. Supported operations are Get, Add, Replace, and Delete. **ThirdParty/CustomConfiguration** -Optional. This is an HTML encoded XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins. +Optional. This is an HTML encoded XML blob for SSL-VPN plugin-specific configuration that is deployed to the device to make it available for SSL-VPN plugins. Value type is char. Supported operations are Get, Add, Replace, and Delete. 
@@ -98,7 +150,7 @@ Optional node for ThirdParty VPN profiles, but required for IKEv2. This is a col Supported operations are Get and Add. **Authentication/Method** -Required for IKEv2 profiles and optional for third party profiles. This specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles. +Required for IKEv2 profiles and optional for third-party profiles. This specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles. Supported operations are Get and Add. @@ -114,7 +166,7 @@ Optional node. A collection of nodes that enables simpler authentication experie Supported operations are Get and Add. **Authentication/Certificate/Issuer** -Optional. Filters out the installed certificates with private keys stored in registry or TPM. This can be used in conjunction with EKU for more granular filtering. +Optional. Filters out the installed certificates with private keys stored in registry or TPM. This can be used with EKU for more granular filtering. Value type is chr. Supported operations are Get, Add, Delete, and Replace. @@ -123,7 +175,7 @@ Value type is chr. Supported operations are Get, Add, Delete, and Replace.   **Authentication/Certificate/EKU** -Optional. This Extended Key Usage (EKU) element is used to filter out the installed certificates with private keys stored in the registry or TPM. You can use this in conjunction with ISSUER for a more granular filtering. +Optional. This Extended Key Usage (EKU) element is used to filter out the installed certificates with private keys stored in the registry or TPM. You can use this with ISSUER for a more granular filtering. Value type is chr. Supported operations are Get, Add, Delete, and Replace. 
@@ -175,16 +227,16 @@ Default is False. Optional node. A collection of configuration objects that define the inclusion resource lists for what can be secured over VPN. Allowed lists are applied only when Policies/SplitTunnel element is set to True. VPN exclusions are not supported.. **SecuredResources/AppAllowedList/AppAllowedList** -Optional. Specifies one or more ProductIDs for the enterprise line of business applications built for Windows. When this element is defined, then all traffic sourced from specified apps will be secured over VPN (assuming protected networks defined allows access). They will not be able to connect directly bypassing the VPN connection. When the profile is auto-triggered, VPN is triggered automatically by these apps. +Optional. Specifies one or more ProductIDs for the enterprise line-of-business applications built for Windows. When this element is defined, then all traffic sourced from specified apps will be secured over VPN (assuming protected networks defined allows access). They will not be able to connect directly bypassing the VPN connection. When the profile is autotriggered, VPN is triggered automatically by these apps. -Supported operations are Get, Add, Replace and Delete. +Supported operations are Get, Add, Replace, and Delete. Value type is chr. Examples are {F05DC613-E223-40AD-ABA9-CCCE04277CD9} and ContosoApp.ContosoCorp\_jlsnulm3s397u. **SecuredResources/NetworkAllowedList/NetworkAllowedList** -Optional, but required when Policies/SplitTunnel is set to true for IKEv2 profile. Specifies one or more IP ranges that you want secured over VPN. Applications connecting to protected resources that match this list will be secured over VPN. Otherwise, they’ll continue to connect directly. The IP ranges are defined in the format 10.0.0.0/8. When the profile is auto-triggered, the VPN is triggered automatically by these protected networks. +Optional, but required when Policies/SplitTunnel is set to true for IKEv2 profile. 
Specifies one or more IP ranges that you want secured over VPN. Applications connecting to protected resources that match this list will be secured over VPN. Otherwise, they’ll continue to connect directly. The IP ranges are defined in the format 10.0.0.0/8. When the profile is autotriggered, the VPN is triggered automatically by these protected networks. Supported operations are Get, Add, Replace, and Delete. @@ -202,7 +254,7 @@ Value type is chr. An example is \*.corp.contoso.com. **SecuredResources/ExcluddedAppList/ExcludedAppList** -Optional. Specifies one or more ProductIDs for enterprise line of business applications built for Windows. When the element is defined, these apps will never use VPN. They will connect directly and bypass the VPN connection. +Optional. Specifies one or more ProductIDs for enterprise line-of-business applications built for Windows. When the element is defined, these apps will never use VPN. They will connect directly and bypass the VPN connection. Supported operations are Get, Add, Replace, and Delete. diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 1fed240483..87588a2a0e 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -9,7 +9,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 10/30/2020 +ms.date: 09/21/2021 --- # VPNv2 CSP 
@@ -591,7 +591,7 @@ Valid values: - True = Register the connection's addresses in DNS. **VPNv2/**ProfileName**/DnsSuffix** -Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. +Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. Windows has a limit of 50 DNS suffixes that can be set. Windows name resolution will apply each suffix in order. Long DNS suffix lists may impact performance. Value type is chr. Supported operations include Get, Add, Replace, and Delete. diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index e7321b1888..de649eb77b 100644 --- a/windows/client-management/mdm/w4-application-csp.md +++ b/windows/client-management/mdm/w4-application-csp.md @@ -21,11 +21,17 @@ The default security roles are defined in the root characteristic, and map to ea > **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_W4\_APPLICATION capabilities to be accessed from a network configuration application. -  +The following shows the configuration service provider in tree format as used by OMA Client Provisioning. -The following diagram shows the configuration service provider in tree format as used by OMA Client Provisioning. - -![w4 application csp (cp).](images/provisioning-csp-w4-application-cp.png) +```console +APPLICATION +----APPID +----NAME +----TO-PROXY +----TO-NAPID +----ADDR +----MS +``` **APPID** Required. This parameter takes a string value. The only supported value for configuring MMS is "w4". 
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index 7aaa801796..7745749716 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md @@ -19,11 +19,37 @@ The APPLICATION configuration service provider that has an APPID of w7 is used f > **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. -  -The following image shows the configuration service provider in tree format as used by OMA Client Provisioning. +The following shows the configuration service provider in tree format as used by OMA Client Provisioning. -![w7 application csp (dm).](images/provisioning-csp-w7-application-dm.png) +```console +APPLICATION +---APPADDR +------ADDR +------ADDRTYPE +------PORT +---------PORTNBR +---APPAUTH +------AAUTHDATA +------AAUTHLEVEL +------AAUTHNAME +------AAUTHSECRET +------AAUTHTYPE +---AppID +---BACKCOMPATRETRYDISABLED +---CONNRETRYFREQ +---DEFAULTENCODING +---INIT +---INITIALBACKOFTIME +---MAXBACKOFTIME +---NAME +---PROTOVER +---PROVIDER-ID +---ROLE +---TO-NAPID +---USEHWDEVID +---SSLCLIENTCERTSEARCHCRITERIA +``` > **Note**   All parm names and characteristic types are case sensitive and must use all uppercase. Both APPSRV and CLIENT credentials must be provided in provisioning XML. diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index e867ae66ef..e6864ea72c 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md 
@@ -29,9 +29,22 @@ Programming considerations: - For the WiFi CSP, you cannot use the Replace command unless the node already exists. - Using Proxyis only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) will result in failure. -The following image shows the WiFi configuration service provider in tree format. +The following shows the WiFi configuration service provider in tree format. + +```console +./Device/Vendor/MSFT +or +./User/Vendor/MSFT +WiFi +---Profile +------SSID +---------WlanXML +---------Proxy +---------ProxyPacUrl +---------ProxyWPAD +---------WiFiCost +``` -![wi-fi csp diagram.](images/provisioning-csp-wifi.png) The following list shows the characteristics and parameters. diff --git a/windows/client-management/mdm/windows-mdm-enterprise-settings.md b/windows/client-management/mdm/windows-mdm-enterprise-settings.md index e5e7511669..bb12be25b3 100644 --- a/windows/client-management/mdm/windows-mdm-enterprise-settings.md +++ b/windows/client-management/mdm/windows-mdm-enterprise-settings.md 
@@ -12,12 +12,12 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 06/26/2017 +ms.date: 11/02/2021 --- # Enterprise settings, policies, and app management -The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526). +The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/OMA-TS-DM_Protocol-V1_2-20070209-A.pdf). Windows currently supports one MDM server. The DM client that is configured via the enrollment process is granted access to enterprise related settings. Enterprise MDM settings are exposed via various configuration service providers to the DM client. For the list of available configuration service providers, see [Configuration service provider reference](configuration-service-provider-reference.md). diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index 4f22b0b48c..bba543313e 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md 
@@ -17,9 +17,25 @@ ms.date: 11/01/2017 The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP. -The following diagram shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). +The following shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). -![windowsadvancedthreatprotection csp diagram.](images/provisioning-csp-watp.png) +```console +./Device/Vendor/MSFT +WindowsAdvancedThreatProtection +----Onboarding +----HealthState +--------LastConnected +--------SenseIsRunning +--------OnboardingState +--------OrgId +----Configuration +--------SampleSharing +--------TelemetryReportingFrequency +----Offboarding +----DeviceTagging +--------Group +--------Criticality +``` The following list describes the characteristics and parameters. diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index 468313fb87..cc5b2bff12 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -5,8 +5,8 @@ ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman -ms.date: 07/07/2020 +author: dansimp +ms.date: 11/02/2021 ms.reviewer: manager: dansimp --- 
@@ -50,8 +50,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. The following list shows the supported values: - 0 - Disable Microsoft Defender Application Guard - 1 - Enable Microsoft Defender Application Guard for Microsoft Edge ONLY -- 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY -- 3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments +- 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY (added in Windows 10, version 2004) +- 3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments (added in Windows 10, version 2004) **Settings/ClipboardFileType** Determines the type of content that can be copied from the host to Application Guard environment and vice versa. @@ -266,7 +266,7 @@ ADMX Info: **Status** -Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. +Returns bitmask that indicates status of Application Guard installation for Microsoft Edge and prerequisites on the device. Value type is integer. Supported operation is Get. 
@@ -275,11 +275,13 @@ Value type is integer. Supported operation is Get.
 - Bit 2 - Set to 1 when the client machine has a valid OS license and SKU.
 - Bit 3 - Set to 1 when Application Guard installed on the client machine.
 - Bit 4 - Set to 1 when required Network Isolation Policies are configured.
+ > [!IMPORTANT]
+ > If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge.
 - Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
-- Bit 6 - Set to 1 when system reboot is required.
+- Bit 6 - Set to 1 when system reboot is required.
 **PlatformStatus**
-Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device.
+Added in Windows 10, version 2004. Applies to Microsoft Office/Generic platform. Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device.
 Value type is integer. Supported operation is Get.
diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
index 2fe71b5e76..7dfbe89239 100644
--- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md
+++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
@@ -86,19 +86,19 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
 MDM_BrowserSecurityZones
-cross mark
+Yes
 MDM_BrowserSettings
-cross mark
+Yes
 MDM_Certificate
-cross mark
+Yes
 MDM_CertificateEnrollment
-cross mark
+Yes
 MDM_Client
@@ -106,7 +106,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
 MDM_ConfigSetting
-cross mark
+Yes
 MDM_DeviceRegistrationInfo
@@ -114,11 +114,11 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
 MDM_EASPolicy
-cross mark
+Yes
 MDM_MgMtAuthority
-cross mark
+Yes
 MDM_MsiApplication
@@ -138,7 +138,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
 MDM_Restrictions
-cross mark
+Yes
 MDM_RestrictionsUser
@@ -146,7 +146,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
 MDM_SecurityStatus
-cross mark
+Yes
 MDM_SideLoader
@@ -158,11 +158,11 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
 MDM_Updates
-cross mark
+Yes
 MDM_VpnApplicationTrigger
-cross mark
+Yes
 MDM_VpnConnection
@@ -174,27 +174,27 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
 MDM_WirelessProfile
-cross mark
+Yes
 MDM_WirelesssProfileXML
-cross mark
+Yes
 MDM_WNSChannel
-cross mark
+Yes
 MDM_WNSConfiguration
-cross mark
+Yes
 MSFT_NetFirewallProfile
-cross mark
+Yes
 MSFT_VpnConnection
-cross mark
+Yes
 SoftwareLicensingProduct
@@ -213,16 +213,16 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw | Class | Test completed in Windows 10 for desktop | |--------------------------------------------------------------------------|------------------------------------------| -| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | +| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | | [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | | -| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | -| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) | +| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| 
[**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | 
@@ -232,17 +232,17 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
 |--------------------------------------------------------------------------|------------------------------------------|
 [**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) |
 [**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) |
-[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | ![cross mark.](images/checkmark.png)
-[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | ![cross mark.](images/checkmark.png)
+[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | Yes
+[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | Yes
 [**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) |
-[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | ![cross mark.](images/checkmark.png)
-[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | ![cross mark.](images/checkmark.png)
-[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | ![cross mark.](images/checkmark.png)
+[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | Yes
+[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | Yes
+[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | Yes
 [**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) |
-[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |![cross mark.](images/checkmark.png)
-[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | ![cross mark.](images/checkmark.png)
+[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |Yes
+[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | Yes
 [**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) |
-[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | ![cross mark.](images/checkmark.png)
+[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | Yes
 [**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) |
 [**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) |
 [**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) |
@@ -252,23 +252,23 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
 [**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) |
 [**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) |
 [**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) |
-[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | ![cross mark.](images/checkmark.png)
+[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | Yes
 [**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) |
-[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | ![cross mark.](images/checkmark.png)
+[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | Yes
 [**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) |
-[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | ![cross mark.](images/checkmark.png)
+[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | Yes
 [**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) |
 [**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) |
 [**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) |
 [**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) |
 [**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) |
-[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | ![cross mark.](images/checkmark.png)
+[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | Yes
 [**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) |
 [**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) |
 [**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) |
 [**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) |
 [**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) |
-[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | ![cross mark.](images/checkmark.png)
+[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | Yes
 [**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) |
 [**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) |
 [**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) |
@@ -277,25 +277,25 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw [**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) | [**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) | [**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) | -[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | ![cross mark.](images/checkmark.png) -[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | ![cross mark.](images/checkmark.png) +[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | Yes +[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | Yes [**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) | [**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) | [**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) | [**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) | [**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) | -[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | ![cross mark.](images/checkmark.png) -[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | ![cross mark.](images/checkmark.png) +[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | Yes +[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | Yes [**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) | [**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) | -[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | ![cross mark.](images/checkmark.png) +[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | Yes [**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) | -[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | ![cross 
mark.](images/checkmark.png) +[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | Yes [**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) | -[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | ![cross mark.](images/checkmark.png) +[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | Yes [**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) | [**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) | -[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | ![cross mark.](images/checkmark.png) +[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | Yes [**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) | **Win32\_WindowsUpdateAgentVersion** | diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index 3e8eeea8a1..1267dad41f 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md 
@@ -39,7 +39,7 @@ You can view the dynamic port range on a computer by using the following netsh c
 The range is set separately for each transport (TCP or UDP). The port range is now a range that has a starting point and an ending point. Microsoft customers who deploy servers that are running Windows Server may have problems that affect RPC communication between servers if firewalls are used on the internal network. In these situations, we recommend that you reconfigure the firewalls to allow traffic between servers in the dynamic port range of **49152** through **65535**. This range is in addition to well-known ports that are used by services and applications. Or, the port range that is used by the servers can be modified on each server. You adjust this range by using the netsh command, as follows. The above command sets the dynamic port range for TCP.
-```cmd
+```console
 netsh int set dynamic start=number num=range
 ```
@@ -58,7 +58,7 @@ Since outbound connections start to fail, you will see a lot of the below behavi
 - Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work.
- ![Screenshot of error for NETLOGON in Event Viewer.](images/tcp-ts-14.png)
+ :::image type="content" alt-text="Screenshot of error for NETLOGON in Event Viewer." source="images/tcp-ts-14.png" lightbox="images/tcp-ts-14.png":::
 - Group Policy update failures:
@@ -82,32 +82,32 @@ If you suspect that the machine is in a state of port exhaustion: 2. Open event viewer and under the system logs, look for the events which clearly indicate the current state: - a. **Event ID 4227** + 1. **Event ID 4227** - ![Screenshot of event id 4227 in Event Viewer.](images/tcp-ts-18.png) + :::image type="content" alt-text="Screenshot of event ID 4227 in Event Viewer." source="images/tcp-ts-18.png" lightbox="images/tcp-ts-18.png"::: - b. **Event ID 4231** + 1. **Event ID 4231** - ![Screenshot of event id 4231 in Event Viewer.](images/tcp-ts-19.png) + :::image type="content" alt-text="Screenshot of event ID 4231 in Event Viewer." source="images/tcp-ts-19.png" lightbox="images/tcp-ts-19.png"::: 3. Collect a `netstat -anob` output from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID. ![Screenshot of netstate command output.](images/tcp-ts-20.png) -After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state. - -You may also see CLOSE_WAIT state connections in the same output, however CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion. - ->[!Note] ->Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion. 
-> ->Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports. -> ->Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more. + After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state. + + You may also see CLOSE_WAIT state connections in the same output, however CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion. + + >[!Note] + >Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion. + > + >Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. 
An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports. + > + >Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more. 4. Open a command prompt in admin mode and run the below command - ```cmd + ```console Netsh trace start scenario=netconnection capture=yes tracefile=c:\Server.etl ``` 
@@ -119,15 +119,15 @@ The key is to identify which process or application is using all the ports. Belo
 ### Method 1
-Start by looking at the netstat output. If you are using Windows 10 or Windows Server 2016, then you can run the command `netstat -anobq` and check for the process ID which has maximum entries as BOUND. Alternately, you can also run the below Powershell command to identify the process:
+Start by looking at the netstat output. If you are using Windows 10 or Windows Server 2016, then you can run the command `netstat -anobq` and check for the process ID which has maximum entries as BOUND. Alternately, you can also run the below PowerShell command to identify the process:
-```Powershell
+```powershell
 Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending
 ```
 Most port leaks are caused by user-mode processes not correctly closing the ports when an error was encountered. At the user-mode level ports (actually sockets) are handles. Both **TaskManager** and **ProcessExplorer** are able to display handle counts which allows you to identify which process is consuming all of the ports.
-For Windows 7 and Windows Server 2008 R2, you can update your Powershell version to include the above cmdlet.
+For Windows 7 and Windows Server 2008 R2, you can update your PowerShell version to include the above cmdlet.
 ### Method 2
@@ -157,7 +157,7 @@ Steps to use Process explorer:
 File \Device\AFD
- ![Screenshot of Process Explorer.](images/tcp-ts-22.png)
+ :::image type="content" alt-text="Screenshot of Process Explorer." source="images/tcp-ts-22.png" lightbox="images/tcp-ts-22.png":::
 10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app.
@@ -165,7 +165,7 @@ Finally, if the above methods did not help you isolate the process, we suggest y
 As a workaround, rebooting the computer will get the it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands:
-```cmd
+```console
 netsh int ipv4 set dynamicport tcp start=10000 num=1000
 ```
@@ -176,7 +176,7 @@ This will set the dynamic port range to start at port 10000 and to end at port 1
 For Windows 7 and Windows Server 2008 R2, you can use the below script to collect the netstat output at defined frequency. From the outputs, you can see the port usage trend.
-```
+```console
 @ECHO ON
 set v=%1
 :loop
@@ -195,5 +195,5 @@ goto loop ## Useful links - [Port Exhaustion and You!](/archive/blogs/askds/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend) - this article gives a detail on netstat states and how you can use netstat output to determine the port status +- [Detecting ephemeral port exhaustion](/archive/blogs/yongrhee/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10 and Windows 11) -- [Detecting ephemeral port exhaustion](/archive/blogs/yongrhee/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10, and Windows 11) diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml index 90c2e725ed..24868ba91e 100644 --- a/windows/configuration/TOC.yml +++ b/windows/configuration/TOC.yml @@ -4,10 +4,18 @@ items: - name: Windows 11 items: - - name: Start menu layout - href: customize-start-menu-layout-windows-11.md - - name: Supported Start menu CSPs - href: supported-csp-start-menu-layout-windows.md + - name: Start menu + items: + - name: Customize Start menu layout + href: customize-start-menu-layout-windows-11.md + - name: Supported Start menu CSPs + href: supported-csp-start-menu-layout-windows.md + - name: Taskbar + items: + - name: Customize Taskbar + href: customize-taskbar-windows-11.md + - name: Supported Taskbar CSPs + href: supported-csp-taskbar-windows.md - name: Windows 10 Start and taskbar items: - name: Start layout and taskbar 
@@ -54,16 +62,14 @@ href: kiosk-methods.md - name: Prepare a device for kiosk configuration href: kiosk-prepare.md - - name: Set up digital signs on Windows 10 + - name: Set up digital signs href: setup-digital-signage.md - name: Set up a single-app kiosk href: kiosk-single-app.md - name: Set up a multi-app kiosk href: lock-down-windows-10-to-specific-apps.md - - name: Set up a shared or guest PC with Windows 10 + - name: Set up a shared or guest PC href: set-up-shared-or-guest-pc.md - - name: Set up a kiosk on Windows 10 Mobile - href: mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md - name: Kiosk reference information items: - name: More kiosk methods and reference information @@ -80,9 +86,9 @@ href: kiosk-xml.md - name: Use AppLocker to create a Windows 10 kiosk href: lock-down-windows-10-applocker.md - - name: Use Shell Launcher to create a Windows 10 kiosk + - name: Use Shell Launcher to create a Windows client kiosk href: kiosk-shelllauncher.md - - name: Use MDM Bridge WMI Provider to create a Windows 10 kiosk + - name: Use MDM Bridge WMI Provider to create a Windows client kiosk href: kiosk-mdm-bridge.md - name: Troubleshoot kiosk mode issues href: kiosk-troubleshoot.md @@ -90,9 +96,9 @@ - name: Use provisioning packages items: - - name: Provisioning packages for Windows 10 + - name: Provisioning packages for Windows client href: provisioning-packages/provisioning-packages.md - - name: How provisioning works in Windows 10 + - name: How provisioning works in Windows client href: provisioning-packages/provisioning-how-it-works.md - name: Introduction to configuration service providers (CSPs) href: provisioning-packages/how-it-pros-can-use-configuration-service-providers.md 
@@ -112,7 +118,7 @@ href: provisioning-packages/provisioning-script-to-install-app.md - name: Create a provisioning package with multivariant settings href: provisioning-packages/provisioning-multivariant.md - - name: PowerShell cmdlets for provisioning Windows 10 (reference) + - name: PowerShell cmdlets for provisioning Windows client (reference) href: provisioning-packages/provisioning-powershell.md - name: Windows Configuration Designer command-line interface (reference) href: provisioning-packages/provisioning-command-line.md @@ -170,8 +176,6 @@ - name: Reference items: - - name: Configure Windows 10 Mobile devices - href: mobile-devices/configure-mobile.md - name: Windows Configuration Designer reference items: - name: Windows Configuration Designer provisioning settings (reference) @@ -186,14 +190,8 @@ href: wcd/wcd-admxingestion.md - name: AssignedAccess href: wcd/wcd-assignedaccess.md - - name: AutomaticTime - href: wcd/wcd-automatictime.md - name: Browser href: wcd/wcd-browser.md - - name: CallAndMessagingEnhancement - href: wcd/wcd-callandmessagingenhancement.md - - name: Calling - href: wcd/wcd-calling.md - name: CellCore href: wcd/wcd-cellcore.md - name: Cellular @@ -214,8 +212,6 @@ href: wcd/wcd-developersetup.md - name: DeviceFormFactor href: wcd/wcd-deviceformfactor.md - - name: DeviceInfo - href: wcd/wcd-deviceinfo.md - name: DeviceManagement href: wcd/wcd-devicemanagement.md - name: DeviceUpdateCenter @@ -223,9 +219,7 @@ - name: DMClient href: wcd/wcd-dmclient.md - name: EditionUpgrade - href: wcd/wcd-editionupgrade.md - - name: EmbeddedLockdownProfiles - href: wcd/wcd-embeddedlockdownprofiles.md + href: wcd/wcd-editionupgrade.md - name: FirewallConfiguration href: wcd/wcd-firewallconfiguration.md - name: FirstExperience 
@@ -234,10 +228,6 @@ href: wcd/wcd-folders.md - name: HotSpot href: wcd/wcd-hotspot.md - - name: InitialSetup - href: wcd/wcd-initialsetup.md - - name: InternetExplorer - href: wcd/wcd-internetexplorer.md - name: KioskBrowser href: wcd/wcd-kioskbrowser.md - name: Licensing @@ -245,23 +235,13 @@ - name: Location href: wcd/wcd-location.md - name: Maps - href: wcd/wcd-maps.md - - name: Messaging - href: wcd/wcd-messaging.md - - name: ModemConfigurations - href: wcd/wcd-modemconfigurations.md - - name: Multivariant - href: wcd/wcd-multivariant.md + href: wcd/wcd-maps.md - name: NetworkProxy href: wcd/wcd-networkproxy.md - name: NetworkQOSPolicy - href: wcd/wcd-networkqospolicy.md - - name: NFC - href: wcd/wcd-nfc.md + href: wcd/wcd-networkqospolicy.md - name: OOBE - href: wcd/wcd-oobe.md - - name: OtherAssets - href: wcd/wcd-otherassets.md + href: wcd/wcd-oobe.md - name: Personalization href: wcd/wcd-personalization.md - name: Policies @@ -269,13 +249,9 @@ - name: Privacy href: wcd/wcd-privacy.md - name: ProvisioningCommands - href: wcd/wcd-provisioningcommands.md - - name: RcsPresence - href: wcd/wcd-rcspresence.md + href: wcd/wcd-provisioningcommands.md - name: SharedPC - href: wcd/wcd-sharedpc.md - - name: Shell - href: wcd/wcd-shell.md + href: wcd/wcd-sharedpc.md - name: SMISettings href: wcd/wcd-smisettings.md - name: Start @@ -291,11 +267,7 @@ - name: TabletMode href: wcd/wcd-tabletmode.md - name: TakeATest - href: wcd/wcd-takeatest.md - - name: TextInput - href: wcd/wcd-textinput.md - - name: Theme - href: wcd/wcd-theme.md + href: wcd/wcd-takeatest.md - name: Time href: wcd/wcd-time.md - name: UnifiedWriteFilter 
@@ -383,23 +355,3 @@ href: ue-v/uev-application-template-schema-reference.md - name: Security Considerations for UE-V href: ue-v/uev-security-considerations.md - - - - name: Use Windows Configuration Designer for Windows 10 Mobile devices - items: - - name: Use Windows Configuration Designer to configure Windows 10 Mobile devices - href: mobile-devices/provisioning-configure-mobile.md - - name: NFC-based device provisioning - href: mobile-devices/provisioning-nfc.md - - name: Barcode provisioning and the package splitter tool - href: mobile-devices/provisioning-package-splitter.md - - name: Use the Lockdown Designer app to create a Lockdown XML file - href: mobile-devices/mobile-lockdown-designer.md - - name: Configure Windows 10 Mobile using Lockdown XML - href: mobile-devices/lockdown-xml.md - - name: Settings and quick actions that can be locked down in Windows 10 Mobile - href: mobile-devices/settings-that-can-be-locked-down.md - - name: Product IDs in Windows 10 Mobile - href: mobile-devices/product-ids-in-windows-10-mobile.md - - name: Start layout XML for mobile editions of Windows 10 (reference) - href: mobile-devices/start-layout-xml-mobile.md \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index ac0783dddb..0f58cd49f8 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md 
@@ -17,7 +17,7 @@ ms.author: greglin Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 and Windows 11 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more. -:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Cortana home page example"::: +:::image type="content" source="./images/screenshot1.png" alt-text="Screenshot: Cortana home page example"::: ## Where is Cortana available for use in my organization? @@ -34,7 +34,7 @@ Cortana requires a PC running Windows 10, version 1703 or later, as well as the | Software | Minimum version | |---------|---------| -|Client operating system | Desktop:
                  - Windows 10, version 2004 (recommended)

                  - Windows 10, version 1703 (legacy version of Cortana)

                  Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana)

                  For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. | +|Client operating system | - Windows 10, version 2004 (recommended)

                  - Windows 10, version 1703 (legacy version of Cortana)

                  For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. | |Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn't required. | |Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. | @@ -51,7 +51,7 @@ Cortana's approach to integration with Microsoft 365 has changed with Windows 10 ### Cortana in Windows 10, version 2004 and later, or Windows 11 -Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, or Windows 11, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true). +Cortana enterprise services that can be accessed using Azure AD through Cortana meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true). #### How does Microsoft store, retain, process, and use Customer Data in Cortana? 
@@ -77,7 +77,7 @@ First, the user must enable the wake word from within Cortana settings. Once it The first decision is made by the Windows Multiple Voice Assistant platform leveraging hardware optionally included in the user's PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening. -:::image type="content" source="../screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening"::: +:::image type="content" source="./images/screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening"::: At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service does not confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user's PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md index a43fafd84b..0a26a17390 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md 
@@ -7,46 +7,78 @@ ms.sitesec: library author: greg-lindsay ms.localizationpriority: medium ms.author: greglin -ms.date: 10/05/2017 ms.reviewer: manager: dansimp --- # Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization ->[!NOTE] ->For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) topic, located in the configuration service provider reference topics. +For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). +- **Allow Cortana** + - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana` + - **MDM policy CSP**: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) + - **Description**: Specifies if users can use Cortana. -|**Group policy** |**MDM policy** |**Description** | -|---------|---------|---------| -|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.
                  -> [!IMPORTANT] -> Cortana won’t work if this setting is turned off (disabled). However, on Windows 10, version 1809 and below, employees can still perform local searches even with Cortana turned off. | -|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked.
                  -> [!NOTE] -> Cortana in Windows 10, versions 2004 and later, or Windows 11 do not currently support Above Lock. | -|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice |[Privacy/LetAppsActivateWithVoice](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice) |Specifies whether apps (such as Cortana or other voice assistants) can activate using a wake word (e.g. “Hey Cortana”).
                  -> [!NOTE] -> This setting only applies to Windows 10 versions 2004 and later, or Windows 11. To disable wake word activation on Windows 10 versions 1909 and earlier, you will need to disable voice commands using Privacy/AllowInputPersonalization. | -|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone |[Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps) | Use this to disable Cortana’s access to the microphone. To do so, specify Cortana’s Package Family Name: Microsoft.549981C3F5F10_8wekyb3d8bbwe
                  -Users will still be able to type queries to Cortana. | -|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in your organization.
                  -**In Windows 10, version 1511**
                  Cortana won’t work if this setting is turned off (disabled).
                  **In Windows 10, version 1607 and later**
                  Non-speech aspects of Cortana will still work if this setting is turned off (disabled).
                  **In Windows 10, version 2004 and later**
                  Cortana will work, but voice input will be disabled. | -|None |System/AllowLocation |Specifies whether to allow app access to the Location service.
                  -**In Windows 10, version 1511**
                  Cortana won’t work if this setting is turned off (disabled).
                  -**In Windows 10, version 1607 and later**
                  -Cortana still works if this setting is turned off (disabled).
                  -**In Windows 10, version 2004 and later**
                  -Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11 do not currently use the Location service. | -|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.
                  -Disable this setting if you only want to allow users to sign in with their Azure AD account. | -|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders.
                  -**In Windows 10, version 2004 and later**
                  Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11, do not currently use the Location service. | -|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |Search/DoNotUseWebResults |Specifies whether search can perform queries on the web and if the web results are displayed in search.
                  -**In Windows 10 Pro edition**
                  This setting can’t be managed.
                  -**In Windows 10 Enterprise edition**
                  Cortana won't work if this setting is turned off (disabled).
                  -**In Windows 10, version 2004 and later**
                  This setting no longer affects Cortana.
                  | -|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required.
                  -> [!NOTE] -> This setting only applies to Windows 10 Mobile. Other versions of Windows should use Don't search the web or display web results. | \ No newline at end of file + Cortana won’t work if this setting is turned off (disabled). On Windows 10, version 1809 and below, users can still do local searches, even with Cortana turned off. + +- **AllowCortanaAboveLock** + - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock` + - **MDM policy CSP**: [AboveLock/AllowCortanaAboveLock](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowcortanaabovelock) + - **Description**: Specifies whether users can interact with Cortana using voice commands when the system is locked. + + This setting: + + - Doesn't apply to Windows 10, versions 2004 and later + - Doesn't apply to Windows 11 + +- **LetAppsActivateWithVoice** + - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice` + - **MDM policy CSP**: [Privacy/LetAppsActivateWithVoice](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice) + - **Description**: Specifies if apps, like Cortana or other voice assistants, can activate using a wake word, like “Hey Cortana”. + + This setting applies to: + + - Windows 10 versions 2004 and later + - Windows 11 + + To disable wake word activation on Windows 10 versions 1909 and earlier, disable voice commands using the [Privacy/AllowInputPersonalization CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization). 
+
+- **LetAppsAccessMicrophone**
+ - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone`
+ - **MDM policy CSP**: [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps)
+ - **Description**: Disables Cortana’s access to the microphone. To use this setting, enter Cortana’s Package Family Name: `Microsoft.549981C3F5F10_8wekyb3d8bbwe`. Users can still type queries to Cortana.
+
+- **Allow users to enable online speech recognition services**
+ - **Group policy**: `Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services`
+ - **MDM policy CSP**: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization)
+ - **Description**: Specifies whether users can use voice commands with Cortana in your organization.
+ - **Windows 10, version 1511**: Cortana won’t work if this setting is turned off (disabled).
+ - **Windows 10, version 1607 and later**: Non-speech aspects of Cortana will still work if this setting is turned off (disabled).
+ - **Windows 10, version 2004 and later**: Cortana will work, but voice input will be disabled.
+
+- **AllowLocation**
+ - **Group policy**: None
+ - **MDM policy CSP**: [System/AllowLocation](/windows/client-management/mdm/policy-csp-system#system-allowlocation)
+ - **Description**: Specifies whether to allow app access to the Location service.
+ - **Windows 10, version 1511**: Cortana won’t work if this setting is turned off (disabled).
+ - **Windows 10, version 1607 and later**: Cortana still works if this setting is turned off (disabled).
+ - **Windows 10, version 2004 and later**: Cortana still works if this setting is turned off (disabled).
Cortana in Windows 10, versions 2004 and later, or Windows 11 don't use the Location service.
+
+- **AllowMicrosoftAccountConnection**
+ - **Group policy**: None
+ - **MDM policy CSP**: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection)
+ - **Description**: Specifies whether to allow users to sign in using a Microsoft account (MSA) from Windows apps. If you only want to allow users to sign in with their Azure AD account, then disable this setting.
+
+- **Allow search and Cortana to use location**
+ - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location`
+ - **MDM policy CSP**: [Search/AllowSearchToUseLocation](/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation)
+ - **Description**: Specifies whether Cortana can use your current location during searches and for location reminders. In **Windows 10, version 2004 and later**, Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11, don't use the Location service.
+
+- **Don't search the web or display web results**
+ - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results`
+ - **MDM policy CSP**: [Search/DoNotUseWebResults](/windows/client-management/mdm/policy-csp-search#search-donotusewebresults)
+ - **Description**: Specifies if search can do queries on the web, and if the web results are shown in search.
+ - **Windows 10 Pro edition**: This setting can’t be managed.
+ - **Windows 10 Enterprise edition**: Cortana won't work if this setting is turned off (disabled).
+ - **Windows 10, version 2004 and later**: This setting no longer impacts Cortana.
diff --git a/windows/configuration/cortana-at-work/images/screenshot1.png b/windows/configuration/cortana-at-work/images/screenshot1.png
new file mode 100644
index 0000000000..ed62740e92
Binary files /dev/null and b/windows/configuration/cortana-at-work/images/screenshot1.png differ
diff --git a/windows/configuration/cortana-at-work/images/screenshot2.png b/windows/configuration/cortana-at-work/images/screenshot2.png
new file mode 100644
index 0000000000..fb7995600e
Binary files /dev/null and b/windows/configuration/cortana-at-work/images/screenshot2.png differ
diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md
index 90070e8930..f10b516b5c 100644
--- a/windows/configuration/customize-start-menu-layout-windows-11.md
+++ b/windows/configuration/customize-start-menu-layout-windows-11.md
@@ -1,6 +1,6 @@
 ---
 title: Add or remove pinned apps on the Start menu in Windows 11 | Microsoft Docs
-description: Export Start layout to LayoutModification.json with pinned apps, add or remove pinned apps, and use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices.
+description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices.
 ms.assetid:
 manager: dougeby
 ms.author: mandia
@@ -10,7 +10,6 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: mobile
 author: MandiOhlinger
-ms.date: 09/14/2021
 ms.localizationpriority: medium
 ---
@@ -28,7 +27,7 @@ For example, you can override the default set of apps with your own a set of pin To add apps you want pinned to the Start menu, you use a JSON file. In previous Windows versions, IT administrators used an XML file to customize the Start menu. The XML file isn't available on Windows 11 and later ***unless*** [you're an OEM](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu). -This article shows you how to export an existing Start menu layout, and use the JSON in a Microsoft Intune MDM policy. +This article shows you how to export an existing Start menu layout, and use the JSON in a Microsoft Endpoint Manager policy. ## Before you begin 
@@ -52,12 +51,29 @@ Start has the following areas: - **Pinned**: Shows pinned apps, or a subset of all of the apps installed on the device. You can create a list of pinned apps you want on the devices using the **ConfigureStartPins** policy. **ConfigureStartPins** overrides the entire layout, which also removes apps that are pinned by default. - This article shows you how to use the **ConfigureStartPins** policy. + This article shows you [how to use the **ConfigureStartPins** policy](#get-the-pinnedlist-json). -- **All apps**: Users select this option to see an alphabetical list of all the apps on the device. This section can't be customized using the JSON file. You can use the `Start/ShowOrHideMostUsedApps` CSP, which is a policy to configure the "Most used" section at the top of the all apps list. -- **Recommended**: Shows recently opened files and recently installed apps. This section can't be customized using the JSON file. To prevent files from showing in this section, you can use the [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists). This CSP also hides recent files that show from the taskbar. +- **All apps**: Users select this option to see an alphabetical list of all the apps on the device. This section can't be customized using the JSON file. - You can use an MDM provider, like Microsoft Intune, to manage the [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) on your devices. For more information on the Start menu settings you can configure in a Microsoft Intune policy, see [Windows 10 (and later) device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10#start). + The [Start/HideFrequentlyUsedApps CSP](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) exposes settings that configure the "Most used" section, which is at the top of the all apps list. 
+ + In **Endpoint Manager**, you can configure this Start menu layout feature, and more. For more information on the Start menu settings you can configure in an Endpoint Manager policy, see [Windows 10/11 device settings to allow or restrict features](/mem/intune/configuration/device-restrictions-windows-10#start). + + In **Group Policy**, there are policies that include settings that control the Start menu layout. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices: + + - `Computer Configuration\Administrative Templates\Start Menu and Taskbar` + - `User Configuration\Administrative Templates\Start Menu and Taskbar` + +- **Recommended**: Shows recently opened files and recently installed apps. This section can't be customized using the JSON file. + + The [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) exposes settings that prevent files from showing in this section. This CSP also hides recent files that show from the taskbar. + + In **Endpoint Manager**, you can configure this feature, and more. For more information on the Start menu settings you can configure in an Endpoint Manager policy, see [Windows 10/11 device settings to allow or restrict features](/mem/intune/configuration/device-restrictions-windows-10#start). + + In **Group Policy**, there are policies that include settings that control the Start menu layout. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices: + + - `Computer Configuration\Administrative Templates\Start Menu and Taskbar` + - `User Configuration\Administrative Templates\Start Menu and Taskbar` ## Create the JSON file 
@@ -111,13 +127,13 @@ If you're familiar with creating JSON files, you can create your own `LayoutModi Now that you have the JSON syntax, you're ready to deploy your customized Start layout to devices in your organization. -MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD). Using an MDM provider, such as Microsoft Intune, you can deploy a policy that configures the pinned list. +MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD). Using an MDM provider, such as Microsoft Endpoint Manager, you can deploy a policy that configures the pinned list. -This section shows you how to create a pinned list policy in Microsoft Intune. There isn't a Group Policy to create a pinned list. +This section shows you how to create a pinned list policy in Endpoint Manager. There isn't a Group Policy to create a pinned list. -### Create a pinned list using a Microsoft Intune policy +### Create a pinned list using an Endpoint Manager policy -To deploy this policy in Microsoft Intune, the devices must be enrolled in Microsoft Intune, and managed by your organization. For more information, see [What is device enrollment in Intune?](/mem/intune/enrollment/device-enrollment). +To deploy this policy, the devices must be enrolled, and managed by your organization. For more information, see [What is device enrollment?](/mem/intune/enrollment/device-enrollment). 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** > **Configuration profiles** > **Create profile**. 
@@ -157,13 +173,12 @@ To deploy this policy in Microsoft Intune, the devices must be enrolled in Micro :::image type="content" source="./images/customize-start-menu-layout-windows-11/endpoint-manager-admin-center-custom-oma-uri-start-layout.png" alt-text="Custom OMA-URI settings to customize Start menu layout using pinnedList"::: 8. Select **Save** > **Next** to save your changes. -9. Configure the rest of the policy settings. For more specific information, see [Create a profile with custom settings in Intune](/mem/intune/configuration/custom-settings-configure). +9. Configure the rest of the policy settings. For more specific information, see [Create a profile with custom settings](/mem/intune/configuration/custom-settings-configure). -The Windows OS has many CSPs that apply to the Start menu. Using an MDM provider, like Intune, you can use these CSPs to customize Start even more. For a list, see [Supported CSP policies for Windows 11 Start menu](supported-csp-start-menu-layout-windows.md). +The Windows OS exposes many CSPs that apply to the Start menu. For a list, see [Supported CSP policies for Windows 11 Start menu](supported-csp-start-menu-layout-windows.md). -### Deploy the policy using Microsoft Intune +### Deploy the policy using Endpoint Manager -When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized Start layout, the policy can be deployed before users sign in the first time. - -For more information on assigning policies using Microsoft Intune, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign). +When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized Start layout, the policy can be deployed anytime, including before users sign in the first time. 
+For more information and guidance on assigning policies to devices in your organization, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).
diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md
new file mode 100644
index 0000000000..30af3044b2
--- /dev/null
+++ b/windows/configuration/customize-taskbar-windows-11.md
@@ -0,0 +1,246 @@
+---
+title: Configure and customize Windows 11 taskbar | Microsoft Docs
+description: On Windows 11 devices, pin and unpin default apps and organization apps on the taskbar using an XML file. Deploy the taskbar XML file using Group Policy or MDM and Microsoft Endpoint Manager. See what happens to the taskbar when the Windows OS client is installed or upgraded.
+ms.assetid:
+manager: dougeby
+ms.author: mandia
+ms.reviewer: chataylo
+ms.prod: w11
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+author: MandiOhlinger
+ms.localizationpriority: medium
+---
+
+# Customize the Taskbar on Windows 11
+
+**Applies to**:
+
+- Windows 11
+
+> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu).
+
+Your organization can deploy a customized taskbar to your Windows devices. Customizing the taskbar is common when your organization uses a common set of apps, or wants to bring attention to specific apps. You can also remove the default pinned apps.
+
+For example, you can override the default set of apps with your own a set of pinned apps, and in the order you choose. As an administrator, use this feature to pin apps, remove default pinned apps, order the apps, and more on the taskbar.
+
+To add apps you want pinned to the taskbar, you use an XML file. You can use an existing XML file, or create a new file. If you have an XML file that's used on Windows 10 devices, you can also use it on Windows 11 devices. You may have to update the App IDs.
+
+This article shows you how to create the XML file, add apps to the XML, and deploy the XML file.
+
+## Before you begin
+
+- There isn't a limit on the number of apps that you can pin.
In the XML file, add apps using the [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the app).
+
+- There are some situations that an app pinned in your XML file won't be pinned in the taskbar. For example, if an app isn't approved or installed for a user, then the pinned icon won't show on the taskbar.
+
+- The order of apps in the XML file dictates the order of pinned apps on the taskbar, from left to right, and to the right of any existing apps pinned by the user. If the OS is configured to use a right-to-left language, then the taskbar order is reversed.
+
+- Some classic Windows applications are packaged differently than they were in previous versions of Windows, including Notepad and File Explorer. Be sure to enter the correct AppID. For more information, see [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) and [Get the AUMID and Desktop app link path](#get-the-aumid-and-desktop-app-link-path) (in this article).
+
+- It's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. For Microsoft, that includes using Microsoft Endpoint Manager. Endpoint Manager includes Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises.
+
+ In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started:
+
+ - [Microsoft Endpoint Manager overview](/mem/endpoint-manager-overview)
+ - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide)
+ - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction)
+
+## Create the XML file
+
+1. In a text editor, such as Visual Studio Code, create a new XML file.
To help you get started, you can copy and paste the following XML sample. The sample pins two apps to the taskbar - File Explorer and the Command Prompt: + + ```xml + + + + + + + + + + + + ``` + +2. In the `` node, add (or remove) the apps you want pinned. You can pin Universal Windows Platform (UWP) apps and desktop apps: + + - ``: Select this option for UWP apps. Add the [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) of the UWP app. + - ``: Select this option for desktop apps. Add the Desktop Application Link Path of the desktop app. + + You can pin as many apps as you want. Just keep adding them to the list. Remember, the app order in the list is the same order the apps are shown on the taskbar. + + For more information, see [Get the AUMID and Desktop app link path](#get-the-aumid-and-desktop-app-link-path) (in this article). + +3. In the `` node, the apps you add are pinned after the default apps. If you want to remove the default apps, and only show the apps you add in the XML file, then add `PinListPlacement="Replace"`: + + - ``: Keeps the default pinned apps. After the default apps, the apps you add are pinned. + - ``: Unpins the default apps. Only the apps you add are pinned. + + If you want to remove some of the default pinned apps, then add `PinListPlacement="Replace"`. When you add your apps to ``, include the default apps you still want pinned. + +4. In the `` node, use `region=" | "` to use different taskbar configurations based on the device locale and region. + + In the following XML example, two regions are added: `US|UK` and `DE|FR`: + + ```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ``` + + The taskbar applies when: + + - If the `` node has a country or region, then the apps are pinned on devices configured for that country or region. + - If the `` node doesn't have a region tag for the current region, then the first `` node with no region is applied. + +5. 
Save the file, and name the file so you know what it is. For example, name the file something like `TaskbarLayoutModification.xml`. Once you have the file, it's ready to be deployed to your Windows devices.
+
+## Use Group Policy or MDM to create and deploy a taskbar policy
+
+Now that you have the XML file with your customized taskbar, you're ready to deploy it to devices in your organization. You can deploy your taskbar XML file using Group Policy, or using an MDM provider, like Microsoft Endpoint Manager.
+
+This section shows you how to deploy the XML both ways.
+
+### Use Group Policy to deploy your XML file
+
+Use the following steps to add your XML file to a group policy, and apply the policy:
+
+1. Open your policy editor. For example, open Group Policy Management Console (GPMC) for domain-based group policies, or open `gpedit` for local policies.
+2. Go to one of the following policies:
+
+ - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout`
+ - `User Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout`
+
+3. Double-select `Start Layout` > **Enable**. Enter the fully qualified path to your XML file, including the XML file name. You can enter a local path, like `C:\StartLayouts\TaskbarLayoutModification.xml`, or a network path, like `\\Server\Share\TaskbarLayoutModification.xml`. Be sure you enter the correct file path. If using a network share, be sure to give users read access to the XML file. If the file isn't available when the user signs in, then the taskbar isn't changed. Users can't customize the taskbar when this setting is enabled.
+
+ Your policy looks like the following policy:
+
+ :::image type="content" source="./images/customize-taskbar-windows-11/start-layout-group-policy.png" alt-text="Add your taskbar layout XML file to the Start Layout policy on Windows devices.":::
+
+ The `User Configuration\Administrative Templates\Start Menu and Taskbar` policy includes other settings that control the taskbar. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices.
+
+4. When you apply the policy, the taskbar includes your changes. The next time users sign in, they'll see the changes.
+
+ For more information on using group policies, see [Implement Group Policy Objects](/learn/modules/implement-group-policy-objects/).
+
+### Create a Microsoft Endpoint Manager policy to deploy your XML file
+
+MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD). Using an MDM provider, such as Microsoft Endpoint Manager, you can deploy a policy that configures the pinned list.
+
+Use the following steps to create an Endpoint Manager policy that deploys your taskbar XML file:
+
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+
+2. Select **Devices** > **Configuration profiles** > **Create profile**.
+
+3. Enter the following properties:
+
+ - **Platform**: Select **Windows 10 and later**.
+ - **Profile type**: Select **Templates** > **Device restrictions** > **Create**.
+
+4. In **Basics**, enter the following properties:
+
+ - **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify it later. For example, a good profile name is **Win11: Custom taskbar**.
+ - **Description**: Enter a description for the profile. This setting is optional, and recommended.
+
+5. Select **Next**.
+
+6.
In **Configuration settings**, select **Start** > **Start menu layout**. Browse to, and select your taskbar XML file.
+
+7. Select **Next**, and configure the rest of the policy settings. For more specific information, see [Configure device restriction settings](/mem/intune/configuration/device-restrictions-configure).
+
+8. When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized taskbar, the policy can also be deployed before users sign in the first time.
+
+ For more information and guidance on assigning policies using Microsoft Endpoint Manager, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).
+
+> [!NOTE]
+> For third party partner MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`.
+
+## Get the AUMID and Desktop app link path
+
+In the layout modification XML file, you add apps in the XML markup. To pin an app, you enter the AUMID or Desktop Application Link Path. The easiest way to find this app information is to use the [Export-StartLayout](/powershell/module/startlayout/export-startlayout) Windows PowerShell cmdlet:
+
+1. On an existing Windows 11 device, pin the app to the Start menu.
+2. Create a folder to save an output file. For example, create the `C:\Layouts` folder.
+3. Open the Windows PowerShell app, and run the following cmdlet:
+
+ ```powershell
+ Export-StartLayout -Path "C:\Layouts\GetIDorPath.xml"
+ ```
+
+4. Open the generated GetIDorPath.xml file, and look for the app you pinned. When you find the app, get the AppID or Path. Add these properties to your XML file.
+
+## Pin order for all apps
+
+On a taskbar, the following apps are typically pinned:
+
+- Apps pinned by the user
+- Default Windows apps pinned during the OS installation, such as Microsoft Edge, File Explorer, and Microsoft Store.
+- Apps pinned by your organization, such as in an unattended Windows setup.
+
+ In an unattended Windows setup file, use the XML file you created in this article. It's not recommended to use [TaskbarLinks](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-taskbarlinks).
+
+Apps are pinned in the following order:
+
+1. Windows default apps are pinned first.
+2. User-pinned apps are pinned after the Windows default apps.
+3. XML-pinned apps are pinned after the user-pinned apps.
+
+If the OS is configured to use a right-to-left language, then the taskbar order is reversed.
+
+## OS install and upgrade
+
+- On a clean install of the Windows client, if you apply a taskbar layout, the following apps are pinned to the taskbar:
+
+ - Apps you specifically add
+ - Any default apps you don't remove
+
+ After the taskbar layout is applied, users can pin more apps, change the order, and unpin apps.
+
+- On a Windows client upgrade, apps are already pinned to the taskbar. These apps may have been pinned by a user, by an image, or by using Windows unattended setup. For upgrades, the taskbar layout applies the following behavior:
+
+ - If users pinned apps to the taskbar, then those pinned apps remain. New apps are pinned after the existing user-pinned apps.
+ - If the apps are pinned during the install or by a policy (not by a user), and the apps aren't pinned in an updated layout file, then the apps are unpinned.
+ - If a user didn't pin an app, and the same app is pinned in the updated layout file, then the app is pinned after any existing pinned apps.
+ - New apps in updated layout file are pinned after the user's pinned apps.
+
+ After the layout is applied, users can pin more apps, change the order, and unpin apps.
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 42b70e6248..8a44c817f3 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -1,5 +1,5 @@ --- -title: Customize Windows 10 Start and tasbkar with provisioning packages (Windows 10) +title: Customize Windows 10 Start and taskbar with provisioning packages (Windows 10) description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users. ms.assetid: AC952899-86A0-42FC-9E3C-C25F45B1ACAC ms.reviewer: @@ -21,9 +21,11 @@ ms.localizationpriority: medium - Windows 10 - > **Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) +> [!NOTE] +> Currently, using provisioning packages to customize the Start menu layout is supported on Windows 10. It's not supported on Windows 11. + In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. > [!IMPORTANT] 
@@ -136,5 +138,5 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L - [Add image for secondary tiles](start-secondary-tiles.md) - [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) - [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) -- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) -- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) \ No newline at end of file +- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index f5540c6ddd..6d4c284574 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -1,6 +1,6 @@ --- title: Find the Application User Model ID of an installed app -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. author: greg-lindsay diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index d24b76cd0c..5a019e0862 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md 
@@ -1,5 +1,5 @@ --- -title: Guidelines for choosing an app for assigned access (Windows 10) +title: Guidelines for choosing an app for assigned access (Windows 10/11) description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience. keywords: ["kiosk", "lockdown", "assigned access"] ms.prod: w10 @@ -9,8 +9,7 @@ author: greg-lindsay ms.localizationpriority: medium ms.author: greglin ms.topic: article -ms.date: 10/02/2018 -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp --- @@ -19,7 +18,8 @@ manager: dansimp **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. 
@@ -45,9 +45,9 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t ## Guidelines for web browsers -In Windows 10, version 1809, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) +Starting with Windows 10 version 1809+, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) -In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. +In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. >[!NOTE] >Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs. 
@@ -55,7 +55,7 @@ In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app >Kiosk Browser cannot access intranet websites. -**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education). +**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education) and Windows 11. 1. [Get **Kiosk Browser** in Microsoft Store for Business with offline license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps) 2. [Deploy **Kiosk Browser** to kiosk devices.](/microsoft-store/distribute-offline-apps) @@ -162,7 +162,7 @@ Check the guidelines published by your selected app and set up accordingly. ## Develop your kiosk app -Assigned access in Windows 10 leverages the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app. +Assigned access in Windows client leverages the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app. Follow the [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access). diff --git a/windows/configuration/images/customize-taskbar-windows-11/start-layout-group-policy.png b/windows/configuration/images/customize-taskbar-windows-11/start-layout-group-policy.png new file mode 100644 index 0000000000..99252bd139 Binary files /dev/null and b/windows/configuration/images/customize-taskbar-windows-11/start-layout-group-policy.png differ 
diff --git a/windows/configuration/images/customize-taskbar-windows-11/taskbar-windows-11.png b/windows/configuration/images/customize-taskbar-windows-11/taskbar-windows-11.png
new file mode 100644
index 0000000000..9baebd536f
Binary files /dev/null and b/windows/configuration/images/customize-taskbar-windows-11/taskbar-windows-11.png differ
diff --git a/windows/configuration/images/kiosk-account.PNG b/windows/configuration/images/kiosk-account.PNG
deleted file mode 100644
index f78f9b9d56..0000000000
Binary files a/windows/configuration/images/kiosk-account.PNG and /dev/null differ
diff --git a/windows/configuration/images/kiosk-common.PNG b/windows/configuration/images/kiosk-common.PNG
deleted file mode 100644
index f5873a53aa..0000000000
Binary files a/windows/configuration/images/kiosk-common.PNG and /dev/null differ
diff --git a/windows/configuration/images/seven.png b/windows/configuration/images/seven.png
deleted file mode 100644
index 285a92df0b..0000000000
Binary files a/windows/configuration/images/seven.png and /dev/null differ
diff --git a/windows/configuration/images/six.png b/windows/configuration/images/six.png
deleted file mode 100644
index e8906332ec..0000000000
Binary files a/windows/configuration/images/six.png and /dev/null differ
diff --git a/windows/configuration/includes/multi-app-kiosk-support-windows11.md b/windows/configuration/includes/multi-app-kiosk-support-windows11.md
new file mode 100644
index 0000000000..0213f9a5ac
--- /dev/null
+++ b/windows/configuration/includes/multi-app-kiosk-support-windows11.md
@@ -0,0 +1,12 @@
+---
+author: MandiOhlinger
+ms.author: mandia
+ms.date: 09/21/2021
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: w10
+ms.topic: include
+---
+
+Currently, multi-app kiosk is only supported on Windows 10. It's not supported on Windows 11.
\ No newline at end of file
diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md index 67f49befe3..c772c6f064 100644 --- a/windows/configuration/kiosk-additional-reference.md +++ b/windows/configuration/kiosk-additional-reference.md @@ -1,8 +1,8 @@ --- -title: More kiosk methods and reference information (Windows 10) +title: More kiosk methods and reference information (Windows 10/11) description: Find more information for configuring, validating, and troubleshooting kiosk configuration. ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] @@ -19,7 +19,8 @@ ms.topic: reference **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 ## In this section 
@@ -31,11 +32,8 @@ Topic | Description [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | These guidelines will help you choose an appropriate Windows app for your assigned access experience. [Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk. [Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration. -[Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps. -[Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface. -[Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. +[Use AppLocker to create a Windows client kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a Windows client kiosk device running Enterprise or Education so that users can only run a few specific apps. +[Use Shell Launcher to create a Windows client kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface. +[Use MDM Bridge WMI Provider to create a Windows client kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. [Troubleshoot kiosk mode issues](kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration. - - - 
diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md index 73c8fdcc17..ec7e635617 100644 --- a/windows/configuration/kiosk-mdm-bridge.md +++ b/windows/configuration/kiosk-mdm-bridge.md @@ -1,8 +1,8 @@ --- -title: Use MDM Bridge WMI Provider to create a Windows 10 kiosk (Windows 10) +title: Use MDM Bridge WMI Provider to create a Windows 10/11 kiosk (Windows 10/11) description: Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] @@ -11,16 +11,16 @@ ms.mktglfcycl: manage ms.sitesec: library author: greg-lindsay ms.localizationpriority: medium -ms.date: 11/07/2018 ms.topic: article --- -# Use MDM Bridge WMI Provider to create a Windows 10 kiosk +# Use MDM Bridge WMI Provider to create a Windows client kiosk **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/wmisdk/wmi-start-page) can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the MDM_AssignedAccess class. For more information about using a PowerShell script to configure AssignedAccess, see [PowerShell Scripting with WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index 9efa2b652d..0c36aa0d52 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md 
@@ -1,9 +1,9 @@ --- -title: Configure kiosks and digital signs on Windows desktop editions (Windows 10) -ms.reviewer: +title: Configure kiosks and digital signs on Windows 10/11 desktop editions +ms.reviewer: sybruckm manager: dansimp ms.author: greglin -description: In this article, learn about the methods for configuring kiosks and digital signs on Windows desktop editions. +description: In this article, learn about the methods for configuring kiosks and digital signs on Windows 10 or Windows 11 desktop editions. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -18,21 +18,29 @@ ms.topic: article >[!WARNING] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. Windows 10 offers two different locked-down experiences for public or specialized use: +**Applies to** -- **A single-app kiosk**, which runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart. +- Windows 10 +- Windows 11 + +Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: + +- **A single-app kiosk**: Runs a single Universal Windows Platform (UWP) app in full screen above the lock screen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart. - A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. 
This type of single-app kiosk does not run above the lockscreen. + A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lock screen. - ![Illustration of a full-screen kiosk experience.](images/kiosk-fullscreen.png) + ![Illustration of a full-screen kiosk experience that runs one app on a Windows client device.](images/kiosk-fullscreen.png) -- **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. +- **A multi-app kiosk**: Runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. - A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. + > [!NOTE] + > [!INCLUDE [Multi-app kiosk mode not supported on Windows 11](./includes/multi-app-kiosk-support-windows11.md)] - ![Illustration of a kiosk Start screen.](images/kiosk-desktop.png) + A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. 
-Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. + ![Illustration of a kiosk Start screen that runs multiple apps on a Windows client device.](images/kiosk-desktop.png) + +Kiosk configurations are based on **Assigned Access**, a feature in Windows client that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions. 
@@ -40,19 +48,19 @@ There are several kiosk configuration methods that you can choose from, dependin ![icon that represents apps.](images/office-logo.png) - Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), simply select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md) + Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md) - **Which type of kiosk do you need?** ![icon that represents a kiosk.](images/kiosk.png) - If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#uwp) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop). + If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#methods-for-a-single-app-kiosk-running-a-uwp-app) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop). -- **Which edition of Windows 10 will the kiosk run?** +- **Which edition of Windows client will the kiosk run?** ![icon that represents Windows.](images/windows.png) - All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. + All of the configuration methods work for Windows client Enterprise and Education; some of the methods work for Windows Pro. 
Kiosk mode isn't available on Windows Home. - **Which type of user account will be the kiosk account?** @@ -62,10 +70,8 @@ There are several kiosk configuration methods that you can choose from, dependin >[!IMPORTANT] ->Single-app kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. - - - +>Single-app kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. + ## Methods for a single-app kiosk running a UWP app You can use this method | For this edition | For this kiosk account type 
@@ -100,15 +106,14 @@ You can use this method | For this edition | For this kiosk account type Method | App type | Account type | Single-app kiosk | Multi-app kiosk --- | --- | --- | :---: | :---: -[Assigned access in Settings](kiosk-single-app.md#local) | UWP | Local account | X | -[Assigned access cmdlets](kiosk-single-app.md#powershell) | UWP | Local account | X | -[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | -[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | X -Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | X | X -[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | X | -[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | | X +[Assigned access in Settings](kiosk-single-app.md#local) | UWP | Local account | ✔️ | +[Assigned access cmdlets](kiosk-single-app.md#powershell) | UWP | Local account | ✔️ | +[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️ | +[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️ | ✔️ +Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | ✔️ | ✔️ +[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local 
standard user, Active Directory, Azure AD | ✔️ | +[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | | ✔️ >[!NOTE] ->For devices running Windows 10 Enterprise and Education, version 1703 and earlier, you can use [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps. - +>For devices running Windows client Enterprise and Education, you can also use [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) or [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps. diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md index 9f817f7581..a12e1a5b19 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk-policies.md @@ -1,8 +1,8 @@ --- -title: Policies enforced on kiosk devices (Windows 10) +title: Policies enforced on kiosk devices (Windows 10/11) description: Learn about the policies enforced on a device when you configure it as a kiosk. ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp keywords: ["lockdown", "app restrictions", "applocker"] ms.prod: w10 @@ -11,7 +11,6 @@ ms.sitesec: library ms.pagetype: edu, security author: greg-lindsay ms.localizationpriority: medium -ms.date: 07/30/2018 ms.author: greglin ms.topic: article --- @@ -21,7 +20,8 @@ ms.topic: article **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index ba1aaa2b58..5eef3d900c 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md 
@@ -1,8 +1,8 @@ --- -title: Prepare a device for kiosk configuration (Windows 10) +title: Prepare a device for kiosk configuration on Windows 10/11 | Microsoft Docs description: Learn how to prepare a device for kiosk configuration. Also, learn about the recommended kiosk configuration changes. ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] 
@@ -19,49 +19,206 @@ ms.topic: article **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 -> [!WARNING] -> For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with the least privileges, such as a local standard user account. -> -> Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that might allow an attacker subverting the assigned access application to gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. -> [!IMPORTANT] -> [User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. -> -> Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. + +## Before you begin + +- [User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. +- Kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that's set up as a kiosk. +- For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with the least privileges, such as a local standard user account. + + Assigned access can be configured using Windows Management Instrumentation (WMI) or configuration service provider (CSP). 
Assigned access runs an application using a domain user or service account, not a local account. Using a domain user or service accounts has risks, and might allow an attacker to gain access to domain resources that are accessible to any domain account. When using domain accounts with assigned access, proceed with caution. Consider the domain resources potentially exposed by using a domain account. + +- MDM providers, such as [Microsoft Endpoint Manager](/mem/endpoint-manager-getting-started), use the configuration service providers (CSP) exposed by the Windows OS to manage settings on devices. In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started: + + - [Microsoft Endpoint Manager](/mem/endpoint-manager-getting-started) + - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide) + - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction) ## Configuration recommendations -For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: +For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: -Recommendation | How to ---- | --- -Hide update notifications
                  (New in Windows 10, version 1809) | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**
                  -or-
                  Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)
                  -or-
                  Add the following registry keys as type DWORD (32-bit) in the path of **HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate**:
                  **\SetUpdateNotificationLevel** with a value of `1`, and **\UpdateNotificationLevel** with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings. -Enable and schedule automatic updates | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates**, and select `option 4 (Auto download and schedule the install)`
                  -or-
                  Use the MDM setting **Update/AllowAutoUpdate** from the [**Policy/Update** configuration service provider](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate), and select `option 3 (Auto install and restart at a specified time)`

                  **Note:** Installations can take from between 30 minutes and 2 hours, depending on the device, so you should schedule updates to occur when a block of 3-4 hours is available.

                  To schedule the automatic update, configure **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**. -Enable automatic restart at the scheduled time | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Always automatically restart at the scheduled time** -Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

                  **HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled** -Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign. -Hide **Ease of access** feature on the sign-in screen. | See [how to disable the Ease of Access button in the registry.](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen) -Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. -Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** -Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. -Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. -Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

                  **NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. +- **Hide update notifications**. Starting with Windows 10 version 1809, you can hide notifications from showing on the devices. To enable this feature, you have the following options: + - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Display options for update notifications` + + - **Use an MDM provider**: This feature uses the [Update/UpdateNotificationLevel CSP](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel). In Endpoint Manager, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature. + + - **Use the registry**: + + 1. Open Registry Editor (regedit). + 2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`. + 3. Create a **New** > **DWORD (32-bit) Value**. Enter `SetUpdateNotificationLevel`, and set its value to `1`. + 4. Create a **New** > **DWORD (32-bit) Value**. Enter `UpdateNotificationLevel`. For value, you can enter: + + - `1`: Hides all notifications except restart warnings. + - `2`: Hides all notifications, including restart warnings. + +- **Enable and schedule automatic updates**. To enable this feature, you have the following options: + + - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates`. Select `4 - Auto download and schedule the install`. + - **Use an MDM provider**: This feature uses the [Update/AllowAutoUpdate CSP](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Select `3 - Auto install and restart at a specified time`. 
In Endpoint Manager, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature. + + You can also schedule automatic updates, including **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**. Installations can take between 30 minutes and 2 hours, depending on the device. Schedule updates to occur when a block of 3-4 hours is available. + +- **Enable automatic restart at the scheduled time**. To enable this feature, you have the following options: + + - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Always automatically restart at the scheduled time`. Select `4 - Auto download and schedule the install`. + + - **Use an MDM provider**: This feature uses the [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) and [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) CSPs. In Endpoint Manager, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature. + +- **Replace "blue screen" with blank screen for OS errors**. To enable this feature, use the Registry Editor: + + 1. Open Registry Editor (regedit). + 2. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl`. + 3. Create a **New** > **DWORD (32-bit) Value**. Enter `DisplayDisabled`, and set its value to `1`. + +- **Put device in "Tablet mode"**. If you want users to use the touch screen, without using a keyboard or mouse, then turn on tablet mode using the Settings app. If users won't interact with the kiosk, such as for a digital sign, then don't turn on this setting. + + Applies to Windows 10 only. Currently, Tablet mode isn't supported on Windows 11. + + Your options: + + - Use the **Settings** app: + 1. Open the **Settings** app. + 2. Go to **System** > **Tablet mode**. + 3. Configure the settings you want. 
+ + - Use the **Action Center**: + 1. On your device, swipe in from the left. + 2. Select **Tablet mode**. + +- **Hide "Ease of access" feature on the sign-in screen**: To enable this feature, you have the following options: + + - **Use an MDM provider**: In Endpoint Manager, you can use the [Control Panel and Settings](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings) to manage this feature. + - **Use the registry**: For more information, see [how to disable the Ease of Access button in the registry](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen). + +- **Disable the hardware power button**: To enable this feature, you have the following options: + + - **Use the Settings app**: + 1. Open the **Settings** app. + 2. Go to **System** > **Power & Sleep** > **Additional power settings** > **Choose what the power button does**. + 3. Select **Do nothing**. + 4. **Save changes**. + + - **Use Group Policy**: Your options: + + - `Computer Configuration\Administrative Templates\System\Power Management\Button Settings`: Set `Select Power Button Action on Battery` and `Select Power Button Action on Plugged In` to **Take no action**. + - `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`: This policy hides the buttons, but doesn't disable them. + - `Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system`: Remove the users or groups from this policy. + + To prevent this policy from affecting a member of the Administrators group, be sure to keep the Administrators group. + + - **Use an MDM provider**: In Endpoint Manager, you have some options: + + - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. 
Configure the following settings: + + - `Power\Select Power Button Action on Battery`: Set to **Take no action**. + - `Power\Select Power Button Action on Plugged In`: Set to **Take no action**. + - `Start\Hide Power Button`: Set to **Enabled**. This policy hides the button, but doesn't disable it. + + - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following setting: + + - `\Start menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`: This policy hides the buttons, but doesn't disable them. + + When looking at settings, check the supported OS for each setting to make sure it applies. + + - [Start settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#start): This option shows this setting, and all the Start menu settings you can manage. + +- **Remove the power button from the sign-in screen**. To enable this feature, you have the following options: + + - **Use Group Policy**: `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on`. Select **Disabled**. + + - **Use MDM**: In Endpoint Manager, you have the following option: + + - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting: + + - `Local Policies Security Options\Shutdown Allow System To Be Shut Down Without Having To Log On`: Set to **Disabled**. + +- **Disable the camera**: To enable this feature, you have the following options: + + - **Use the Settings app**: + 1. Open the **Settings** app. + 2. Go to **Privacy** > **Camera**. + 3. Select **Allow apps use my camera** > **Off**. 
+ + - **Use Group Policy**: `Computer Configuration\Administrative Templates\Windows Components\Camera: Allow use of camera`: Select **Disabled**. + + - **Use an MDM provider**: This feature uses the [Policy CSP - Camera](/windows/client-management/mdm/policy-csp-camera). In Endpoint Manager, you have the following options: + + - [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): This option shows this setting, and more settings you can manage. + - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting: + + - `Camera\Allow camera`: Set to **Not allowed**. + +- **Turn off app notifications on the lock screen**: To enable this feature, you have the following options: + + - **Use the Settings app**: + + 1. Open the **Settings** app. + 2. Go to **System** > **Notifications & actions**. + 3. In **Show notifications on the lock screen**, select **Off**. + + - **Use Group policy**: + - `Computer Configuration\Administrative Templates\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**. + - `User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**. + + - **Use an MDM provider**: This feature uses the [AboveLock/AllowToasts CSP](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowtoasts). In Endpoint Manager, you have the following options: + + - [Locked screen experience device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#locked-screen-experience): See this setting, and more settings you can manage. + + - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. 
Configure the following settings: + + - `\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**. + - `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**. + + When looking at settings, check the supported OS for each setting to make sure it applies. + + - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings: + + - `\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**. + - `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**. + +- **Disable removable media**: To enable this feature, you have the following options: + + - **Use Group policy**: `Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions`. Review the available settings that apply to your situation. + + To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**. + + - **Use an MDM provider**: In Endpoint Manager, you have the following options: + + - [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): See the **Removable storage** setting, and more settings you can manage. + + - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings: + + - `\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`. 
+ + To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**. + + When looking at settings, check the supported OS for each setting to make sure it applies. + + - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings: + + - `\Administrative Templates\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`. + + To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**. ## Enable logging Logs can help you [troubleshoot issues](./kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. -![Event Viewer, right-click Operational, select enable log.](images/enable-assigned-access-log.png) +:::image type="content" source="images/enable-assigned-access-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot."::: ## Automatic logon -In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in. +You may also want to set up **automatic logon** for your kiosk device. 
When your kiosk device restarts, from an update or power outage, you can sign in the assigned access account manually. Or, you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device don't prevent automatic sign in. > [!NOTE] -> If you are using a Windows 10 and later device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile. +> If you are using a Windows client device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile. > [!TIP] > If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML. @@ -88,7 +245,7 @@ In addition to the settings in the table, you may want to set up **automatic log - *DefaultPassword*: set value as the password for the account. > [!NOTE] - > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. + > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. 
@@ -104,150 +261,56 @@ In addition to the settings in the table, you may want to set up **automatic log The following table describes some features that have interoperability issues we recommend that you consider when running assigned access. -> [!Note] -> Where applicable, the table notes which features are optional that you can configure for assigned access. +- **Accessibility**: Assigned access does not change Ease of Access settings. We recommend that you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features: - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  FeatureDescription

                  Accessibility

                  Assigned access does not change Ease of Access settings.

                  -

                  We recommend that you use Keyboard Filter to block the following key combinations that bring up accessibility features:

                  - ---- - - - - - - - - - - - - - - - - - - - - -
                  Key combinationBlocked behavior

                  Left Alt+Left Shift+Print Screen

                  Open High Contrast dialog box.

                  Left Alt+Left Shift+Num Lock

                  Open Mouse Keys dialog box.

                  Windows logo key+U

                  Open Ease of Access Center.

                  -

                   

                  Assigned access Windows PowerShell cmdlets

                  In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see Assigned access Windows PowerShell reference.

                  Key sequences blocked by assigned access

                  When in assigned access, some key combinations are blocked for assigned access users.

                  -

                  Alt+F4, Alt+Shift+Tab, Alt+Tab are not blocked by Assigned Access, it is recommended you use Keyboard Filter to block these key combinations.

                  -

                  Ctrl+Alt+Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in WEKF_Settings.

                  - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Key combinationBlocked behavior for assigned access users

                  Alt+Esc

                  Cycle through items in the reverse order from which they were opened.

                  Ctrl+Alt+Esc

                  Cycle through items in the reverse order from which they were opened.

                  Ctrl+Esc

                  Open the Start screen.

                  Ctrl+F4

                  Close the window.

                  Ctrl+Shift+Esc

                  Open Task Manager.

                  Ctrl+Tab

                  Switch windows within the application currently open.

                  LaunchApp1

                  Open the app that is assigned to this key.

                  LaunchApp2

                  Open the app that is assigned to this key, which on many Microsoft keyboards is Calculator.

                  LaunchMail

                  Open the default mail client.

                  Windows logo key

                  Open the Start screen.

                  -

                   

                  -

                  Keyboard Filter settings apply to other standard accounts.

                  Key sequences blocked by Keyboard Filter

                  If Keyboard Filter is turned ON then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the Keyboard Filter reference topic.

                  -

                  Keyboard Filter is only available on Windows 10 Enterprise or Windows 10 Education.

                  -

                  Power button

                  Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user cannot turn off the device when it is in assigned access.

                  -

                  For more information on removing the power button or disabling the physical power button, see Custom Logon.

                  Unified Write Filter (UWF)

                  UWFsettings apply to all users, including those with assigned access.

                  -

                  For more information, see Unified Write Filter.

                  WEDL_AssignedAccess class

                  Although you can use this class to configure and manage basic lockdown features for assigned access, we recommend that you use the Windows PowerShell cmdlets instead.

                  -

                  If you need to use assigned access API, see WEDL_AssignedAccess.

                  Welcome Screen

                  Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own.

                  -

                  For more information, see Custom Logon.

                  + | Key combination | Blocked behavior | + | --- | --- | + | Left Alt + Left Shift + Print Screen | Open High Contrast dialog box. | + | Left Alt + Left Shift + Num Lock | Open Mouse Keys dialog box. | + | Windows logo key + U | Open Ease of Access Center. | +- **Assigned access Windows PowerShell cmdlets**: In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see [Assigned access Windows PowerShell reference](/powershell/module/assignedaccess/) - +- **Key sequences blocked by assigned access**: When in assigned access, some key combinations are blocked for assigned access users. + + Alt + F4, Alt + Shift + Tab, Alt + Tab are not blocked by Assigned Access, it's recommended you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations. + + Ctrl + Alt + Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in [WEKF_Settings](/windows-hardware/customize/enterprise/wekf-settings). + + | Key combination | Blocked behavior for assigned access users | + | --- | --- | + | Alt + Esc | Cycle through items in the reverse order from which they were opened. | + | Ctrl + Alt + Esc | Cycle through items in the reverse order from which they were opened. | + | Ctrl + Esc | Open the Start screen. | + | Ctrl + F4 | Close the window. | + | Ctrl + Shift + Esc | Open Task Manager. | + | Ctrl + Tab | Switch windows within the application currently open. | + | LaunchApp1 | Open the app that is assigned to this key. | + | LaunchApp2 | Open the app that is assigned to this key, which on many Microsoft keyboards is Calculator. | + | LaunchMail | Open the default mail client. | + | Windows logo key | Open the Start screen. | + + Keyboard Filter settings apply to other standard accounts. 
+ +- **Key sequences blocked by [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)**: If Keyboard Filter is turned ON, then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). + + [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows client Enterprise or Education. + +- **Power button**: Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user cannot turn off the device when it's in assigned access. + + For more information on removing the power button or disabling the physical power button, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). + +- **Unified Write Filter (UWF)**: UWFsettings apply to all users, including users with assigned access. + + For more information, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). + +- **WEDL_AssignedAccess class**: You can use this class to configure and manage basic lockdown features for assigned access. It's recommended to you use the Windows PowerShell cmdlets instead. + + If you need to use assigned access API, see [WEDL_AssignedAccess](/windows-hardware/customize/enterprise/wedl-assignedaccess). + +- **Welcome Screen**: Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own. + + For more information, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). ## Testing your kiosk in a virtual machine (VM) 
@@ -257,8 +320,8 @@ A single-app kiosk configuration runs an app above the lock screen. It doesn't w When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** is not selected in the **View** menu; that means it's a basic session. -![VM windows, View menu, Extended session is not selected.](images/vm-kiosk.png) +:::image type="content" source="images/vm-kiosk.png" alt-text="Use a basic session to connect a virtual machine. In the View menu, Extended session isn't selected, which means basic is used."::: -To connect to a VM in a basic session, do not select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog. +To connect to a VM in a basic session, don't select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog: -![Do not select the connect button, use "close X" in the top corner](images/vm-kiosk-connect.png) \ No newline at end of file +:::image type="content" source="images/vm-kiosk-connect.png" alt-text="Don't select the connect button. Use the close X in the top corner to connect to a VM in basic session."::: diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index 73e724bd75..3b720d1bbe 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md 
@@ -1,8 +1,8 @@ --- -title: Use Shell Launcher to create a Windows 10 kiosk (Windows 10) +title: Use Shell Launcher to create a Windows 10/11 kiosk (Windows 10/11) description: Shell Launcher lets you change the default shell that launches when a user signs in to a device. ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] @@ -14,13 +14,14 @@ ms.localizationpriority: medium ms.topic: article --- -# Use Shell Launcher to create a Windows 10 kiosk +# Use Shell Launcher to create a Windows client kiosk **Applies to** - Windows 10 Ent, Edu +- Windows 11 -Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows 10, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in Windows 10, version 1809 and above, you can also specify a UWP app as the replacement shell. To use **Shell Launcher v2** in version 1809, you need to install the [KB4551853](https://support.microsoft.com/help/4551853) update. +Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows client, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in Windows 10 version 1809+ / Windows 11, you can also specify a UWP app as the replacement shell. To use **Shell Launcher v2** in Windows 10 version 1809, you need to install the [KB4551853](https://support.microsoft.com/help/4551853) update. >[!NOTE] >Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components. 
@@ -30,7 +31,7 @@ Using Shell Launcher, you can configure a device that runs an application as the >- [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) - Application control policies >- [Mobile Device Management](/windows/client-management/mdm) - Enterprise management of device security policies -You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). In Windows 10, version 1803 and later, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher. +You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). Starting with Windows 10 version 1803+, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher. ## Differences between Shell Launcher v1 and Shell Launcher v2 
@@ -292,7 +293,7 @@ Value|Description These action can be used as default action, or can be mapped to a specific exit code. Refer to [Shell Launcher](/windows-hardware/customize/enterprise/wesl-usersettingsetcustomshell) to see how these codes with Shell Launcher WMI. -To configure these action with Shell Launcher CSP, use below syntax in the shell launcher configuration xml. You can specify at most 4 custom actions mapping to 4 exit codes, and one default action for all other exit codes. When app exits and if the exit code is not found in the custom action mapping, or there is no default action defined, it will be no-op, i.e. nothing happens. So it's recommeded to at least define DefaultAction. [Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2) +To configure these action with Shell Launcher CSP, use below syntax in the shell launcher configuration xml. You can specify at most 4 custom actions mapping to 4 exit codes, and one default action for all other exit codes. When app exits and if the exit code is not found in the custom action mapping, or there is no default action defined, it will be no-op, i.e. nothing happens. So it's recommended to at least define DefaultAction. [Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2) ``` xml diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 4a123b3408..3a71008734 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md 
@@ -1,8 +1,8 @@ --- -title: Set up a single-app kiosk (Windows 10) -description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). +title: Set up a single-app kiosk on Windows 10/11 +description: A single-use device is easy to set up in Windows 10 and Windows 11 for desktop editions (Pro, Enterprise, and Education). ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] @@ -11,18 +11,18 @@ ms.mktglfcycl: manage ms.sitesec: library author: greg-lindsay ms.localizationpriority: medium -ms.date: 01/09/2019 ms.topic: article --- -# Set up a single-app kiosk +# Set up a single-app kiosk on Windows 10/11 **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 -A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. +A single-app kiosk uses the Assigned Access feature to run a single app above the lock screen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. ![Illustration of a single-app kiosk experience.](images/kiosk-fullscreen-sm.png) @@ -33,48 +33,69 @@ A single-app kiosk uses the Assigned Access feature to run a single app above th You have several options for configuring your single-app kiosk. -Method | Description ---- | --- -[Locally, in Settings](#local) | The **Set up a kiosk** (previously named **Set up assigned access**) option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account.

                  This method is supported on Windows 10 Pro, Enterprise, and Education. -[PowerShell](#powershell) | You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.

                  This method is supported on Windows 10 Pro, Enterprise, and Education. -[The kiosk wizard in Windows Configuration Designer](#wizard) | Windows Configuration Designer is a tool that produces a *provisioning package*, which is a package of configuration settings that can be applied to one or more devices during the first-run experience (OOBE) or after OOBE is done (runtime). You can also create the kiosk user account and install the kiosk app, as well as other useful settings, using the kiosk wizard.

                  This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. -[Microsoft Intune or other mobile device management (MDM) provider](#mdm) | For managed devices, you can use MDM to set up a kiosk configuration.

                  This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. +- [Locally, in Settings](#local): The **Set up a kiosk** (previously named **Set up assigned access**) option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account. + This option supports: ->[!TIP] ->You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile). + - Windows 10 Pro, Enterprise, and Education + - Windows 11 + +- [PowerShell](#powershell): You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account. + + This option supports: + + - Windows 10 Pro, Enterprise, and Education + - Windows 11 + +- [The kiosk wizard in Windows Configuration Designer](#wizard): Windows Configuration Designer is a tool that produces a *provisioning package*. A provisioning package includes configuration settings that can be applied to one or more devices during the first-run experience (OOBE), or after OOBE is done (runtime). Using the kiosk wizard, you can also create the kiosk user account, install the kiosk app, and configure more useful settings. + + This option supports: + + - Windows 10 Pro version 1709+, Enterprise, and Education + - Windows 11 + +- [Microsoft Intune or other mobile device management (MDM) provider](#mdm): For devices managed by your organization, you can use MDM to set up a kiosk configuration. 
+ + This option supports: + + - Windows 10 Pro version 1709+, Enterprise, and Education + - Windows 11 + +> [!TIP] +> You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile). > ->Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk. - +> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk. ## Set up a kiosk in local Settings ->App type: UWP +>App type: +> - UWP > ->OS edition: Windows 10 Pro, Ent, Edu +>OS: +> - Windows 10 Pro, Ent, Edu +> - Windows 11 > ->Account type: Local standard user +>Account type: +> - Local standard user You can use **Settings** to quickly configure one or a few devices as a kiosk. -When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. +When your kiosk is a local device that isn't managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. -- If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do. +- If you want the kiosk account to sign in automatically, and the kiosk app launched when the device restarts, then you don't need to do anything. 
-- If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. +- If you don't want the kiosk account to sign in automatically when the device restarts, then you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account. Open the **Settings** app > **Accounts** > **Sign-in options**. Set the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. -![Screenshot of automatic sign-in setting.](images/auto-signin.png) + ![Screenshot of automatic sign-in setting.](images/auto-signin.png) -### Instructions for Windows 10, version 1809 +### Windows 10 version 1809+ / Windows 11 -When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1809, you create the kiosk user account at the same time. +When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows client, you create the kiosk user account at the same time. To set up assigned access in PC settings: -**To set up assigned access in PC settings** - -1. Go to **Start** > **Settings** > **Accounts** > **Other users**. +1. Open the **Settings** app > **Accounts**. Select **Other users** or **Family and other users**. 2. Select **Set up a kiosk > Assigned access**, and then select **Get started**. 
@@ -94,15 +115,15 @@ When you set up a kiosk (also known as *assigned access*) in **Settings** for Wi To remove assigned access, select the account tile on the **Set up a kiosk** page, and then select **Remove kiosk**. -### Instructions for Windows 10, version 1803 and earlier +### Windows 10 version 1803 and earlier -When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) +When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10 version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) ![The Set up assigned access page in Settings.](images/kiosk-settings.png) **To set up assigned access in PC settings** -1. Go to **Start** > **Settings** > **Accounts** > **Other people**. +1. Go to **Start** > **Settings** > **Accounts** > **Other people**. 2. Select **Set up assigned access**. 
@@ -110,26 +131,24 @@ When you set up a kiosk (also known as *assigned access*) in **Settings** for Wi 4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). -5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. +5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account signs in. To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. - - - - - - ## Set up a kiosk using Windows PowerShell ->App type: UWP +>App type: +> - UWP > ->OS edition: Windows 10 Pro, Ent, Edu +>OS: +> - Windows 10 Pro, Ent, Edu +> - Windows 11 > ->Account type: Local standard user +>Account type: +> - Local standard user ![PowerShell windows displaying Set-AssignedAccess cmdlet.](images/set-assignedaccess.png) 
@@ -137,59 +156,49 @@ You can use any of the following PowerShell cmdlets to set up assigned access on Before you run the cmdlet: -1. Log in as administrator. +1. Sign in as administrator. 2. [Create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) for Assigned Access. -3. Log in as the Assigned Access user account. +3. Sign in as the Assigned Access user account. 4. Install the Universal Windows app that follows the assigned access/above the lock guidelines. -5. Log out as the Assigned Access user account. -6. Log in as administrator. +5. Sign out as the Assigned Access user account. +6. Sign in as administrator. -To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. +To open PowerShell on Windows client, search for PowerShell, and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. 
-**Configure assigned access by AppUserModelID and user name** - -``` -Set-AssignedAccess -AppUserModelId -UserName -``` -**Configure assigned access by AppUserModelID and user SID** - -``` -Set-AssignedAccess -AppUserModelId -UserSID -``` -**Configure assigned access by app name and user name** - -``` -Set-AssignedAccess -AppName -UserName -``` -**Configure assigned access by app name and user SID** - -``` -Set-AssignedAccess -AppName -UserSID -``` +- **Configure assigned access by AppUserModelID and user name**: `Set-AssignedAccess -AppUserModelId -UserName ` +- **Configure assigned access by AppUserModelID and user SID**: `Set-AssignedAccess -AppUserModelId -UserSID ` +- **Configure assigned access by app name and user name**: `Set-AssignedAccess -AppName -UserName ` +- **Configure assigned access by app name and user SID**: `Set-AssignedAccess -AppName -UserSID ` > [!NOTE] -> To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. +> To set up assigned access using `-AppName`, the user account that you enter for assigned access must have signed in at least once. [Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md). [Learn how to get the AppName](/powershell/module/assignedaccess/set-assignedaccess) (see **Parameters**). -To remove assigned access, using PowerShell, run the following cmdlet. 
+To remove assigned access, using PowerShell, run the following cmdlet: -``` +```powershell Clear-AssignedAccess ``` - ## Set up a kiosk using the kiosk wizard in Windows Configuration Designer ->App type: UWP or Windows desktop application +>App type: +> - UWP +> - Windows desktop application > ->OS edition: Windows 10 Pro (version 1709 and later) for UWP only; Ent, Edu for both app types +>OS: +> - Windows 10 Pro version 1709+ for UWP only +> - Windows 10 Ent, Edu for UWP and Windows desktop applications +> - Windows 11 > ->Account type: Local standard user, Active Directory +>Account type: +> - Local standard user +> - Active Directory ![Kiosk wizard option in Windows Configuration Designer.](images/kiosk-wizard.png) @@ -199,69 +208,136 @@ Clear-AssignedAccess When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Windows desktop application. +[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and select **Next**, configure the following settings: -[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table. +1. Enable device setup: + :::image type="content" source="images/set-up-device-details.png" alt-text="In Windows Configuration Designer, enable device setup, enter the device name, the product key to upgrade, turn off shared use, and remove preinstalled software."::: + If you want to enable device setup, select **Set up device**, and configure the following settings: - - - - - - - - - -
                  step oneset up device

                  Enable device setup if you want to configure settings on this page.

                  If enabled:

                  Enter a name for the device.

                  (Optional) Select a license file to upgrade Windows 10 to a different edition. See the permitted upgrades.

                  Toggle Configure devices for shared use off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

                  You can also select to remove pre-installed software from the device.
                  device name, upgrade to enterprise, shared use, remove pre-installed software
                  step two set up network

                  Enable network setup if you want to configure settings on this page.

                  If enabled:

                  Toggle On or Off for wireless network connectivity. If you select On, enter the SSID, the network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.
                  Enter network SSID and type
                  step three account management

                  Enable account management if you want to configure settings on this page.

                  If enabled:

                  You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

                  To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

                  Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.

                  Warning: You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

                  To create a local administrator account, select that option and enter a user name and password.

                  Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
                  join Active Directory, Azure AD, or create a local admin account
                  step four add applications

                  You can provision the kiosk app in the Add applications step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see Provision PCs with apps

                  Warning: If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in Installer Path, and then a Cancel button becomes available, allowing you to complete the provisioning package without an application.
                  add an application
                  step five add certificates

                  To provision the device with a certificate for the kiosk app, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used.
                  add a certificate
                  step six Configure kiosk account and app

                  You can create a local standard user account that will be used to run the kiosk app. If you toggle No, make sure that you have an existing user account to run the kiosk app.

                  If you want to create an account, enter the user name and password, and then toggle Yes or No to automatically sign in the account when the device starts. (If you encounter issues with auto sign-in after you apply the provisioning package, check the Event Viewer logs for auto logon issues under Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational.)

                  In Configure the kiosk mode app, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
                  The 'Configure kiosk common settings' button as displayed while provisioning a kiosk device in Windows Configuration Designer.
                  step seven configure kiosk common settings

                  On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.
                  set tablet mode and configure welcome and shutdown and turn off timeout settings
                  The 'finish' button as displayed while provisioning a kiosk device in Windows Configuration Designer.

                  You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
                  Protect your package
                  + - **Device name**: Required. Enter a unique 15-character name for the device. You can use variables to add unique characters to the name, such as `Contoso-%SERIAL%` and `Contoso-%RAND:5%`. + - **Enter product key**: Optional. Select a license file to upgrade Windows client to a different edition. For more information, see [the permitted upgrades](/windows/deployment/upgrade/windows-10-edition-upgrades). + - **Configure devices for shared use**: This setting optimizes Windows client for shared use scenarios, and isn't necessary for a kiosk scenario. Set this value to **No**, which may be the default. + - **Remove pre-installed software**: Optional. Select **Yes** if you want to remove preinstalled software. +2. Set up the network: + + :::image type="content" source="images/set-up-network-details.png" alt-text="In Windows Configuration Designer, turn on wireless connectivity, enter the network SSID, and network type."::: + + If you want to enable network setup, select **Set up network**, and configure the following settings: + + - **Set up network**: To enable wireless connectivity, select **On**. + - **Network SSID**: Enter the Service Set Identifier (SSID) of the network. + - **Network type**: Select **Open** or **WPA2-Personal**. If you select **WPA2-Personal**, enter the password for the wireless network. + +3. Enable account management: + + :::image type="content" source="images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Azure AD, or create a local admin account."::: + + If you want to enable account management, select **Account Management**, and configure the following settings: + + - **Manage organization/school accounts**: Choose how devices are enrolled. Your options: + - **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain. 
+ - **Azure Active Directory**: Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Azure AD tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used. + + If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Azure AD, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions. + + You must run Windows Configuration Designer on Windows client to configure Azure AD enrollment using any of the wizards. + + - **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in. + +4. Add applications: + + :::image type="content" source="images/add-applications-details.png" alt-text="In Windows Configuration Designer, add an application that will run in kiosk mode."::: + + To add applications to the devices, select **Add applications**. You can install multiple applications in a provisioning package, including Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps. The settings in this step vary depending on the application you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md). + + > [!WARNING] + > If you select the plus button to add an application, you must enter an application for the provisioning package to validate. 
If you select the plus button by mistake, then: + > + > 1. In **Installer Path**, select any executable file. + > 2. When the **Cancel** button shows, select it. + > + > These steps let you complete the provisioning package without adding an application. + +5. Add certificates: + + :::image type="content" source="images/add-certificates-details.png" alt-text="In Windows Configuration Designer, add a certificate."::: + + To add a certificate to the devices, select **Add certificates**, and configure the following settings: + + - **Certificate name**: Enter a name for the certificate. + - **Certificate path**: Browse and select the certificate you want to add. + +6. Configure the kiosk account, and the kiosk mode app: + + :::image type="content" source="images/kiosk-account-details.png" alt-text="In Windows Configuration Designer, the Configure kiosk common settings button is shown when provisioning a kiosk device."::: + + To add the account that runs the app and choose the app type, select **Configure kiosk account and app**, and configure the following settings: + + - **Create a local standard user account to run the kiosk mode app**: Select **Yes** to create a local standard user account, and enter the **User name** and **Password**. This user account runs the app. If you select **No**, make sure you have an existing user account to run the kiosk app. + - **Auto sign-in**: Select **Yes** to automatically sign in the account when the device starts. **No** doesn't automatically sign in the account. If there are issues with auto sign-in after you apply the provisioning package, then check the Event Viewer logs for auto logon issues (`Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational`). + - **Configure the kiosk mode app**: Enter the **User name** of the account that will run the kiosk mode app. In **App type**, select the type of app to run. Your options: + - **Windows desktop application**: Enter the path or filename. 
If the file path is in the PATH environment variable, then you can use the filename. Otherwise, the full path is required. + - **Universal Windows app**: Enter the AUMID. + +7. Configure kiosk common settings: + + :::image type="content" source="images/kiosk-common-details.png" alt-text="In Windows Configuration Designer, set tablet mode, configure the welcome and shutdown screens, and turn off the power timeout settings."::: + + To configure the tablet mode, configure welcome and shutdown screens, and set the power settings, select **Configure kiosk common settings**, and configure the following settings: + + - **Set tablet mode** + - **Customize user experience** + - **Configure power settings** + +8. Finish: + + :::image type="content" source="images/finish-details.png" alt-text="In Windows Configuration Designer, protect your package with a password."::: + + To complete the wizard, select **Finish**, and configure the following setting: + + - **Protect your package**: Select **Yes** to password protect your provisioning package. When you apply the provisioning package to a device, you must enter this password. >[!NOTE] ->If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** +>If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** >[!IMPORTANT] >When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. 
You should store the project files in a secure location and delete the project files when they are no longer needed. - - - [Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md) - - - - - - - ## Set up a kiosk or digital sign using Microsoft Intune or other MDM service ->App type: UWP +>App type: +> - UWP > ->OS edition: Windows 10 Pro (version 1709), Ent, Edu +>OS: +> - Windows 10 Pro version 1709+, Ent, Edu +> - Windows 11 > ->Account type: Local standard user, Azure AD - - +>Account type: +> - Local standard user +> - Azure AD Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. >[!TIP] ->Starting in Windows 10, version 1803, a ShellLauncher node has been added to the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). +>A ShellLauncher node has been added to the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). -To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For other MDM services, see the documentation for your provider. +To configure a kiosk in Microsoft Intune, see [Windows client and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For other MDM services, see the documentation for your provider. ## Sign out of assigned access -To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. 
When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. +To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the sign in screen timeout, the kiosk app relaunches. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: -**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI** +`HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI` To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. - diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md index e34bee8204..83bba68ec0 100644 --- a/windows/configuration/kiosk-troubleshoot.md +++ b/windows/configuration/kiosk-troubleshoot.md 
@@ -1,8 +1,8 @@ --- -title: Troubleshoot kiosk mode issues (Windows 10) +title: Troubleshoot kiosk mode issues (Windows 10/11) description: Learn how to troubleshoot single-app and multi-app kiosk configurations, as well as common problems like sign-in issues. ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp keywords: ["lockdown", "app restrictions"] ms.prod: w10 @@ -20,12 +20,13 @@ ms.topic: article **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 ## Single-app kiosk issues >[!TIP] ->We recommend that you [enable logging for kiosk issues](kiosk-prepare.md#enable-logging). For some failures, events are only captured once. If you enable logging after an issue occurs with your kiosk, the logs may not capture those one-time events. In that case, prepare a new kiosk environment (such as a [virtual machine (VM)](kiosk-prepare.md#test-vm)), set up your kiosk account and configuration, and try to reproduce the problem. +>We recommend that you [enable logging for kiosk issues](kiosk-prepare.md#enable-logging). For some failures, events are only captured once. If you enable logging after an issue occurs with your kiosk, the logs may not capture those one-time events. In that case, prepare a new kiosk environment (such as a [virtual machine (VM)](kiosk-prepare.md#testing-your-kiosk-in-a-virtual-machine-vm)), set up your kiosk account and configuration, and try to reproduce the problem. ### Sign-in issues @@ -38,6 +39,9 @@ Check the Event Viewer logs for auto logon issues under **Applications and Servi ## Multi-app kiosk issues +> [!NOTE] +> [!INCLUDE [Multi-app kiosk mode not supported on Windows 11](./includes/multi-app-kiosk-support-windows11.md)] + ### Unexpected results For example: diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md index 13ba945753..a43d130016 100644 --- a/windows/configuration/kiosk-validate.md +++ b/windows/configuration/kiosk-validate.md 
@@ -1,8 +1,8 @@ --- -title: Validate kiosk configuration (Windows 10) -description: In this article, learn what to expect on a multi-app kiosk in Windows 10 Pro, Enterprise, and Education. +title: Validate kiosk configuration (Windows 10/11) +description: In this article, learn what to expect on a multi-app kiosk in Windows 10/11 Pro, Enterprise, and Education. ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] @@ -11,7 +11,6 @@ ms.mktglfcycl: manage ms.sitesec: library author: greg-lindsay ms.localizationpriority: medium -ms.date: 07/30/2018 ms.topic: article --- @@ -20,7 +19,8 @@ ms.topic: article **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 To identify the provisioning packages applied to a device, go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device. diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index 36dd8ce054..5ffdb783e5 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -1,8 +1,8 @@ --- -title: Assigned Access configuration kiosk XML reference (Windows 10) -description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10. +title: Assigned Access configuration kiosk XML reference (Windows 10/11) +description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10/11. ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp keywords: ["lockdown", "app restrictions", "applocker"] ms.prod: w10 
@@ -11,7 +11,6 @@ ms.sitesec: library ms.pagetype: edu, security author: greg-lindsay ms.localizationpriority: medium -ms.date: 10/02/2018 ms.author: greglin ms.topic: article --- @@ -21,7 +20,8 @@ ms.topic: article **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 ## Full XML sample @@ -255,9 +255,16 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom ``` ## Global Profile Sample XML -Global Profile is currently supported in Windows 10, version 2004. Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user. -This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in +Global Profile is supported on: + +- Windows 10 version 2004+ +- Windows 11 + +Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user. + +This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in. + ```xml [!NOTE] ->Updated for Windows 10, version 1903 and later. -Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. +>Updated for Windows 10, version 1903+. + +The following XML schema is for AssignedAccess Configuration up to Windows 10 1803 release: ```xml 
@@ -814,7 +822,8 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. ``` -Here is the schema for new features introduced in Windows 10 1809 release +The following XML is the schema for new features introduced in Windows 10 1809 release: + ```xml ``` -Schema for Windows 10, version 1909 and later +The following XML is the schema for Windows 10 version 1909+: + ```xml ``` -To authorize a compatible configuration XML that includes elements and attributes from Windows 10, version 1809 or newer, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the autolaunch feature that was added in Windows 10, version 1809, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10, version 1809, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. +To authorize a compatible configuration XML that includes elements and attributes from Windows 10 version 1809 or newer / Windows 11, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. + +For example, to configure the autolaunch feature that was added in Windows 10 version 1809 / Windows 11, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10 version 1809 / Windows 11, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. + ```xml [!NOTE] +> [!INCLUDE [Multi-app kiosk mode not supported on Windows 11](./includes/multi-app-kiosk-support-windows11.md)] + A [kiosk device](./kiosk-single-app.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. 
In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. The following table lists changes to multi-app kiosk in recent updates. -| New features and improvements | In update | -|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| - Configure [a single-app kiosk profile](#profile) in your XML file

                  - Assign [group accounts to a config profile](#config-for-group-accounts)

                  - Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 | +| New features and improvements | In update | +| --- | ---| +| - Configure [a single-app kiosk profile](#profile) in your XML file

                  - Assign [group accounts to a config profile](#config-for-group-accounts)

                  - Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 | | - Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)

                  - [Automatically launch an app](#allowedapps) when the user signs in

                  - Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809

                  **Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `https://schemas.microsoft.com/AssignedAccess/201810/config`. | >[!WARNING] @@ -43,7 +45,10 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi ## Configure a kiosk in Microsoft Intune -To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For explanations of the specific settings, see [Windows 10 and later device settings to run as a kiosk in Intune](/intune/kiosk-settings-windows). +To configure a kiosk in Microsoft Intune, see: + +- [Windows client and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings) +- [Windows client device settings to run as a kiosk in Intune](/intune/kiosk-settings-windows) @@ -59,7 +64,7 @@ Watch how to use a provisioning package to configure a multi-app kiosk. >[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false] -If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md). +If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#use-mdm-to-deploy-the-multi-app-configuration), or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md). ### Prerequisites 
@@ -114,7 +119,7 @@ You can start your file by pasting the following XML (or any other examples in t There are two types of profiles that you can specify in the XML: - **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen. -- **Kiosk profile**: New in Windows 10, version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode. +- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode. A lockdown profile section in the XML has the following entries: 
@@ -146,7 +151,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can ##### AllowedApps -**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. In Windows 10, version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. +**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Starting with Windows 10 version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. - For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md), or [get the AUMID from the Start Layout XML](#startlayout). - For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%). 
@@ -189,7 +194,7 @@ The following example allows Groove Music, Movies & TV, Photos, Weather, Calcula ##### FileExplorerNamespaceRestrictions -Starting in Windows 10, version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. This can also be set using Microsoft Intune. +Starting in Windows 10 version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. This can also be set using Microsoft Intune. The following example shows how to allow user access to the Downloads folder in the common file dialog box. @@ -231,7 +236,7 @@ FileExplorerNamespaceRestriction has been extended in current Windows 10 Prerele After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen. -The easiest way to create a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md). +The easiest way to create a customized Start layout to apply to other Windows client devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md). A few things to note here: 
@@ -269,7 +274,7 @@ This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, ``` >[!NOTE] ->If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen. +>If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen. ![What the Start screen looks like when the XML sample is applied.](images/sample-start.png) @@ -333,7 +338,7 @@ The following example shows how to specify an account to sign in automatically. ``` -In Windows 10, version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World". +Starting with Windows 10 version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World". ```xml 
@@ -411,7 +416,7 @@ Group accounts are specified using ``. Nested groups are not supporte #### [Preview] Global Profile -Global profile is added in current Windows 10 Prerelease. There are times when IT Admin wants to everyone who logging into a specific devices are assigned access users, even there is no dedicated profile for that user, or there are times that Assigned Access could not identify a profile for the user and a fallback profile is wished to use. Global Profile is designed for these scenarios. +Global profile is added in Windows 10. There are times when IT Admin wants to everyone who logging into a specific devices are assigned access users, even there is no dedicated profile for that user, or there are times that Assigned Access could not identify a profile for the user and a fallback profile is wished to use. Global Profile is designed for these scenarios. Usage is demonstrated below, by using the new xml namespace and specify GlobalProfile from that namespace. When GlobalProfile is configured, a non-admin account logs in, if this user does not have designated profile in Assigned Access, or Assigned Access fails to determine a profile for current user, global profile will be applied for the user. @@ -538,7 +543,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime"). >[!TIP] ->In addition to the methods below, you can use the PowerShell comdlet [install-provisioningpackage](/powershell/module/provisioning/Install-ProvisioningPackage?view=win10-ps) with `-LogsDirectoryPath` to get logs for the operation. +>In addition to the methods below, you can use the PowerShell comdlet [install-provisioningpackage](/powershell/module/provisioning/Install-ProvisioningPackage) with `-LogsDirectoryPath` to get logs for the operation. #### During initial setup, from a USB drive 
@@ -572,7 +577,6 @@ Provisioning packages can be applied to a device during the first-run experience ![add a package option.](images/package.png) - ### Use MDM to deploy the multi-app configuration Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML. diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index ac5d6ad1fd..df13bd302b 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md @@ -13,14 +13,13 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 --- # Lockdown features from Windows Embedded 8.1 Industry **Applies to** -- Windows 10 +- Windows 10 Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation. @@ -90,7 +89,7 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be MDM and Group Policy

                  The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.

                  Group Policy: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions

                  -

                  MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow removable storage or Allow USB connection (Windows 10 Mobile only).

                  +

                  MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Removable storage.

                  Assigned Access: launch a UWP app on sign-in and lock access to system

                  diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md index 6dc4c73ddb..bbdaae9711 100644 --- a/windows/configuration/manage-wifi-sense-in-enterprise.md +++ b/windows/configuration/manage-wifi-sense-in-enterprise.md @@ -12,15 +12,14 @@ ms.sitesec: library ms.pagetype: mobile author: greg-lindsay ms.localizationpriority: medium -ms.date: 05/02/2018 ms.topic: article --- # Manage Wi-Fi Sense in your company -**Applies to:** -- Windows 10 -- Windows 10 Mobile +**Applies to** + +- Windows 10 version 1709 and older >[!IMPORTANT] >Beginning with Windows 10, version 1803, Wifi-Sense is no longer available. The following information only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) for more details. diff --git a/windows/configuration/mobile-devices/configure-mobile.md b/windows/configuration/mobile-devices/configure-mobile.md deleted file mode 100644 index fd9c3065aa..0000000000 --- a/windows/configuration/mobile-devices/configure-mobile.md +++ /dev/null 
@@ -1,33 +0,0 @@
----
-title: Configure Windows 10 Mobile devices
-description:
-keywords: Windows 10, MDM, WSUS, Windows update
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: greg-lindsay
-ms.author: greglin
-ms.topic: article
-ms.date: 07/27/2017
-ms.reviewer:
-manager: dansimp
----
-
-# Configure Windows 10 Mobile devices
-
-Windows 10 Mobile enables administrators to define what users can see and do on a device, which you might think of as "configuring" or "customizing" or "device lockdown". Your device configuration can provide a standard Start screen with pre-installed apps, or restrict various settings and features, or even limit the device to run only a single app (kiosk).
-
-## In this section
-
-| Topic | Description |
-| --- | --- |
-| [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) | You can configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select. |
-| [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md) | Use Windows Configuration Designer to create provisioning packages. Using provisioning packages, you can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. |
-| [Use the Lockdown Designer app to configure Windows 10 Mobile devices](mobile-lockdown-designer.md) | The Lockdown Designer app provides a guided wizard-like process to generate a Lockdown XML file that you can apply to devices running Windows 10 Mobile. |
-| [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) | Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. |
-| [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md) | On Windows 10 Mobile, you can use the XML-based layout to modify the Start screen and provide the most robust and complete Start customization experience. This reference topic describes the supported elements and attributes for the LayoutModification.xml file. |
-| [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) | This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. |
-| [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) | You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user. |
-
diff --git a/windows/configuration/mobile-devices/images/doneicon.png b/windows/configuration/mobile-devices/images/doneicon.png
deleted file mode 100644
index d80389f35b..0000000000
Binary files a/windows/configuration/mobile-devices/images/doneicon.png and /dev/null differ
diff --git a/windows/configuration/mobile-devices/lockdown-xml.md b/windows/configuration/mobile-devices/lockdown-xml.md
deleted file mode 100644
index 87f2b7b7cf..0000000000
--- a/windows/configuration/mobile-devices/lockdown-xml.md
+++ /dev/null
@@ -1,868 +0,0 @@ ---- -title: Configure Windows 10 Mobile using Lockdown XML (Windows 10) -description: Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. -ms.assetid: 22C8F654-2EC3-4E6D-8666-1EA9FCF90F5F -ms.reviewer: -manager: dansimp -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security, mobile -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.localizationpriority: medium -ms.date: 07/27/2017 ---- - -# Configure Windows 10 Mobile using Lockdown XML - - -**Applies to** - -- Windows 10 Mobile - -Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. - -This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. - -In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/enterpriseassignedaccess-csp). This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices. You can also use the [Lockdown Designer app](mobile-lockdown-designer.md) to configure and export your lockdown XML file. - -> [!NOTE] -> On Windows 10 desktop editions, *assigned access* is a feature that lets you configure the device to run a single app above the lockscreen ([kiosk mode](../kiosk-methods.md)). 
On a Windows 10 Mobile device, assigned access refers to the lockdown settings in AssignedAccessXml in the [EnterpriseAssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/enterpriseassignedaccess-csp). - -If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](../provisioning-packages/how-it-pros-can-use-configuration-service-providers.md) first. - -## Overview of the lockdown XML file - -Let's start by looking at the basic structure of the lockdown XML file. You can start your file by pasting the following XML (or any other examples in this topic) into a text or XML editor, and saving the file as *filename*.xml. - -```xml - - - - - - - - - - - - - -``` - -**Default** and the entries beneath it establish the default device settings that are applied for every user. The device will always boot to this Default role. You can create additional roles on the device, each with its own settings, in the same XML file. [Learn how to add roles.](#configure-additional-roles) - -The settings for the Default role and other roles must be listed in your XML file in the order presented in this topic. All of the entries are optional. If you don't include a setting, that aspect of the device will operate as it would for an nonconfigured device. - ->[!TIP] ->Keep your XML file easy to work with and to understand by using proper indentation and adding comments for each setting you configure. - -## Action Center - -![XML for Action Center.](../images/ActionCenterXML.jpg) - -The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. - -In the following example, the Action Center is enabled and both policies are disabled. 
- -```xml - -``` - -In the following example, Action Center and the toast policy are enabled, and the notifications policy is disabled. - -```xml - -``` - -The following example is a complete lockdown XML file that disables Action Center, notifications, and toasts. - -```xml - - - - - - - -``` - -## Apps - -![XML for Apps.](../images/AppsXML.png) - -The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running. - -You provide the App User Model ID (AUMID) and product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you also provide the ADUMID to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md) - -The following example makes Outlook Calendar available on the device. - -```xml - - - - - -``` - -When you list an app, you can also set the app to be pinned to the Start screen by specifying the tile size and location. Tip: draw a grid and mark your app tiles on it to make sure you get the result you want. The width (X axis) in the following example is the limit for Windows 10 Mobile, but the length (Y axis) is unlimited. The number of columns available to you depends on the value for [StartScreenSize](#start-screen-size). - -![Grid to lay out tiles for Start.](../images/StartGrid.jpg) - -Tile sizes are: -* Small: 1x1 -* Medium: 2x2 -* Large: 2x4 - -Based on 6 columns, you can pin six small tiles or three medium tiles on a single row. A large tile can be combined with two small tiles or one medium tile on the same row. Obviously, you cannot set a medium tile for LocationX=5, or a large tile for LocationX=3, 4, or 5. 
- -If the tile configuration in your file exceeds the available width, such as setting a large tile to start at position 3 on the X axis, that tile is appended to the bottom of the Start screen. Also, if the tile configuration in your file would result in tiles overlapping each other, the overlapping tiles are instead appended to the bottom of the Start screen. - -In the following example, Outlook Calendar and Outlook Mail are pinned to the Start screen, and the Store app is allowed but is not pinned to Start. - -```xml - - - - - Large - - 0 - 0 - - - - - - - Medium - - 4 - 0 - - - - - - -``` - -That layout would appear on a device like this: - -![Example of the layout on a Start screen.](../images/StartGridPinnedApps.jpg) - -You can create and pin folders to Start by using the Apps setting. Each folder requires a **folderId**, which must be a consecutive positive integer starting with `1`. You can also specify a **folderName** (optional) which will be displayed on Start. - -```xml - - - - - Medium - - 4 - 0 - - - - -``` - -To add apps to the folder, include **ParentFolderId** in the application XML, as shown in the following example: - -```xml - - - - - Large - - 0 - 0 - - 1 - - - - - - Medium - - 4 - 0 - - 1 - - - -``` -When an app is contained in a folder, its **PinToStart** configuration (tile size and location) applies to its appearance when the folder is opened. - -## Buttons - -![XML for buttons.](../images/ButtonsXML.jpg) - -In the Buttons setting, you use ButtonLockdownList to disable hardware buttons and ButtonRemapList to change button events to open an app that you specify. - -### ButtonLockdownList - -When a user taps a button that is in the lockdown list, nothing will happen. The following table lists which events can be disabled for each button. 
- -Button | Press | PressAndHold | All ----|:---:|:---:|:--:|- -Start | ![no.](../images/crossmark.png) | ![yes](../images/checkmark.png) | ![no](../images/crossmark.png) -Back | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) -Search | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) -Camera | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) -Custom 1, 2, and 3 | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) - -> [!NOTE] -> Custom buttons are hardware buttons that can be added to devices by OEMs. - -In the following example, press-and-hold is disabled for the Back button. - -```xml - - - - - -``` - -If you don't specify a button event, all actions for the button are disabled. In the next example, all actions are disabled for the camera button. - -```xml - - - - - -``` - -### ButtonRemapList - -ButtonRemapList lets you change the app that a button will run. You can remap the Search button and any custom buttons included by the OEM. You can't remap the Back, Start, or Camera buttons. - -> [!WARNING] -> Button remapping can enable a user to open an application that is not in the allow list for that user role. Use button lock down to prevent application access for a user role. - -To remap a button, you specify the button, the event, and the product ID for the app that you want the event to open. -In the following example, when a user presses the Search button, the phone dialer will open instead of the Search app. - -```xml - - - - - -``` - -## CSPRunner - -![XML for CSP Runner.](../images/CSPRunnerXML.jpg) - -You can use CSPRunner to include settings that are not defined in AssignedAccessXML. For example, you can include settings from other sections of EnterpriseAssignedAccess CSP, such as lockscreen, theme, and time zone. 
You can also include settings from other CSPs, such as [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) or [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). - -CSPRunner is helpful when you are configuring a device to support multiple roles. It lets you apply different policies according to the role that is signed on. For example, Wi-Fi could be enabled for a supervisor role and disabled for a stocking clerk role. - -In CSPRunner, you specify the CSP and settings using SyncML, a standardized markup language for device management. A SyncML section can include multiple settings, or you can use multiple SyncML sections -- it's up to you how you want to organize settings in this section. - -> [!NOTE] -> This description of SyncML is just the information that you need to use SyncML in a lockdown XML file. To learn more about SyncML, see [Structure of OMA DM provisioning files](/windows/client-management/mdm/structure-of-oma-dm-provisioning-files). - -Let's start with the structure of SyncML in the following example: - -```xml -SyncML> - - | - # - - - CSP Path - - - Data Type - - Value - - | - - - -``` - -This table explains the parts of the SyncML structure. - -SyncML entry | Description ----|--- -**Add** or **Replace** | Use **Add** to apply a setting or policy that is not already configured. Use **Replace** to change an existing setting or policy. -**CmdID** | SyncBody can contain multiple commands. Each command in a lockdown XML file must have a different **CmdID** value. -**Item** | **Item** is a wrapper for a single setting. You can include multiple items for the command if they all use the same **Add** or **Replace** operation. -**Target > LocURI** | **LocURI** is the path to the CSP. -**Meta > Format** | The data format required by the CSP. -**Data** | The value for the setting. 
- - -## Menu items - -![XML for menu items.](../images/MenuItemsXML.png) - -Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Apps list. You can include this entry in the default profile and in any additional user role profiles that you create. - -```xml - - - -``` - -## Settings - -![XML for settings.](../images/SettingsXML.png) - -The **Settings** section contains an `allow` list of pages in the Settings app and quick actions. The following example allows all settings. - -```xml - - - - ``` -In earlier versions of Windows 10, you used the page name to define allowed settings. Starting in Windows 10, version 1703, you use the settings URI. - -In the following example for Windows 10, version 1703, all system setting pages that have a settings URI are enabled. - -```xml - - - - - - - - - - - -``` - -If you list a setting or quick action in **Settings**, all settings and quick actions that are not listed are blocked. To remove access to all of the settings in the system, do not include the settings application in [Apps](#apps). - -For a list of the settings and quick actions that you can allow or block, see [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md). - - - ## Tiles - - ![XML for tiles.](../images/TilesXML.png) - - By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile. - - > [!IMPORTANT] - > If a device is turned off then back on, the tiles reset to their predefined layout. 
If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile. - - ```xml - - - - ``` - - ## Start screen size - - Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: - -- Small sets the width to 4 columns on devices with short axis (less than 400epx) or 6 columns on devices with short axis (greater than or equal to 400epx). -- Large sets the width to 6 columns on devices with short axis (less than 400epx) or 8 columns on devices with short axis (greater than or equal to 400epx). - - If you have existing lockdown xml, you must update start screen size if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. - - [Learn about effective pixel width (epx) for different device size classes.](/windows/uwp/design/layout/screen-sizes-and-breakpoints-for-responsive-design) - - -## Configure additional roles - -You can add custom configurations by role. In addition to the role configuration, you must also install a login application on the device. The app displays a list of available roles on the device; the user taps a role, such as "Manager"; the configuration defined for the "Manager" role is applied. - -[Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) For reference, see the [Windows.Embedded.DeviceLockdown API](/uwp/api/Windows.Embedded.DeviceLockdown). - -In the XML file, you define each role with a GUID and name, as shown in the following example: - -```xml - -``` - -You can create a GUID using a GUID generator -- free tools are available online. 
The GUID needs to be unique within this XML file. - -You can configure the same settings for each role as you did for the default role, except Start screen size which can only be configured for the default role. If you use CSPRunner with roles, be aware that the last CSP setting applied will be retained across roles unless explicitly changed in each role configuration. CSP settings applied by CSPRunner may conflict with settings applied by MDM. - -```xml - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Validate your XML - -You can validate your lockdown XML file against the [EnterpriseAssignedAccess XSD](/windows/client-management/mdm/enterpriseassignedaccess-xsd). - -## Add lockdown XML to a provisioning package - - -Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](https://go.microsoft.com/fwlink/p/?LinkId=526740) - -1. Follow the instructions at [Build and apply a provisioning package](../provisioning-packages/provisioning-create-package.md) to create a project, selecting **Common to all Windows mobile editions** for your project. - -2. In **Available customizations**, go to **Runtime settings** > **EmbeddedLockdownProfiles** > **AssignedAccessXml**. - -3. In the center pane, click **Browse** to locate and select the lockdown XML file that you created. - - ![browse button.](../images/icdbrowse.png) - -4. On the **File** menu, select **Save.** - -5. On the **Export** menu, select **Provisioning package**. - -6. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -7. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. 
- - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. - -8. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. - - Optionally, you can click **Browse** to change the default output location. - -9. Click **Next**. - -10. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -11. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -After you build the provisioning package, follow the instructions for [applying a provisioning package at runtime to Windows 10 Mobile](../provisioning-packages/provisioning-create-package.md). 
- -## Push lockdown XML using MDM - - -After you deploy your devices, you can still configure lockdown settings through your MDM solution if it supports the [EnterpriseAssignedAccess CSP](/windows/client-management/mdm/enterpriseassignedaccess-csp). - -To push lockdown settings to enrolled devices, use the AssignedAccessXML setting and use the lockdown XML as the value. The lockdown XML will be in a HandheldLockdown section that becomes XML embedded in XML, so the XML that you enter must use escaped characters (such as `<` in place of <). After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device. - -## Full Lockdown.xml example - -```xml - - - - - - - - - Large - - 0 - 0 - - - - - - - Small - - 0 - 2 - - - - - - - Medium - - 2 - 2 - - - - - - - - - - - - - - - - - - - - - - - - - - 1 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID - - - int - - - 7 - - - - - - - - - 1 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground - - - int - - - 1 - - - - - - - - - 2 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName - - - chr - text/plain - - c:\windows\system32\lockscreen\480x800\Wallpaper_05.jpg - - - - - - - - - - - - - - - - - - - - - - - - Small - - - - - - - - - Small - - 0 - 0 - - - - - - - Large - - 0 - 2 - - - - - - - - - - - - 1 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID - - - int - - - 10 - - - - - - - - - 1 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground - - - int - - - 0 - - - - - - - - - 2 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName - - - chr - text/plain - - c:\windows\system32\lockscreen\480x800\Wallpaper_08.jpg - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Small - - 0 - 0 - - - - - - - Small - - 1 - 0 - - - - - - - Medium - - 2 - 0 - - - - - - - - - Small - - 0 - 2 - - - - - - - Medium - - 2 - 2 - - - - - - - - - - - - 1 - - - 
./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID - - - int - - - 2 - - - - - - - - - 1 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground - - - int - - - 1 - - - - - - - - - 2 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName - - - chr - text/plain - - c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg - - - - - - - - - - - - - - - - - - -``` - -## Learn more - -[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508) - -## Related topics - - -[Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) - -[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) \ No newline at end of file diff --git a/windows/configuration/mobile-devices/mobile-lockdown-designer.md b/windows/configuration/mobile-devices/mobile-lockdown-designer.md deleted file mode 100644 index a7d82f6088..0000000000 --- a/windows/configuration/mobile-devices/mobile-lockdown-designer.md +++ /dev/null 
@@ -1,172 +0,0 @@ ---- -title: Use the Lockdown Designer app to create a Lockdown XML file (Windows 10) -description: -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp ---- - -# Use the Lockdown Designer app to create a Lockdown XML file - -![Lockdown Designer in the Store.](../images/ldstore.png) - -Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. - -When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. You can deploy the lockdown XML file by [adding it to a provisioning package](lockdown-xml.md#add-lockdown-xml-to-a-provisioning-package) or [by using mobile device management (MDM)](lockdown-xml.md#push-lockdown-xml-using-mdm). - -The Lockdown Designer app helps you configure and create a lockdown XML file that you can apply to devices running Windows 10 Mobile, version 1703, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Lockdown Designer also validates the XML. Using Lockdown Designer is easier than [manually creating a lockdown XML file](lockdown-xml.md). - - - -## Overview - -Lockdown Designer can be installed on a PC running Windows 10, version 1607 or later. After you install the app, you connect a mobile device running Windows 10 Mobile, version 1703, to the PC. - ->[!NOTE] ->Lockdown Designer will not make any changes to the connected device, but we recommend that you use a test device. 
- -Lockdown Designer will populate the available settings and apps to configure from the connected device. Using the different pages in the app, you select the settings, apps, and layout to be included in the lockdown XML. - -When you're done, you export the configuration to a lockdown XML file. This configuration can be applied to any device running Windows 10 Mobile, version 1703. - ->[!NOTE] ->You can also import an existing WEHLockdown.xml file to Lockdown Designer and modify it in the app. - -## Prepare the test mobile device - -Perform these steps on the device running Windows 10 Mobile that you will use to supply the settings, apps, and layout to Lockdown Designer. - -1. Install all apps on the device that you want to include in the configuration, including line-of-business apps. - -2. On the mobile device, go to **Settings** > **Update & security** > **For developers**, enable **Developer mode**. - -3. Read the disclaimer, then click **Yes** to accept the change. - -4. Enable **Device discovery**, and then turn on **Device Portal**. - ->[!IMPORTANT] ->Check **Settings > Personalization > Start > Show more tiles** on the test mobile device. If **Show more tiles** is **On**, you must select **Large** on the [**Start screen** page](#start) in Lockdown Designer. If you want to apply a **Small** layout, set **Show more tiles** on the test mobile device to **Off**. -> ->![turn off show more tiles for small start screen size.](../images/show-more-tiles.png) - -## Prepare the PC - -[Install Lockdown Designer](https://www.microsoft.com/store/r/9nblggh40753) on the PC. - -If the PC and the test mobile device are on the same Wi-Fi network, you can connect the devices using Wi-Fi. - -If you want to connect the PC and the test mobile device using a USB cable, perform the following steps on the PC: - -1. [Install the Windows 10 Software Development Kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-10-sdk). 
This enables the **Windows Phone IP over USB Transport (IpOverUsbSvc)** service. - -2. Open a command prompt as an administrator and run `checknetisolation LoopbackExempt -a -n=microsoft.lockdowndesigner_8wekyb3d8bbwe` - - >[!NOTE] - >Loopback is permitted only for development purposes. To remove the loopback exemption when you're done using Lockdown Designer, run `checknetisolation LoopbackExempt -d -n=microsoft.lockdowndesigner_8wekyb3d8bbwe` - - - - -## Connect the mobile device to Lockdown Designer - -**Using Wi-Fi** - -1. Open Lockdown Designer. - -2. Click **Create new project**. - -3. On the test mobile device, go to **Settings** > **Update & security** > **For developers** > **Connect using:** and get the IP address listed for **Wi-Fi**. - -2. On the **Project setting** > **General settings** page, in **Remote device IP address**, enter the IP address for the test mobile device, using `https://`. - -3. Click **Pair**. - - ![Pair.](../images/ld-pair.png) - - **Connect to remote device** appears. - -4. On the mobile device, under **Device discovery**, tap **Pair**. A case-sensitive code is displayed. - -5. On the PC, in **Connect to remote device**, enter the code from the mobile device. - -6. Next, click **Sync** to pull information from the device in to Lockdown Designer. - - ![Sync.](../images/ld-sync.png) - -7. Click the **Save** icon and enter a name for your project. - -**Using a USB cable** - -1. Open Lockdown Designer. - -2. Click **Create new project**. - -2. Connect a Windows 10 Mobile device to the PC by USB and unlock the device. - -3. On the **Project setting** > **General settings** page, click **Pair**. - - ![Pair.](../images/ld-pair.png) - - **Connect to remote device** appears. - -4. On the mobile device, under **Device discovery**, tap **Pair**. A case-sensitive code is displayed. - -5. On the PC, in **Connect to remote device**, enter the code from the mobile device. - -6. 
Next, click **Sync** to pull information from the device in to Lockdown Designer. - - ![Sync.](../images/ld-sync.png) - -7. Click the **Save** icon and enter a name for your project. - - -## Configure your lockdown XML settings - -The apps and settings available in the pages of Lockdown Designer should now be populated from the test mobile device. The following table describes what you can configure on each page. - -| Page | Description | -| --- | --- | -| ![Applications.](../images/ld-apps.png) | Each app from the test mobile device is listed. Select the apps that you want visible to users.

                  You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. | -| ![CSP Runner.](../images/ld-csp.png) | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner) | -| ![Settings.](../images/ld-settings.png) | On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI. | -| ![Quick actions.](../images/ld-quick.png) | On this page, you select the settings that you want visible to users. | -| ![Buttons.](../images/ld-buttons.png) | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.

                  Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. | -| ![Other settings.](../images/ld-other.png) | This page contains several settings that you can configure:

                  - The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.

                  - Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.

                  - The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. | -| ![Start screen.](../images/ld-start.png) | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)

                  On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.

                  When you are done changing the layout on the test mobile device, click **Accept** on the PC. | - - -## Validate and export - -On the **Validate and export** page, click **Validate** to make sure your lockdown XML is valid. - ->[!WARNING] ->Lockdown Designer cannot validate SyncML that you imported to CSPRunner. - -Click **Export** to generate the XML file for your project. You can select the location to save the file. - -## Create and configure multiple roles - -You can create additional roles for the device and have unique configurations for each role. For example, you could have one configuration for a **Manager** role and a different configuration for a **Salesperson** role. - ->[!NOTE] ->Using multiple roles on a device requires a login application that displays the list of roles and allows users to sign in to Azure Active Directory. [Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) - -**For each role:** - -1. On the **Project setting** page, click **Role management**. - -2. Click **Add a role**. - -3. Enter a name for the role, and then click **Save**. - -4. Configure the settings for the role as above, but make sure on each page that you select the correct role. - - ![Current role selection box.](../images/ld-role.png) \ No newline at end of file diff --git a/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md b/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md deleted file mode 100644 index fbea1f61d8..0000000000 --- a/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md +++ /dev/null 
@@ -1,254 +0,0 @@ ---- -title: Product IDs in Windows 10 Mobile (Windows 10) -description: You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user. -ms.assetid: 31116BED-C16A-495A-BD44-93218A087A1C -ms.reviewer: -manager: dansimp -keywords: ["lockdown"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: mobile -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.localizationpriority: medium -ms.date: 07/27/2017 ---- - -# Product IDs in Windows 10 Mobile - - -**Applies to** - -- Windows 10 Mobile - -You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user. - -## Apps included in Windows 10 Mobile - - -The following table lists the product ID and AUMID for each app that is included in Windows 10 Mobile. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  AppProduct IDAUMID
                  Alarms and clock44F7D2B4-553D-4BEC-A8B7-634CE897ED5FMicrosoft.WindowsAlarms_8wekyb3d8bbwe!App
                  CalculatorB58171C6-C70C-4266-A2E8-8F9C994F4456Microsoft.WindowsCalculator_8wekyb3d8bbwe!App
                  CameraF0D8FEFD-31CD-43A1-A45A-D0276DB069F1Microsoft.WindowsCamera_8wekyb3d8bbwe!App
                  Contact Support0DB5FCFF-4544-458A-B320-E352DFD9CA2BWindows.ContactSupport_cw5n1h2txyewy!App
                  CortanaFD68DCF4-166F-4C55-A4CA-348020F71B94Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
                  ExcelEAD3E7C0-FAE6-4603-8699-6A448138F4DCMicrosoft.Office.Excel_8wekyb3d8bbwe!microsoft.excel
                  Facebook82A23635-5BD9-DF11-A844-00237DE2DB9EMicrosoft.MSFacebook_8wekyb3d8bbwe!x82a236355bd9df11a84400237de2db9e
                  File ExplorerC5E2524A-EA46-4F67-841F-6A9465D9D515c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy!App
                  FM RadioF725010E-455D-4C09-AC48-BCDEF0D4B626N/A
                  Get StartedB3726308-3D74-4A14-A84C-867C8C735C3CMicrosoft.Getstarted_8wekyb3d8bbwe!App
                  Groove MusicD2B6A184-DA39-4C9A-9E0A-8B589B03DEC0Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic
                  MapsED27A07E-AF57-416B-BC0C-2596B622EF7DMicrosoft.WindowsMaps_8wekyb3d8bbwe!App
                  Messaging27E26F40-E031-48A6-B130-D1F20388991AMicrosoft.Messaging_8wekyb3d8bbwe!x27e26f40ye031y48a6yb130yd1f20388991ax
                  Microsoft Edge395589FB-5884-4709-B9DF-F7D558663FFDMicrosoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
                  Money1E0440F1-7ABF-4B9A-863D-177970EEFB5EMicrosoft.BingFinance_8wekyb3d8bbwe!AppexFinance
                  Movies and TV6AFFE59E-0467-4701-851F-7AC026E21665Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo
                  News9C3E8CAD-6702-4842-8F61-B8B33CC9CAF1Microsoft.BingNews_8wekyb3d8bbwe!AppexNews
                  OneDriveAD543082-80EC-45BB-AA02-FFE7F4182BA8Microsoft.MicrosoftSkydrive_8wekyb3d8bbwe!App
                  OneNoteCA05B3AB-F157-450C-8C49-A1F127F5E71DMicrosoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim
                  Outlook Calendar

                  A558FEBA-85D7-4665-B5D8-A2FF9C19799B

                  Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Calendar

                  Outlook Mail

                  A558FEBA-85D7-4665-B5D8-A2FF9C19799B

                  Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail

                  People60BE1FB8-3291-4B21-BD39-2221AB166481Microsoft.People_8wekyb3d8bbwe!xb94d6231y84ddy49a8yace3ybc955e769e85x
                  Phone (dialer)F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7Microsoft.CommsPhone_8wekyb3d8bbwe!App
                  PhotosFCA55E1B-B9A4-4289-882F-084EF4145005Microsoft.Windows.Photos_8wekyb3d8bbwe!App
                  PodcastsC3215724-B279-4206-8C3E-61D1A9D63ED3Microsoft.MSPodcast_8wekyb3d8bbwe!xc3215724yb279y4206y8c3ey61d1a9d63ed3x
                  PowerpointB50483C4-8046-4E1B-81BA-590B24935798Microsoft.Office.PowerPoint_8wekyb3d8bbwe!microsoft.pptim
                  Settings2A4E62D8-8809-4787-89F8-69D0F01654FB2a4e62d8-8809-4787-89f8-69d0f01654fb_8wekyb3d8bbwe!App
                  SkypeC3F8E570-68B3-4D6A-BDBB-C0A3F4360A51Microsoft.SkypeApp_kzf8qxf38zg5c!Skype.AppId
                  Skype Video27E26F40-E031-48A6-B130-D1F20388991AMicrosoft.Messaging_8wekyb3d8bbwe!App
                  Sports0F4C8C7E-7114-4E1E-A84C-50664DB13B17Microsoft.BingSports_8wekyb3d8bbwe!AppexSports
                  Storage5B04B775-356B-4AA0-AAF8-6491FFEA564DN/A
                  Store7D47D89A-7900-47C5-93F2-46EB6D94C159Microsoft.WindowsStore_8wekyb3d8bbwe!App
                  Voice recorder7311B9C5-A4E9-4C74-BC3C-55B06BA95AD0Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe!App
                  Wallet587A4577-7868-4745-A29E-F996203F1462Microsoft.MicrosoftWallet_8wekyb3d8bbwe!App
                  Weather63C2A117-8604-44E7-8CEF-DF10BE3A57C8Microsoft.BingWeather_8wekyb3d8bbwe!App
                  Windows Feedback7604089D-D13F-4A2D-9998-33FC02B63CE3Microsoft.WindowsFeedback_8wekyb3d8bbwe!App
                  Word258F115C-48F4-4ADB-9A68-1387E634459BMicrosoft.Office.Word_8wekyb3d8bbwe!microsoft.word
                  XboxB806836F-EEBE-41C9-8669-19E243B81B83Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp
                  - -  - - - -## Related topics - - -[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) - -[Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) - -  - -  - - - - - diff --git a/windows/configuration/mobile-devices/provisioning-configure-mobile.md b/windows/configuration/mobile-devices/provisioning-configure-mobile.md deleted file mode 100644 index b2cd8a0e5c..0000000000 --- a/windows/configuration/mobile-devices/provisioning-configure-mobile.md +++ /dev/null 
@@ -1,91 +0,0 @@ ---- -title: Configure Windows 10 Mobile devices with Configuration Designer -description: Use Windows Configuration Designer to configure Windows 10 Mobile devices -keywords: phone, handheld, lockdown, customize -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp ---- - -# Use Windows Configuration Designer to configure Windows 10 Mobile devices - -Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using provisioning packages, you can easily specify desired configuration, settings, and information required to enroll the devices into management, and then apply that configuration to target devices in a matter of minutes. - -A provisioning package (.ppkg) is a container for a collection of configuration settings. Using Windows Configuration Designer, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. - -Windows Configuration Designer can be installed from the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). Windows Configuration Designer is also available as an app in the Microsoft Store. [Learn more about installing Windows Configuration Designer.](../provisioning-packages/provisioning-install-icd.md) - -## Create a provisioning package using the wizard - -The **Provision Windows mobile devices** wizard lets you configure common settings for devices running Windows 10 Mobile in a simple, graphical workflow. - -### Start a new project - -1. 
Open Windows Configuration Designer: - - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click the Windows Configuration Designer shortcut, - - or - - - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. - -2. On the **Start** page, choose **Provision Windows mobile devices**. - -3. Enter a name for your project, and then click **Next**. - - -### Configure settings in the wizard - - - - - - -
                  step oneset up device

                  Enter a device name.

                  Optionally, you can enter a product key to upgrade the device from Windows 10 Mobile to Windows 10 Mobile Enterprise.
                  device name, upgrade license
                  step two set up network

                  Toggle On or Off for wireless network connectivity.

                  If you select On, enter the SSID, network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.
                  Enter network SSID and type
                  step three bulk enrollment in Azure Active Directory

                  Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used.

                  Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.

                  Warning: You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
                  Enter expiration and get bulk token
                  step four finish

                  You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
                  Protect your package
                  - -After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. - -### Apply provisioning package - -You can apply a provisioning package to a device running Windows 10 Mobile by using: - -- removable media -- copying the provisioning package to the device -- [NFC tags](provisioning-nfc.md) -- [barcodes](provisioning-package-splitter.md) - -### Using removable media - -1. Insert an SD card containing the provisioning package into the device. -2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. - - ![add a package option.](../images/packages-mobile.png) - -3. Click **Add**. - -4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - - ![Is this package from a source you trust.](../images/package-trust.png) - -### Copying the provisioning package to the device - -1. Connect the device to your PC through USB. - -2. On the PC, select the provisioning package that you want to use to provision the device and then drag and drop the file to your device. - -3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - - ![Is this package from a source you trust.](../images/package-trust.png) - - -## Related topics - -- [NFC-based device provisioning](provisioning-nfc.md) -- [Use the package splitter tool](provisioning-package-splitter.md) \ No newline at end of file diff --git a/windows/configuration/mobile-devices/provisioning-nfc.md b/windows/configuration/mobile-devices/provisioning-nfc.md deleted file mode 100644 index 42ff3ff229..0000000000 --- a/windows/configuration/mobile-devices/provisioning-nfc.md +++ /dev/null 
@@ -1,144 +0,0 @@ ---- -title: NFC-based device provisioning (Windows 10) -description: -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp ---- - -# NFC-based device provisioning - - -**Applies to** - -- Windows 10 Mobile - - -Near field communication (NFC) enables Windows 10 Mobile Enterprise and Windows 10 Mobile devices to communicate with an NFC tag or another NFC-enabled transmitting device. Enterprises that do bulk provisioning can use NFC-based device provisioning to provide a provisioning package to the device that's being provisioned. NFC provisioning is simple and convenient and it can easily store an entire provisioning package. - -The NFC provisioning option enables the administrator to provide a provisioning package during initial device setup (the out-of-box experience or OOBE phase). Administrators can use the NFC provisioning option to transfer provisioning information to persistent storage by tapping an unprovisioned mobile device to an NFC tag or NFC-enabled device. To use NFC for pre-provisioning a device, you must either prepare your own NFC tags by storing your provisioning package to a tag as described in this section, or build the infrastructure needed to transmit a provisioning package between an NFC-enabled device and a mobile device during OOBE. - -## Provisioning OOBE UI - -All Windows 10 Mobile Enterprise and Windows 10 Mobile images have the NFC provisioning capability incorporated into the operating system. On devices that support NFC and are running Windows 10 Mobile Enterprise or Windows 10 Mobile, NFC-based device provisioning provides an additional mechanism to provision the device during OOBE. - -On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key, which shows the **Provision this device** screen. 
In the **Provision this device** screen, select **NFC** for NFC-based provisioning. - -![Example of Provision this device screen.](../images/nfc.png) - -If there is an error during NFC provisioning, the device will show a message if any of the following errors occur: - -- **NFC initialization error** - This can be caused by any error that occurs before data transfer has started. For example, if the NFC driver isn't enabled or there's an error communicating with the proximity API. -- **Interrupted download or incomplete package transfer** - This error can happen if the peer device is out of range or the transfer is aborted. This error can be caused whenever the device being provisioned fails to receive the provisioning package in time. -- **Incorrect package format** - This error can be caused by any protocol error that the operating system encounters during the data transfer between the devices. -- **NFC is disabled by policy** - Enterprises can use policies to disallow any NFC usage on the managed device. In this case, NFC functionality is not enabled. - -## NFC tag - -You can use an NFC tag for minimal provisioning and use an NFC-enabled device tag for larger provisioning packages. - -The protocol used for NFC-based device provisioning is similar to the one used for NFC provisioning on Windows Embedded 8.1 Handheld, which supported both single-chunk and multi-chunk transfer when the total transfer didn't fit in one NDEP message size. In Windows 10, the provisioning stack contains the following changes: - -- **Protocol namespace** - The protocol namespace has changed from Windows.WEH.PreStageProv.Chunk to Windows.ProvPlugins.Chunk. -- **Tag data type** - The tag data type has changed from UTF-8 into binary raw data. - - ->[!NOTE] ->The NFC tag doesn't go in the secondary device. You can transfer the NFC tag by using a provisioning package from device-to-device using the NFC radio or by re-reading the provisioning package from an NFC tag. 
- -### NFC tag components - -NFC tags are suitable for very light applications where minimal provisioning is required. The size of NFC tags that contain provisioning packages is typically 4 KB to 10 KB. - -To write to an NFC tag, you will need to use an NFC Writer tool, or you can use the [ProximityDevice class API](/uwp/api/Windows.Networking.Proximity.ProximityDevice) to write your own custom tool to transfer your provisioning package file to your NFC tag. The tool must publish a binary message (write) a Chunk data type to your NFC tag. - -The following table describes the information that is required when writing to an NFC tag. - -| Required field | Description | -| --- | --- | -| **Type** | Windows.ProvPlugins.Chunk

                  The receiving device uses this information to understand information in the Data field. | -| **Data** | Tag data with small header in raw binary format that contains a chunk of the provisioning package to be transferred. | - - - -### NFC provisioning helper - -The NFC provisioning helper device must split the provisioning package raw content into multiple parts and publish these in order. Each part should follow the following format: - -
                  Version
                  (1 byte)
                  Leading
                  (1 byte)
                  Order
                  (1 byte)
                  Total
                  (1 byte)
                  Chunk payload
                  (N bytes)
                  - -For each part: -- Version should always be 0x00. -- Leading byte should always be 0xFF. -- Order represents which message chunk (out of the whole message) the part belongs to. The Order begins with zero (0). -- Total represents the total number of chunks to be transferred for the whole message. -- Chunk payload represents each of the split parts. - -The NFC provisioning helper device must publish the record in a type of Windows.ProvPlugins.Chunk. - -**Code example** - -The following example shows how to write to an NFC tag. This example assumes that the tag is already in range of the writing device. - -``` - private async void WriteProvPkgToTag(IStorageFile provPkgFile) - { - var buffer = await FileIO.ReadBufferAsync(provPkgFile); - if (null == buffer) - { - return; - } - - var proximityDevice = Windows.Networking.Proximity.ProximityDevice.GetDefault(); - if (null == proximityDevice) - { - return; - } - - var dataWriter = new DataWriter(); - var header = new NfcProvHeader(); - - header.version = NFC_PROV_MESSAGE_CURRENT_VERSION; // Currently the supported version is 0x00. - header.leading = NFC_PROV_MESSAGE_LEADING_BYTE; // The leading byte should be always 0xFF. - header.index = 0; // Assume we only have 1 chunk. - header.total = 1; // Assume we only have 1 chunk. - - // Write the header first and then the raw data of the provisioning package. - dataWriter.WriteBytes(GetBytes(header)); - dataWriter.WriteBuffer(buffer); - - var chunkPubId = proximityDevice.PublishBinaryMessage( - "Windows:WriteTag.ProvPlugins.Chunk", - dataWriter.DetachBuffer()); - } -``` - - -### NFC-enabled device tag components - -Provisioning from an NFC-enabled source device allows for larger provisioning packages than can be transferred using an NFC tag. When provisioning from an NFC-enabled device, we recommend that the total file size not exceed 120 KB. Be aware that the larger the NFC file is, the longer it will take to transfer the provisioning file. 
Depending on your NFC hardware, the transfer time for a 120 KB file will vary between 2.5 seconds and 10 seconds. - -To provision from an NFC-enabled source device, use [ProximityDevice class API](/uwp/api/Windows.Networking.Proximity.ProximityDevice) to write your own custom tool that transfers your provisioning package in chunks to your target mobile device. The tool must publish binary messages (transmit) a Header message, followed by one or more Chunk messages. The Header specifies the total amount of data that will be transferred to the target device; the Chunks must contain binary raw data formatted provisioning data, as shown in the NFC tag components section. - -For detailed information and code samples on how to implement an NFC-enabled device tag, see **ConvertToNfcMessageAsync** in [this GitHub NfcProvisioner Universal Windows app example](https://github.com/Microsoft/Windows-universal-samples/blob/master/Samples/NfcProvisioner/cs/Scenario1.xaml.cs). The sample app shows you how to host the provisioning package on a master device so that you can transfer it to the receiving device. - - - - - - - -## Related topics - -- [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md) - -- [Barcode provisioning and the package splitter tool](provisioning-package-splitter.md) - - diff --git a/windows/configuration/mobile-devices/provisioning-package-splitter.md b/windows/configuration/mobile-devices/provisioning-package-splitter.md deleted file mode 100644 index 3bfd9c31b4..0000000000 --- a/windows/configuration/mobile-devices/provisioning-package-splitter.md +++ /dev/null 
@@ -1,93 +0,0 @@ ---- -title: Barcode provisioning and the package splitter tool (Windows 10) -description: -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp ---- - -# Barcode provisioning and the package splitter tool - - -**Applies to** - -- Windows 10 Mobile - -Enterprises that do bulk provisioning can use barcode-based device provisioning to provide a provisioning package to the device that's being provisioned. - -The barcode provisioning option enables the administrator to provide a provisioning package during initial device setup (the out-of-box experience or OOBE phase). To use barcodes to provision a device, your devices must have an integrated barcode scanner. You can get the barcode format that the scanner supports from your OEM or device provider, and use your existing tools and processes to convert a provisioning package into barcodes. - -Enterprise IT professionals who want to use a barcode to provision mobile devices during OOBE can use the package splitter tool, **ppkgtobase64.exe**, which is a command-line tool to split the provisioning package into smaller files. - -The smallest provisioning package is typically 5-6 KB, which cannot fit into one single barcode. The package splitter tool allows partners to split the original provisioning package into multiple smaller sized chunks that are encoded with Base64 so that enterprises can leverage their existing tools to convert these files into barcodes. - -When you [install Windows Configuration Designer](../provisioning-packages/provisioning-install-icd.md) from the Windows Assessment and Deployment Kit (ADK), **ppkgtobase64.exe** is installed to the same folder. - -## Prerequisites - -Before you can use the tool, you must have a built provisioning package. The package file is the input to the package splitter tool. 
- -- To build a provisioning package using the Windows Configuration Designer UI, see [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md). -- To build a provisioning package using the Windows Configuration Designer CLI, see [Windows Configuration Designer command-line interface](../provisioning-packages/provisioning-command-line.md). - -## To use the package splitter tool (ppkgtobase64.exe) - -1. Open a command-line window with administrator privileges. - - -2. From the command-line, navigate to the Windows Configuration Designer install directory. - - On an x64 computer, type: - ``` - cd C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86 - ``` - - - or - - - On an x86 computer, type: - - ``` - cd C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86 - ``` - -3. Run `ppkgtobase64.exe`. The [syntax](#syntax) and [switches and arguments](#switches-and-arguments) sections provide details for the command. - - -### Syntax - -``` -ppkgtobase64.exe -i -o -s [-c] [/?] -``` - -### Switches and arguments - -| Switch | Required? | Arguments | -| --- | --- | --- | -| -i | Yes | Use to specify the path and file name of the provisioning package that you want to divide into smaller files.

                  The tool allows you to specify the absolute path of the provisioning package file. However, if you don't specify the path, the tool will search the current folder for a package that matches the file name you specified. | -| -o | Yes | Use to specify the directory where the output files will be saved. | -| -s | Yes | Use to specify the size of the block that will be encoded in Base64. | -| -c | No | Use to delete any files in the output directory if the directory already exists. This parameter is optional. | -| /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. | - - - - - -## Related topics - - - - - - - - - - diff --git a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md deleted file mode 100644 index a265a544e3..0000000000 --- a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md +++ /dev/null 
@@ -1,202 +0,0 @@ ---- -title: Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise (Windows 10) -description: A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. -ms.assetid: 35EC82D8-D9E8-45C3-84E9-B0C8C167BFF7 -ms.reviewer: -manager: dansimp -keywords: kiosk, lockdown, assigned access -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: mobile -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.localizationpriority: medium -ms.date: 07/27/2017 ---- - -# Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise - - -**Applies to** - -- Windows 10 Mobile - - -A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You use the [Enterprise Assigned Access](#enterprise-assigned-access) configuration service provider (CSP) to configure a kiosk experience. You can also configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise, version 1607 or earlier, for kiosk mode by using the [Apps Corner](#apps-corner) feature. (Apps Corner is removed in version 1703.) - - - -## Enterprise Assigned Access - - -Enterprise Assigned Access allows you to put your Windows 10 Mobile or Windows 10 Mobile Enterprise device in kiosk mode by creating a user role that has only a single app, set to run automatically, in the Allow list. - ->[!NOTE] ->The app can be a Universal Windows app, Universal Windows Phone 8 app, or a legacy Silverlight app. - - - -### Set up Enterprise Assigned Access in MDM - -In AssignedAccessXml, for Application, you enter the product ID for the app to run in kiosk mode. Find product IDs at [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md). 
- -[See the technical reference for the Enterprise Assigned Access configuration service provider (CSP).](/windows/client-management/mdm/enterpriseassignedaccess-csp) - -### Set up assigned access using Windows Configuration Designer - ->[!IMPORTANT] ->When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -#### Create the *AssignedAccess*.xml file - -1. Create an *AssignedAccess*.xml file that specifies the app the device will run. (You can name use any file name.) For instructions on AssignedAccessXml, see [EnterpriseAssignedAccess CSP](/windows/client-management/mdm/enterpriseassignedaccess-csp). - - >[!NOTE] - >Do not escape the xml in *AssignedAccess*.xml file as Windows Configuration Designer will do that when building the package. Providing escaped xml in Windows ICD will cause building the package fail. - -#### Create the provisioning package - -1. [Install Windows Configuration Designer.](../provisioning-packages/provisioning-install-icd.md) - -2. Open Windows Configuration Designer (if you installed it from the Windows ADK, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`). - -3. Choose **Advanced provisioning**. - - - -4. Name your project, and click **Next**. - -5. Choose **All Windows mobile editions** and click **Next**. - -6. On **New project**, click **Finish**. The workspace for your package opens. - -7. Expand **Runtime settings** > **EmbeddedLockdownProfiles**, and click **AssignedAccessXml**. - -8. Click **Browse** to select the *AssignedAccess*.xml file. - -9. On the **File** menu, select **Save.** - -10. On the **Export** menu, select **Provisioning package**. - -11. 
Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -12. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. - -13. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. - - Optionally, you can click **Browse** to change the default output location. - -14. Click **Next**. - -15. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -16. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. 
- - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -17. Select the **output location** link to go to the location of the package. - -#### Distribute the provisioning package - -You can distribute that .ppkg to mobile devices using any of the following methods: - -- Removable media (USB/SD) - - **To apply a provisioning package from removable media** - - 1. Copy the provisioning package file to the root directory on a micro SD card. - - 2. On the device, insert the micro SD card containing the provisioning package. - - 3. Go to **Settings** > **Accounts** > **Provisioning.** - - 4. Tap **Add a package**. - - 5. On the **Choose a method** screen, in the **Add from** dropdown menu, select **Removable Media**. - - 6. Select a package will list all available provisioning packages on the micro SD card. Tap the desired package, and then tap **Add**. - - 7. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. - - 8. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. - -- Email - - **To apply a provisioning package sent in email** - - 1. Send the provisioning package in email to an account on the device. - - 2. Open the email on the device, and then double-tap the attached file. - - 3. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. - - 4. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. - -- USB tether - - **To apply a provisioning package using USB tether** - - 1. Connect the device to your PC by USB. - - 2. Select the provisioning package that you want to use to provision the device, and then drag and drop the file to your device. - - 3. 
The provisioning package installation dialog will appear on the phone. - - 4. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. - - 5. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. - - - -## Apps Corner - ->[!NOTE] ->For Windows 10, versions 1507, 1511, and 1607 only. - -Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or Windows 10 Mobile Enterprise device, where you can share only the apps you choose with the people you let use your device. You configure a device for kiosk mode by selecting a single app to use in Apps Corner. - -**To set up Apps Corner** - -1. On Start ![start.](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) > **Accounts** > **Apps Corner**. - -2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![done icon.](images/doneicon.png). - -3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back.](../images/backicon.png) to the Apps Corner settings. - -4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode. - -5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them. - -6. Press **Back** ![back.](../images/backicon.png) when you're done. - -**To use Apps Corner** - -1. 
On Start ![start.](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) > **Accounts** > **Apps Corner** > launch ![launch](../images/launchicon.png). - - >[!TIP] - >Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen. - -2. Give the device to someone else, so they can use the device and only the one app you chose. - -3. When they're done and you get the device back, press and hold Power ![power.](../images/powericon.png), and then swipe right to exit Apps Corner. - -## Related topics - - -[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](../kiosk-single-app.md) - -[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) - -[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) - diff --git a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md deleted file mode 100644 index c616794f43..0000000000 --- a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md +++ /dev/null 
@@ -1,499 +0,0 @@ ---- -title: Lock down settings and quick actions in Windows 10 Mobile -description: This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. -ms.assetid: 69E2F202-D32B-4FAC-A83D-C3051DF02185 -ms.reviewer: -manager: dansimp -keywords: ["lockdown"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: mobile -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.localizationpriority: medium -ms.date: 07/27/2017 ---- - -# Settings and quick actions that can be locked down in Windows 10 Mobile - - -**Applies to** - -- Windows 10 Mobile - -This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. - -## Settings lockdown in Windows 10, version 1703 - -In earlier versions of Windows 10, you used the page name to define allowed settings. Starting in Windows 10, version 1703, you use the settings URI. - -For example, in place of **SettingsPageDisplay**, you would use **ms-settings:display**. - -See the [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to find the URI for each Settings page. - -## Settings lockdown in Windows 10, version 1607 and earlier - - -You can use Lockdown.xml to configure lockdown settings. - -The following table lists the settings pages and page groups. Use the page name in the Settings section of Lockdown.xml. The Settings section contains an allow list of pages in the Settings app. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Main menuSub-menuPage name
                  SystemSettingsPageGroupPCSystem
                  DisplaySettingsPageDisplay
                  Notifications & actionsSettingsPageAppsNotifications
                  PhoneSettingsPageCalls
                  MessagingSettingsPageMessaging
                  BatterySettingsPageBatterySaver
                  Apps for websitesSettingsPageAppsForWebsites
                  StorageSettingsPageStorageSenseStorageOverview
                  Driving modeSettingsPageDrivingMode
                  Offline mapsSettingsPageMaps
                  AboutSettingsPagePCSystemInfo
                  DevicesSettingsPageGroupDevices
                  Default cameraSettingsPagePhotos
                  BluetoothSettingsPagePCSystemBluetooth
                  NFCSettingsPagePhoneNFC
                  MouseSettingsPageMouseTouchpad
                  USBSettingsPageUsb
                  Network and wirelessSettingsPageGroupNetwork
                  Cellular & SIMSettingsPageNetworkCellular
                  Wi-FiSettingsPageNetworkWiFi
                  Airplane modeSettingsPageNetworkAirplaneMode
                  Data usageSettingsPageDataSenseOverview
                  Mobile hotspotSettingsPageNetworkMobileHotspot
                  VPNSettingsPageNetworkVPN
                  PersonalizationSettingsPageGroupPersonalization
                  StartSettingsPageBackGround
                  ColorsSettingsPageColors
                  SoundsSettingsPageSounds
                  Lock screenSettingsPageLockscreen
                  Glance screenSettingsPageGlance
                  Navigation barSettingsNagivationBar
                  AccountsSettingsPageGroupAccounts
                  Your infoSettingsPageAccountsPicture
                  Sign-in optionsSettingsPageAccountsSignInOptions
                  Email & app accountsSettingsPageAccountsEmailApp
                  Access work or schoolSettingsPageWorkAccess
                  Sync your settingsSettingsPageAccountsSync

                  Apps corner

                  -

                  (disabled in Assigned Access)

                  SettingsPageAppsCorner
                  Time & languageSettingsPageGroupTimeRegion
                  Date & timeSettingsPageTimeRegionDateTime
                  LanguageSettingsPageTimeLanguage
                  RegionSettingsPageTimeRegion
                  KeyboardSettingsPageKeyboard
                  SpeechSettingsPageSpeech
                  Ease of accessSettingsPageGroupEaseOfAccess
                  NarratorSettingsPageEaseOfAccessNarrator
                  MagnifierSettingsPageEaseOfAccessMagnifier
                  High contrastSettingsPageEaseOfAccessHighContrast
                  Closed captionsSettingsPageEaseOfAccessClosedCaptioning
                  More optionsSettingsPageEaseOfAccessMoreOptions
                  PrivacySettingsPageGroupPrivacy
                  LocationSettingsPagePrivacyLocation
                  CameraSettingsPagePrivacyWebcam
                  MicrophoneSettingsPagePrivacyMicrophone
                  MotionSettingsPagePrivacyMotionData
                  NotificationsSettingsPagePrivacyNotifications
                  Speech. inking, & typingSettingsPagePrivacyPersonalization
                  Account infoSettingsPagePrivacyAccountInfo
                  ContactsSettingsPagePrivacyContacts
                  CalendarSettingsPagePrivacyCalendar
                  Phone callsSettingsPagePrivacyPhoneCall
                  Call historySettingsPagePrivacyCallHistory
                  EmailSettingsPagePrivacyEmail
                  MessagingSettingsPagePrivacyMessaging
                  RadiosSettingsPagePrivacyRadios
                  Continue App ExperiencesSettingsPagePrivacyCDP
                  Background appsSettingsPagePrivacyBackgroundApps
                  Accessory appsSettingsPageAccessories
                  Advertising IDSettingsPagePrivacyAdvertisingId
                  Other devicesSettingsPagePrivacyCustomPeripherals
                  Feedback and diagnosticsSettingsPagePrivacySIUFSettings
                  Update and securitySettingsPageGroupRestore
                  Phone updateSettingsPageRestoreMusUpdate
                  Windows Insider ProgramSettingsPageFlights
                  Device encryptionSettingsPageGroupPCSystemDeviceEncryption
                  BackupSettingsPageRestoreOneBackup
                  Find my phoneSettingsPageFindMyDevice
                  For developersSettingsPageSystemDeveloperOptions
                  OEMSettingsPageGroupExtensibility
                  ExtensibilitySettingsPageExtensibility
                  - -  - -## Quick actions lockdown - - -Quick action buttons are locked down in exactly the same way as Settings pages/groups. By default they are always conditional. - -You can specify the quick actions as follows: - -```xml - - - - - - - - - - - - - - - - - - -``` - - - -  - -## Related topics - - -[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) - -[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) - -  - -  \ No newline at end of file diff --git a/windows/configuration/mobile-devices/start-layout-xml-mobile.md b/windows/configuration/mobile-devices/start-layout-xml-mobile.md deleted file mode 100644 index 858de39174..0000000000 --- a/windows/configuration/mobile-devices/start-layout-xml-mobile.md +++ /dev/null 
@@ -1,393 +0,0 @@ ---- -title: Start layout XML for mobile editions of Windows 10 (Windows 10) -description: This topic describes the options for customizing Start layout in LayoutModification.xml for Windows 10 mobile editions. -keywords: ["start screen"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: greg-lindsay -ms.author: greglin -ms.topic: article -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.reviewer: -manager: dansimp ---- - -# Start layout XML for mobile editions of Windows 10 (reference) - - -**Applies to** - -- Windows 10 - ->**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) - - -On Windows 10 Mobile, you can use the XML-based layout to modify the Start screen and provide the most robust and complete Start customization experience. - -On Windows 10 Mobile, the customized Start works by: - -- Windows 10 performs checks to determine the correct base default layout. The checks include the mobile edition, whether the device is dual SIM, the column width, and whether Cortana is supported for the country/region. -- Windows 10 ensures that it does not overwrite the layout that you have set and will sequence the level checks and read the file layout such that any multivariant settings that you have set is not overwritten. -- Windows 10 reads the LayoutModification.xml file and appends the group to the Start screen. - -## Default Start layouts - -The following diagrams show the default Windows 10, version 1607 Start layouts for single SIM and dual SIM devices with Cortana support, and single SIM and dual SIM devices with no Cortana support. - -![Start layout for Windows 10 Mobile.](../images/mobile-start-layout.png) - -The diagrams show: - -- Tile coordinates - These are determined by the row number and the column number. -- Fold - Tiles "above the fold" are visible when users first navigate to the Start screen. 
Tiles "below the fold" are visible after users scroll up. -- Partner-customizable tiles - OEM and mobile operator partners can customize these areas of the Start screen by prepinning content. The partner configurable slots are: - - Rows 6-9 - - Rows 16-19 - -## LayoutModification XML - -IT admins can provision the Start layout by creating a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. - ->[!NOTE] ->To make sure the Start layout XML parser processes your file correctly, follow these guidelines when writing your LayoutModification.xml file: ->- Do not leave spaces or white lines in between each element. ->- Do not add comments inside the StartLayout node or any of its children elements. ->- Do not add multiple rows of comments. - -The following table lists the supported elements and attributes for the LayoutModification.xml file. - -| Element | Attributes | Description | -| --- | --- | --- | -| LayoutModificationTemplate | xmlns
                  xmlns:defaultlayout
                  xmlns:start
                  Version | Use to describe the changes to the default Start layout. | -| DefaultLayoutOverride

                  Parent:
                  LayoutModificationTemplate | n/a | Use to specify the customized Start layout for mobile devices. | -| StartLayoutCollection

                  Parent:
                  DefaultLayoutOverride | n/a | Use to contain a collection of Start layouts. | -| StartLayout

                  Parent:
                  StartLayoutCollection | n/a | Use to specify the tile groups that will be appended to the Start screen. | -| start:Group

                  Parent:
                  StartLayout | Name | Use to specify the tiles that need to be appended to the default Start layout. | -| start:Tile

                  Parent:
                  start:Group | AppUserModelID
                  Size
                  Row
                  Column | Use to specify any Universal Windows app that has a valid **AppUserModelID** attribute. | -| start:SecondaryTile

                  Parent:
                  start:Group | AppUserModelID
                  TileID
                  Arguments
                  DisplayName
                  Square150x150LogoUri
                  ShowNameOnSquare150x150Logo
                  ShowNameOnWide310x150Logo
                  Wide310x150LogoUri
                  BackgroundColor
                  ForegroundText
                  IsSuggestedApp
                  Size
                  Row
                  Column | Use to pin a Web link through a Microsoft Edge secondary tile. | -| start:PhoneLegacyTile

                  Parent:
                  start:Group | ProductID
                  Size
                  Row
                  Column | Use to add a mobile app that has a valid **ProductID** attribute. | -| start:Folder

                  Parent:
                  start:Group | Name
                  Size
                  Row
                  Column | Use to add a folder to the mobile device's Start screen. | -| RequiredStartTiles

                  Parent:
                  LayoutModificationTemplate | n/a | Use to specify the tiles that will be pinned to the bottom of the Start screen even if a restored Start screen does not have the tiles during backup or restore. | - -### start:Group - -**start:Group** tags specify a group of tiles that will be appended to Start. You can set the **Name** attribute to specify a name for the Start group. - ->[!NOTE] ->Windows 10 Mobile only supports one Start group. - - For Windows 10 Mobile, **start:Group** tags can contain the following tags or elements: - -- **start:Tile** -- **start:SecondaryTile** -- **start:PhoneLegacyTile** -- **start:Folder** - -### Specify Start tiles - -To pin tiles to Start, you must use the right kind of tile depending on what you want to pin. - -#### Tile size and coordinates - -All tile types require a size (**Size**) and coordinates (**Row** and **Column**) attributes regardless of the tile type that you use when prepinning items to Start. - -The following table describes the attributes that you must use to specify the size and location for the tile. - -| Attribute | Description | -| --- | --- | -| Size | Determines how large the tile will be.
                  - 1x1 - small tile
                  - 2x2 - medium tile
                  - 4x2 - wide tile
                  - 4x4 - large tile | -| Row | Specifies the row where the tile will appear. | -| Column | Specifies the column where the tile will appear. | - -For example, a tile with Size="2x2", Row="2", and Column="2" results in a tile located at (2,2) where (0,0) is the top-left corner of a group. - -#### start:Tile - -You can use the **start:Tile** tag to pin a Universal Windows app to Start. - -To specify an app, you must set the **AppUserModelID** attribute to the application user model ID that's associated with the corresponding app. - -The following example shows how to pin the Microsoft Edge Universal Windows app: - -```XML - -``` - -#### start:SecondaryTile - -You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. - -The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile: - -```XML - -``` - -The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to **Size**, **Row**, and **Column**. - -| Attribute | Required/optional | Description | -| --- | --- | --- | -| AppUserModelID | Required | Must point to Microsoft Edge. | -| TileID | Required | Must uniquely identify your Web site tile. | -| Arguments | Required | Must contain the URL of your Web site. | -| DisplayName | Required | Must specify the text that you want users to see. | -| Square150x150LogoUri | Required | Specifies the logo to use on the 2x2 tile. | -| Wide310x150LogoUri | Optional | Specifies the logo to use on the 4x2 tile. | -| ShowNameOnSquare150x150Logo | Optional | Specifies whether the display name is shown on the 2x2 tile. You can set the value for this attribute to true or false. By default, this is set to false. | -| ShowNameOnWide310x150Logo | Optional | Specifies whether the display name is shown on the 4x2 tile. You can set the value for this attribute to true or false. By default, this is set to false. 
| -| BackgroundColor | Optional | Specifies the color of the tile. You can specify the value in ARGB hexadecimal (for example, #FF112233) or specify "transparent". | -| ForegroundText | Optional | Specifies the color of the foreground text. Set the value to either "light" or "dark". | - - Secondary Microsoft Edge tiles have the same size and location behavior as a Universal Windows app. - -#### start:PhoneLegacyTile - -You can use the **start:PhoneLegacyTile** tag to add a mobile app that has a valid ProductID, which you can find in the app's manifest file. The **ProductID** attribute must be set to the GUID of the app. - -The following example shows how to add a mobile app with a valid ProductID using the start:PhoneLegacyTile tag: - -```XML - -``` - -#### start:Folder - -You can use the **start:Folder** tag to add a folder to the mobile device's Start screen. - -You must set these attributes to specify the size and location of the folder: **Size**, **Row**, and **Column**. - -Optionally, you can also specify a folder name by using the **Name** attribute. If you specify a name, set the value to a string. - -The position of the tiles inside a folder is relative to the folder. You can add any of the following tile types to the folder: - -- Tile - Use to pin a Universal Windows app to Start. -- SecondaryTile - Use to pin a Web link through a Microsoft Edge secondary tile. -- PhoneLegacyTile - Use to pin a mobile app that has a valid ProductID. - -The following example shows how to add a medium folder that contains two apps inside it: - -```XML - - - - -``` - -#### RequiredStartTiles - -You can use the **RequiredStartTiles** tag to specify the tiles that will be pinned to the bottom of the Start screen even if a restored Start screen does not have the tiles during backup or restore. - ->[!NOTE] ->Enabling this Start customization may be disruptive to the user experience. - -For Windows 10 Mobile, **RequiredStartTiles** tags can contain the following tags or elements. 
These are similar to the tiles supported in **start:Group**. - -- Tile - Use to pin a Universal Windows app to Start. -- SecondaryTile - Use to pin a Web link through a Microsoft Edge secondary tile. -- PhoneLegacyTile - Use to pin a mobile app that has a valid ProductID. -- Folder - Use to pin a folder to the mobile device's Start screen. - -Tiles specified within the **RequiredStartTiles** tag have the following behavior: - -- The partner-pinned tiles will begin in a new row at the end of the user-restored Start screen. -- If there’s a duplicate tile between what the user has in their Start screen layout and what the OEM has pinned to the Start screen, only the app or tile shown in the user-restored Start screen layout will be shown and the duplicate tile will be omitted from the pinned partner tiles at the bottom of the Start screen. - -The lack of duplication only applies to pinned apps. Pinned Web links may be duplicated. - -- If partners have prepinned folders to the Start screen, Windows 10 treats these folders in the same way as appended apps on the Start screen. Duplicate folders will be removed. -- All partner tiles that are appended to the bottom of the user-restored Start screen will be medium-sized. There will be no gaps in the appended partner Start screen layout. Windows 10 will shift tiles accordingly to prevent gaps. - -## Sample LayoutModification.xml - -The following sample LayoutModification.xml shows how you can configure the Start layout for devices running Windows 10 Mobile: - -```XML - - - - - - - - - - - - - - - - - - - -``` - -## Use Windows Provisioning multivariant support - -The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. 
To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see Create a provisioning package with multivariant settings. - -The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provsioning engine will always output "LayoutCustomization.xml" so that the OS has a consistent file name to query against. - -For example, if you want to ensure that there's a specific layout for a certain mobile operator in a certain country/region, you can: -1. Create a specific layout customization file and then name it LayoutCustomization1.xml. -2. Include the file as part of your provisioning package. -3. Create your multivariant target and reference the XML file within the target condition in the main customization XML file. - -The following example shows what the overall customization file might look like with multivariant support for Start: - -```XML - - - - {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} - My Provisioning Package - 1.0 - OEM - 50 - - - - - - - - - - - - - - - - - - - - - - - 1 - 1 - 1 - - - 1 - - - - - - - - - c:\users\\appdata\local\Microsoft\Windows\Shell\LayoutCustomization1.XML - - 1 - - - - - - -``` - -When the condition is met, the provisioning engine takes the XML file and places it in the location that Windows 10 has set and then the Start subsystem reads the file and applies the specific customized layout. 
- -You must repeat this process for all variants that you want to support so that each variant can have a distinct layout for each of the conditions and targets that need to be supported. For example, if you add a **Language** condition, you can create a Start layout that has it's own localized group or folder titles. - -## Add the LayoutModification.xml file to the image - -Once you have created your LayoutModification.xml file to customize devices that will run Windows 10 Mobile, you can use Windows ICD to add the XML file to the device: - -1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** and then click the **StartLayout** setting. -2. In the middle pane, click **Browse** to open File Explorer. -3. In the File Explorer window, navigate to the location where you saved your LayoutModification.xml file. -4. Select the file and then click **Open**. - -This should set the value of **StartLayout**. The setting appears in the **Selected customizations** pane. - - - - - - - - - - - - - - - - - - - -## Related topics - - -- [Manage Windows 10 Start layout options](../windows-10-start-layout-options-and-policies.md) -- [Configure Windows 10 taskbar](../configure-windows-10-taskbar.md) -- [Customize Windows 10 Start and taskbar with Group Policy](../customize-windows-10-start-screens-by-using-group-policy.md) -- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](../customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) -- [Customize Windows 10 Start with mobile device management (MDM)](../customize-windows-10-start-screens-by-using-mobile-device-management.md) -- [Changes to Group Policy settings for Windows 10 Start](../changes-to-start-policies-in-windows-10.md) -- [Start layout XML for desktop editions of Windows 10 (reference)](../start-layout-xml-desktop.md) - -  - -  - - - - - 
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
index 38d6791423..05bf795440 100644
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@@ -1,8 +1,8 @@
 ---
-title: Configuration service providers for IT pros (Windows 10)
+title: Configuration service providers for IT pros (Windows 10/11)
 description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices.
 ms.assetid: 25C1FDCA-0E10-42A1-A368-984FFDB2B7B6
-ms.reviewer:
+ms.reviewer: gkomatsu
 manager: dansimp
 ms.prod: w10
 ms.mktglfcycl: manage
@@ -11,34 +11,28 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 --- # Configuration service providers for IT pros **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows 11 -This article explains how IT pros and system administrators can take advantage of many settings available through configuration service providers (CSPs) to configure devices running Windows 10 and Windows 10 Mobile in their organizations. CSPs expose device configuration settings in Windows 10. The CSPs are used by mobile device management (MDM) service providers and are documented in the [Hardware Dev Center](/windows/client-management/mdm/configuration-service-provider-reference). - -> [!NOTE] -> The information provided here about CSPs and CSP documentation also applies to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile. - - [See what's new for CSPs in Windows 10, version 1809.](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1809) +This article explains how IT pros and system administrators can take advantage of many settings available through configuration service providers (CSPs) to configure devices running Windows client in their organizations. CSPs expose device configuration settings in Windows client. The CSPs are used by mobile device management (MDM) service providers and are documented in the [Hardware Dev Center](/windows/client-management/mdm/configuration-service-provider-reference). ## What is a CSP? In the client operating system, a CSP is the interface between configuration settings that are specified in a provisioning document and configuration settings that are on the device. CSPs are similar to Group Policy client-side extensions in that they provide an interface to read, set, modify, or delete configuration settings for a given feature. 
Typically, these settings map to registry keys, files, or permissions. Some of these settings are configurable, and some are read-only. -Starting with Windows Mobile 5.0, CSPs were used to manage Windows mobile devices. On the Windows 10 platform, the management approach for both desktop and mobile devices converges, taking advantage of the same CSPs to configure and manage all devices running Windows 10. +On the Windows client platform, the management approach for desktop uses CSPs to configure and manage all devices running Windows client. Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) contains the settings to create a Wi-Fi profile. -CSPs are behind many of the management tasks and policies for Windows 10, both in Microsoft Intune and in non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). +CSPs are behind many of the management tasks and policies for Windows client, both in Microsoft Intune and in non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). -![how intune maps to csp.](../images/policytocsp.png) +:::image type="content" source="../images/policytocsp.png" alt-text="How intune maps to CSP"::: CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Intune. 
Traditional enterprise management systems, such as Microsoft Endpoint Configuration Manager, can also target CSPs, by using a client-side Windows Management Instrumentation (WMI)-to-CSP Bridge. @@ -48,7 +42,7 @@ The Open Mobile Alliance Device Management (OMA-DM) protocol uses the XML-based ### The WMI-to-CSP Bridge -The WMI-to-CSP Bridge is a component allowing configuration of Windows 10 CSPs using scripts and traditional enterprise management software, such as Configuration Manager using WMI. The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device. +The WMI-to-CSP Bridge is a component allowing configuration of Windows client CSPs using scripts and traditional enterprise management software, such as Configuration Manager using WMI. The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device. [Learn how to use the WMI Bridge Provider with PowerShell.](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) 
@@ -56,9 +50,7 @@ The WMI-to-CSP Bridge is a component allowing configuration of Windows 10 CSPs u Generally, enterprises rely on Group Policy or MDM to configure and manage devices. For devices running Windows, MDM services use CSPs to configure your devices. -In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management. You may also want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried. - -Some of the articles in the [Windows 10 and Windows 10 Mobile](/windows/windows-10) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](../cortana-at-work/cortana-at-work-overview.md), which links to the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). In the CSP topics, you can learn about all of the available configuration settings. +In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management. You may also want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried. You can also learn about all of the available configuration settings. ### CSPs in Windows Configuration Designer 
@@ -66,9 +58,9 @@ You can use Windows Configuration Designer to create [provisioning packages](./p Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image. -![how help content appears in icd.](../images/cspinicd.png) +:::image type="content" source="../images/cspinicd.png" alt-text="In Windows Configuration Designer, how help content appears in icd."::: -[Provisioning packages in Windows 10](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package. +[Provisioning packages in Windows client](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package. ### CSPs in MDM 
@@ -78,15 +70,13 @@ When a CSP is available but is not explicitly included in your MDM solution, you ### CSPs in Lockdown XML -Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](../mobile-devices/lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/enterpriseassignedaccess-csp). In Windows 10, version 1703, you can also use the new [Lockdown Designer app](../mobile-devices/mobile-lockdown-designer.md) to configure your Lockdown XML. - ## How do you use the CSP documentation? -All CSPs in Windows 10 are documented in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). +All CSPs are documented in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). -The [main CSP topic](/windows/client-management/mdm/configuration-service-provider-reference) tells you which CSPs are supported on each edition of Windows 10, and links to the documentation for each individual CSP. +The [CSP reference](/windows/client-management/mdm/configuration-service-provider-reference) tells you which CSPs are supported on each edition of Windows, and links to the documentation for each individual CSP. -![csp per windows edition.](../images/csptable.png) +:::image type="content" source="../images/csptable.png" alt-text="The CSP reference shows the supported Windows editions"::: The documentation for each CSP follows the same structure. After an introduction that explains the purpose of the CSP, a diagram shows the parts of the CSP in tree format. 
@@ -94,7 +84,7 @@ The full path to a specific configuration setting is represented by its Open Mob The following example shows the diagram for the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes, and rectangular elements are settings or policies for which a value must be supplied. -![assigned access csp tree.](../images/provisioning-csp-assignedaccess.png) +:::image type="content" source="../images/provisioning-csp-assignedaccess.png" alt-text="The CSP reference shows the assigned access csp tree."::: The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see that it uses the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). @@ -104,7 +94,7 @@ The element in the tree diagram after the root node tells you the name of the CS When an element in the diagram uses _italic_ font, it indicates a placeholder for specific information, such as the tenant ID in the following example. -![placeholder in csp tree.](../images/csp-placeholder.png) +:::image type="content" source="../images/csp-placeholder.png" alt-text="The placeholder in the CSP tree"::: After the diagram, the documentation describes each element. For each policy or setting, the valid values are listed. 
@@ -114,26 +104,11 @@ The documentation for most CSPs will also include an XML example. ## CSP examples -CSPs provide access to a number of settings useful to enterprises. This section introduces the CSPs that an enterprise might find useful. +CSPs provide access to many settings useful to enterprises. This section introduces the CSPs that an enterprise might find useful. -- [EnterpriseAssignedAccess CSP](/windows/client-management/mdm/enterpriseassignedaccess-csp) - - The EnterpriseAssignedAccess CSP lets IT administrators configure settings on a Windows 10 Mobile device. An enterprise can make use of this CSP to create single-use or limited-use mobile devices, such as a handheld device that only runs a price-checking app. - - In addition to lock screen wallpaper, theme, time zone, and language, the EnterpriseAssignedAccess CSP includes AssignedAccessXml that can be used to lock down the device through the following settings: - - - Enabling or disabling the Action Center. - - Configuring the number of tile columns in the Start layout. - - Restricting the apps that will be available on the device. - - Restricting the settings that the user can access. - - Restricting the hardware buttons that will be operable. - - Restricting access to the context menu. - - Enabling or disabling tile manipulation. - - Creating role-specific configurations. - - [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) - The Policy CSP enables the enterprise to configure policies on Windows 10 and Windows 10 Mobile. Some of these policy settings can also be applied using Group Policy, and the CSP documentation lists the equivalent Group Policy settings. + The Policy CSP enables the enterprise to configure policies on Windows client. Some of these policy settings can also be applied using Group Policy, and the CSP documentation lists the equivalent Group Policy settings. Some of the settings available in the Policy CSP include the following: 
@@ -153,7 +128,7 @@ CSPs provide access to a number of settings useful to enterprises. This section - **Update**, such as whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. - **WiFi**, such as whether Internet sharing is enabled. -Here is a list of CSPs supported on Windows 10 Enterprise, Windows 10 Mobile Enterprise, or both: +Here is a list of CSPs supported on Windows 10 Enterprise: - [ActiveSync CSP](/windows/client-management/mdm/activesync-csp) - [Application CSP](/windows/client-management/mdm/application-csp) @@ -211,4 +186,4 @@ Here is a list of CSPs supported on Windows 10 Enterprise, Windows 10 Mobile Ent - [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) - [Wi-Fi CSP](/documentation/) - [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp) -- [WindowsSecurityAuditing CSP](/windows/client-management/mdm/windowssecurityauditing-csp) \ No newline at end of file +- [WindowsSecurityAuditing CSP](/windows/client-management/mdm/windowssecurityauditing-csp) diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index a67b88d02f..49a51ea3c2 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -1,8 +1,8 @@ --- -title: Provision PCs with common settings (Windows 10) +title: Provision PCs with common settings (Windows 10/11) description: Create a provisioning package to apply common settings to a PC running Windows 10. ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp keywords: ["runtime provisioning", "provisioning package"] ms.prod: w10 
@@ -12,7 +12,6 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 --- # Provision PCs with common settings for initial deployment (desktop wizard) @@ -20,16 +19,17 @@ ms.date: 07/27/2017 **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 -This topic explains how to create and apply a provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home. +This topic explains how to create and apply a provisioning package that contains common enterprise settings to a device running all desktop editions of Windows client except Home. You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. ## Advantages - You can configure new devices without reimaging. -- Works on both mobile and desktop devices. +- Works on desktop devices. - No network connectivity required. @@ -51,14 +51,14 @@ The desktop wizard helps you configure the following settings in a provisioning - Add applications and certificates >[!WARNING] ->You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. +>You must run Windows Configuration Designer on Windows client to configure Azure Active Directory enrollment using any of the wizards. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. > [!TIP] > Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. > ->![open advanced editor.](../images/icd-simple-edit.png) +> :::image type="content" source="../images/icd-simple-edit.png" alt-text="In the desktop wizard, open the advanced editor."::: ## Create the provisioning package 
@@ -68,26 +68,76 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 2. Click **Provision desktop devices**. - ![ICD start options.](../images/icd-create-options-1703.png) + :::image type="content" source="../images/icd-create-options-1703.png" alt-text="In Windows Configuration Designer, see the ICD start options."::: 3. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps. - ![ICD desktop provisioning.](../images/icd-desktop-1703.png) + :::image type="content" source="../images/icd-desktop-1703.png" alt-text="In Windows Configuration Designer, select Finish, and see the ICD desktop provisioning."::: > [!IMPORTANT] > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. ## Configure settings +1. Enable device setup: - - - - - - - -
                  step oneset up device

                  Enter a name for the device.

                  (Optional) Select a license file to upgrade Windows 10 to a different edition. See the permitted upgrades.

                  Toggle Yes or No to Configure devices for shared use. This setting optimizes Windows 10 for shared use scenarios. Learn more about shared PC configuration.

                  You can also select to remove pre-installed software from the device.
                  device name, upgrade to enterprise, shared use, remove pre-installed software
                  step two set up network

                  Toggle On or Off for wireless network connectivity. If you select On, enter the SSID, the network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.
                  Enter network SSID and type
                  step three account management

                  Enable account management if you want to configure settings on this page.

                  You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

                  To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

                  Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.

                  To create a local administrator account, select that option and enter a user name and password.

                  Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
                  join Active Directory, Azure AD, or create a local admin account
                  step four add applications

                  You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see Provision PCs with apps.
                  add an application
                  step five add certificates

                  To provision the device with a certificate, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used.
                  add a certificate
                  The 'finish' button as displayed when provisioning a desktop device in Windows Configuration Designer.

                  You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
                  Protect your package
                  + :::image type="content" source="../images/set-up-device-details-desktop.png" alt-text="In Windows Configuration Designer, enable device setup, enter the device name, the product key to upgrade, turn off shared use, and remove preinstalled software."::: + + If you want to enable device setup, select **Set up device**, and configure the following settings: + + - **Device name**: Required. Enter a unique 15-character name for the device. You can use variables to add unique characters to the name, such as `Contoso-%SERIAL%` and `Contoso-%RAND:5%`. + - **Enter product key**: Optional. Select a license file to upgrade Windows client to a different edition. For more information, see [the permitted upgrades](/windows/deployment/upgrade/windows-10-edition-upgrades). + - **Configure devices for shared use**: Select **Yes** or **No** to optimize the Windows client for shared use scenarios. + - **Remove pre-installed software**: Optional. Select **Yes** if you want to remove preinstalled software. + +2. Set up the network: + + :::image type="content" source="../images/set-up-network-details-desktop.png" alt-text="In Windows Configuration Designer, turn on wireless connectivity, enter the network SSID, and network type."::: + + If you want to enable network setup, select **Set up network**, and configure the following settings: + + - **Set up network**: To enable wireless connectivity, select **On**. + - **Network SSID**: Enter the Service Set IDentifier (SSID) of the network. + - **Network type**: Select **Open** or **WPA2-Personal**. If you select **WPA2-Personal**, enter the password for the wireless network. + +3. 
Enable account management: + + :::image type="content" source="../images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Azure AD, or create a local admin account."::: + + If you want to enable account management, select **Account Management**, and configure the following settings: + + - **Manage organization/school accounts**: Choose how devices are enrolled. Your options: + - **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain. + - **Azure Active Directory**: Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Azure AD tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used. + + If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Azure AD, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions. + + You must run Windows Configuration Designer on Windows client to configure Azure AD enrollment using any of the wizards. + + - **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in. + +4. 
Add applications: + + :::image type="content" source="../images/add-applications-details.png" alt-text="In Windows Configuration Designer, add an application."::: + + To add applications to the devices, select **Add applications**. You can install multiple applications, including Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps. The settings in this step vary depending on the application you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). + +5. Add certificates: + + :::image type="content" source="../images/add-certificates-details.png" alt-text="In Windows Configuration Designer, add a certificate."::: + + To add a certificate to the devices, select **Add certificates**, and configure the following settings: + + - **Certificate name**: Enter a name for the certificate. + - **Certificate path**: Browse and select the certificate you want to add. + +6. Finish: + + :::image type="content" source="../images/finish-details.png" alt-text="In Windows Configuration Designer, protect your package with a password."::: + + To complete the wizard, select **Finish**, and configure the following setting: + + - **Protect your package**: Select **Yes** or **No** to password protect your provisioning package. When you apply the provisioning package to a device, you must enter this password. After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. 
@@ -98,20 +148,16 @@ After you're done, click **Create**. It only takes a few seconds. When the packa - Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) - -## Related topics +## Related articles -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Provisioning packages for Windows client](provisioning-packages.md) +- [How provisioning works in Windows client](provisioning-how-it-works.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) -- [NFC-based device provisioning](../mobile-devices/provisioning-nfc.md) -- [Use the package splitter tool](../mobile-devices/provisioning-package-splitter.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) \ No newline at end of file diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md index 68cfcc37af..cc911deee6 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md 
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
@@ -194,8 +194,6 @@ For details about the settings you can customize in provisioning packages, see [
 - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
 - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
 - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [NFC-based device provisioning](../mobile-devices/provisioning-nfc.md)
-- [Use the package splitter tool](../mobile-devices/provisioning-package-splitter.md)
 - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
 - [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index f6f7f9876b..976d93c4b8 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -1,5 +1,5 @@
 ---
-title: Provision PCs with apps (Windows 10)
+title: Provision PCs with apps (Windows 10/11)
 description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package.
 keywords: ["runtime provisioning", "provisioning package"]
 ms.prod: w10
@@ -9,8 +9,7 @@ author: greg-lindsay
 ms.localizationpriority: medium
 ms.author: greglin
 ms.topic: article
-ms.date: 09/06/2017
-ms.reviewer:
+ms.reviewer: gkomatsu
 manager: dansimp
 ---
@@ -20,9 +19,10 @@ manager: dansimp
 **Applies to**
 - Windows 10
+- Windows 11
-In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install.
+You can install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. This article explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install.
 When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv).
@@ -33,7 +33,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
 - **License Path**: Specify the license file if it is an app from the Microsoft Store. This is optional if you have a certificate for the app.
-- **Package family name**: Specify the package family name if you don’t specify a license. This field will be auto-populated after you specify a license.
+- **Package family name**: Specify the package family name if you don’t specify a license. This field will be autopopulated after you specify a license.
 - **Required appx dependencies**: Specify the appx dependency packages that are required for the installation of the app
@@ -44,25 +44,25 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate > [!NOTE] > You can find more information about command-line options for Msiexec.exe [here](/windows/win32/msi/command-line-options). -- **Command line arguments**: Optionally, append additional command arguments. The silent flag is appended for you. Example: PROPERTY=VALUE +- **Command line arguments**: Optionally, append more command arguments. The silent flag is appended for you. Example: PROPERTY=VALUE -- **Continue installations after failure**: Optionally, specify if you want to continue installing additional apps if this app fails to install +- **Continue installations after failure**: Optionally, specify if you want to continue installing more apps if this app fails to install -- **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app +- **Restart required**: Optionally, specify if you want to reboot after a successful install of this app -- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract). +- **Required win32 app dependencies**: Optionally, specify more files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab-the-application-assets). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract). ### Exe or other installer -- **Command line arguments**: Append the command line arguments with a silent flag (required). 
Optionally, append additional flags +- **Command line arguments**: Append the command line arguments with a silent flag (required). Optionally, append more flags - **Return Codes**: Specify the return codes for success and success with restart (0 and 3010 by default respectively) Any return code that is not listed will be interpreted as failure. The text boxes are space delimited. -- **Continue installations after failure**: Optionally, specify if you want to continue installing additional apps if this app fails to install +- **Continue installations after failure**: Optionally, specify if you want to continue installing more apps if this app fails to install -- **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app +- **Restart required**: Optionally, specify if you want to reboot after a successful install of this app -- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract). +- **Required win32 app dependencies**: Optionally, specify more files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab-the-application-assets). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract). 
@@ -72,7 +72,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate 1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**. -2. Enter a name for the first app, and then click **Add**. +2. Enter a name for the first app, and then select **Add**. ![enter name for first app.](../images/wcd-app-name.png) @@ -90,9 +90,9 @@ Universal apps that you can distribute in the provisioning package can be line-o ![details for offline app package.](../images/uwp-family.png) -3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). +3. For **ApplicationFile**, select **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). -4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. +4. For **DependencyAppxFiles**, select **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. ![required frameworks for offline app package.](../images/uwp-dependencies.png) 
@@ -102,11 +102,11 @@ Universal apps that you can distribute in the provisioning package can be line-o ![generate license for offline app.](../images/uwp-license.png) - - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**. + - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and select **Add**. -6. In the **Available customizations** pane, click the **LicenseProductId** that you just added. +6. In the **Available customizations** pane, select the **LicenseProductId** that you just added. -7. For **LicenseInstall**, click **Browse**, navigate to the license file that you renamed *\*.**ms-windows-store-license**, and select the license file. +7. For **LicenseInstall**, select **Browse**, navigate to the license file that you renamed *\*.**ms-windows-store-license**, and select the license file. [Learn more about distributing offline apps from the Microsoft Store for Business.](/microsoft-store/distribute-offline-apps) @@ -119,7 +119,7 @@ Universal apps that you can distribute in the provisioning package can be line-o 1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. -2. Enter a **CertificateName** and then click **Add**. +2. Enter a **CertificateName** and then select **Add**. 2. Enter the **CertificatePassword**. 
@@ -136,12 +136,13 @@ For details about the settings you can customize in provisioning packages, see [ ## Build your package -1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. +1. When you are done configuring the provisioning package, on the **File** menu, select **Save**. -2. Read the warning that project files may contain sensitive information, and click **OK**. - > **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. +2. Read the warning that project files may contain sensitive information, and select **OK**. -3. On the **Export** menu, click **Provisioning package**. + When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location, and delete the project files when they're no longer needed. + +3. On the **Export** menu, select **Provisioning package**. 4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** 
@@ -154,25 +155,25 @@ For details about the settings you can customize in provisioning packages, see [ - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select...** and choosing the certificate you want to use to sign the package. - **Important** - We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. + > [!TIP] + > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store. Any package signed with that certificate can be applied silently. -7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

                  - Optionally, you can click **Browse** to change the default output location. +7. Select **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

                  + Optionally, you can select **Browse** to change the default output location. -8. Click **Next**. +8. Select **Next**. -9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

                  - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. +9. Select **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

                  + If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. 10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

                  If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, select **Back** to change the output package name and path, and then select **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + - If you are done, select **Finish** to close the wizard and go back to the **Customizations Page**. 11. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: 
@@ -184,33 +185,23 @@ For details about the settings you can customize in provisioning packages, see [ - Email - - USB tether (mobile only) - - - NFC (mobile only) - - - **Next step**: [How to apply a provisioning package](provisioning-apply-package.md) ## Learn more - Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) -## Related topics +## Related articles -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Provisioning packages for Windows client](provisioning-packages.md) +- [How provisioning works in Windows client](provisioning-how-it-works.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) -- [NFC-based device provisioning](../mobile-devices/provisioning-nfc.md) -- [Use the package splitter tool](../mobile-devices/provisioning-package-splitter.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) \ No newline at end of file +- [Create a provisioning package with multivariant 
settings](provisioning-multivariant.md) diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index 4a9381ab1c..44ef49c0ab 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md @@ -1,5 +1,5 @@ --- -title: Apply a provisioning package (Windows 10) +title: Apply a provisioning package (Windows 10/11) description: Provisioning packages can be applied to a device during the first-run experience (OOBE) and after ("runtime"). ms.prod: w10 ms.mktglfcycl: deploy @@ -8,8 +8,7 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 08/22/2017 -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp --- @@ -19,19 +18,16 @@ manager: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 -Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime"). +Provisioning packages can be applied to client devices during the first-run experience (out-of-box experience or "OOBE") and after ("runtime"). >[!NOTE] ->Applying a provisioning package to a desktop device requires administrator privileges on the device. +> +> - Applying a provisioning package to a desktop device requires administrator privileges on the device. +> - You can interrupt a long-running provisioning process by pressing ESC. -## Desktop editions - ->[!NOTE] ->In Windows 10, version 1709, you can interrupt a long-running provisioning process by pressing ESC. - -### During initial setup, from a USB drive +## During initial setup, from a USB drive 1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. 
@@ -41,66 +37,33 @@ Provisioning packages can be applied to a device during the first-run experience ![Set up device?](../images/setupmsg.jpg) -3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. +3. The next screen asks you to select a provisioning source. Select **Removable Media** and select **Next**. ![Provision this device.](../images/prov.jpg) - -4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. + +4. Select the provisioning package (`.ppkg`) that you want to apply, and select **Next**. ![Choose a package.](../images/choose-package.png) 5. Select **Yes, add it**. ![Do you trust this package?](../images/trust-package.png) - - -### After setup, from a USB drive, network folder, or SharePoint site +## After setup, from a USB drive, network folder, or SharePoint site Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation. ![add a package option.](../images/package.png) - -## Mobile editions -### Using removable media +## Related articles -1. Insert an SD card containing the provisioning package into the device. -2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. - - ![add a package option.](../images/packages-mobile.png) - -3. Click **Add**. - -4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - - ![Is this package from a source you trust.](../images/package-trust.png) - -### Copying the provisioning package to the device - -1. Connect the device to your PC through USB. - -2. 
On the PC, select the provisioning package that you want to use to provision the device and then drag and drop the file to your device. - -3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - - ![Is this package from a source you trust.](../images/package-trust.png) - - - - - - - -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Provisioning packages for Windows client](provisioning-packages.md) +- [How provisioning works in Windows client](provisioning-how-it-works.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md index d4debef680..308f6bad92 100644 --- a/windows/configuration/provisioning-packages/provisioning-command-line.md +++ b/windows/configuration/provisioning-packages/provisioning-command-line.md 
@@ -1,6 +1,6 @@ --- -title: Windows Configuration Designer command-line interface (Windows 10) -description: +title: Windows Configuration Designer command-line interface (Windows 10/11) +description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command-line interface for Windows10/11 client devices. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -8,8 +8,7 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp --- @@ -19,11 +18,11 @@ manager: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 You can use the Windows Configuration Designer command-line interface (CLI) to automate the building of provisioning packages. -- IT pros can use the Windows Configuration Designer CLI to require less re-tooling of existing processes. You must run the Windows Configuration Designer CLI from a command window with administrator privileges. +- IT pros can use the Windows Configuration Designer CLI to require less retooling of existing processes. You must run the Windows Configuration Designer CLI from a command window with administrator privileges. - You must use the Windows Configuration Designer CLI and edit the customizations.xml sources to create a provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows Configuration Designer CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). @@ -31,7 +30,7 @@ You can use the Windows Configuration Designer command-line interface (CLI) to a ## Syntax -``` +``` cmd icd.exe /Build-ProvisioningPackage /CustomizationXML: /PackagePath: [/StoreFile:] [/MSPackageRoot:] [/OEMInputXML:] [/ProductName:] [/Variables::] [[+|-]Encrypted] [[+|-]Overwrite] [/?] 
@@ -45,28 +44,20 @@ icd.exe /Build-ProvisioningPackage /CustomizationXML: /PackagePath: | /PackagePath | Yes | Specifies the path and the package name where the built provisioning package will be saved. | | /StoreFile | No


                  See Important note. | For partners using a settings store other than the default store(s) used by Windows Configuration Designer, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions will be loaded by Windows Configuration Designer.


                  **Important** If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. | | /Variables | No | Specifies a semicolon separated `` and `` macro pair. The format for the argument must be `=`. | -| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows Configuration Designer auto-generates the decryption password and includes this information in the output.


                  Precede with + for encryption or - for no encryption. The default is no encryption. | +| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows Configuration Designer autogenerates the decryption password and includes this information in the output.


                  Precede with `+` for encryption, or `-` for no encryption. The default is no encryption. | | Overwrite | No | Denotes whether to overwrite an existing provisioning package.


                  Precede with + to overwrite an existing package or - if you don't want to overwrite an existing package. The default is false (don't overwrite). | | /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. | +## Related articles - - -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Provisioning packages for Windows client](provisioning-packages.md) +- [How provisioning works in Windows client](provisioning-how-it-works.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) -  - - - - - +  \ No newline at end of file diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index 0aa10c16b5..5086aae14b 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md 
@@ -1,6 +1,6 @@ --- -title: Create a provisioning package (Windows 10) -description: Learn how to create a provisioning package for Windows 10, which lets you quickly configure a device without having to install a new image. +title: Create a provisioning package (Windows 10/11) +description: Learn how to create a provisioning package for Windows 10/11, which lets you quickly configure a device without having to install a new image. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -8,20 +8,19 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp --- -# Create a provisioning package for Windows 10 +# Create a provisioning package **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 -You can use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization settings, and then apply the provisioning package to a device running Windows 10 or Windows 10 Mobile. +You can use Windows Configuration Designer to create a provisioning package (`.ppkg`) that contains customization settings, and then apply the provisioning package to a device running Windows client. >[Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) 
@@ -30,26 +29,20 @@ You can use Windows Configuration Designer to create a provisioning package (.pp ## Start a new project -1. Open Windows Configuration Designer: - - From either the Start screen or Start menu search, type **Windows Configuration Designer**, and then select the **Windows Configuration Designer** shortcut. - - or - - - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then select **ICD.exe**. +1. Open Windows Configuration Designer: From either the Start menu or Start menu search, type **Windows Configuration Designer**, and then select the **Windows Configuration Designer** shortcut. 2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image: ![Configuration Designer wizards.](../images/icd-create-options-1703.png) - - The following wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices: + - The following wizard options provide a simple interface for configuring common settings for desktop and kiosk devices: - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - [Instructions for HoloLens wizard](/hololens/hololens-provisioning) - [Instructions for Surface Hub wizard](/surface-hub/provisioning-packages-for-surface-hub) - - Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. 
For a summary of the settings available in the desktop, mobile, and kiosk devices, see [What you can configure using Configuration Designer wizards](provisioning-packages.md#configuration-designer-wizards). + + Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop and kiosk devices, see [What you can configure using Configuration Designer wizards](provisioning-packages.md#configuration-designer-wizards). - The **Advanced provisioning** option opens a new project with all the runtime settings available. (The rest of this procedure uses advanced provisioning.) 
@@ -63,47 +56,55 @@ You can use Windows Configuration Designer to create a provisioning package (.pp 4. Select the settings you want to configure, based on the type of device, and then select **Next**. The following table describes the options. - | Windows edition | Settings available for customization | Provisioning package can apply to | - |-----------------------------------|-----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------| - | All Windows editions | Common settings | All Windows 10 devices | - | All Windows desktop editions | Common settings and settings specific to desktop devices | All Windows 10 desktop editions (Home, Pro, Enterprise, Pro Education, Enterprise Education) | - | All Windows mobile editions | Common settings and settings specific to mobile devices | All Windows 10 Mobile devices | - | Windows 10 IoT Core | Common settings and settings specific to Windows 10 IoT Core | All Windows 10 IoT Core devices | - | Windows 10 Holographic | Common settings and settings specific to Windows 10 Holographic | [Microsoft HoloLens](/hololens/hololens-provisioning) | - | Common to Windows 10 Team edition | Common settings and settings specific to Windows 10 Team | [Microsoft Surface Hub](/surface-hub/provisioning-packages-for-surface-hub) | + | Windows edition | Settings available for customization | Provisioning package can apply to | + |---|---|---| + | All Windows editions | Common settings | All Windows client devices | + | All Windows desktop editions | Common settings and settings specific to desktop devices | All Windows client desktop editions (Home, Pro, Enterprise, Pro Education, Enterprise Education) | + | Windows 10 IoT Core | Common settings and settings specific to Windows 10 IoT Core | All Windows 10 IoT Core devices | + | Windows 10 Holographic | Common settings and settings specific to Windows 10 
Holographic | [Microsoft HoloLens](/hololens/hololens-provisioning) | + | Common to Windows 10 Team edition | Common settings and settings specific to Windows 10 Team | [Microsoft Surface Hub](/surface-hub/provisioning-packages-for-surface-hub) | 5. On the **Import a provisioning package (optional)** page, you can select **Finish** to create your project, or browse to and select an existing provisioning package to import to your project, and then select **Finish**. ->[!TIP] ->**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages that you create so you don't have to reconfigure those common settings repeatedly. + >[!TIP] + >**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that includes the settings for your organization's network. Then, import that package into other packages that you create so you don't have to reconfigure those common settings repeatedly. 6. In the **Available customizations** pane, you can now configure settings for the package. - - - ## Configure settings For an advanced provisioning project, Windows Configuration Designer opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings. ![What the ICD interface looks like.](../images/icd-runtime.png) -The settings in Windows Configuration Designer are based on Windows 10 configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](./how-it-pros-can-use-configuration-service-providers.md). 
+The settings in Windows Configuration Designer are based on Windows client configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](./how-it-pros-can-use-configuration-service-providers.md). The process for configuring settings is similar for all settings. The following table shows an example. - - - - - - -
                  step one
                  Expand a category.
                  Expand Certificates category
                  step two
                  Select a setting.
                  Select ClientCertificates
                  step three
                  Enter a value for the setting. Select Add if the button is displayed.
                  Enter a name for the certificate
                  step four
                  Some settings, such as this example, require additional information. In Available customizations, select the value you just created, and additional settings are displayed.
                  Additional settings for client certificate
                  step five
                  When the setting is configured, it is displayed in the Selected customizations pane.
                  Selected customizations pane
                  +1. Expand a category: -For details on each specific setting, see [Windows Provisioning settings reference](../wcd/wcd.md). The reference topic for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image. + :::image type="content" source="../images/icd-step1.png" alt-text="In Windows Configuration Designer, expand the Certificates category."::: -![Windows Configuration Designer opens the reference topic when you select a setting.](../images/icd-setting-help.png) +2. Select a setting: + + :::image type="content" source="../images/icd-step2.png" alt-text="In Windows Configuration Designer, select ClientCertificates."::: + +3. Enter a value for the setting. Select **Add** if the button is displayed: + + :::image type="content" source="../images/icd-step3.png" alt-text="In Windows Configuration Designer, enter a name for the certificate."::: + +4. Some settings, such as this example, require additional information. In **Available customizations**, select the value you just created, and more settings are displayed: + + :::image type="content" source="../images/icd-step4.png" alt-text="In Windows Configuration Designer, additional settings for client certificate are available."::: + +5. When the setting is configured, it is displayed in the **Selected customizations** pane: + + :::image type="content" source="../images/icd-step5.png" alt-text="In Windows Configuration Designer, the selected customizations pane shows your settings."::: + +For details on each specific setting, see [Windows Provisioning settings reference](../wcd/wcd.md). The reference article for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image. + +![Windows Configuration Designer opens the reference topic when you select a setting.](../images/icd-setting-help.png) ## Build package 
@@ -120,7 +121,7 @@ For details on each specific setting, see [Windows Provisioning settings referen 3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate, and then select **Next**. Both selections are optional: - - **Encrypt package** - If you select this option, an auto-generated password will be shown on the screen. + - **Encrypt package** - If you select this option, an autogenerated password will be shown on the screen. - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select** and choosing the certificate you want to use to sign the package. >[!NOTE] 
@@ -148,19 +149,17 @@ For details on each specific setting, see [Windows Provisioning settings referen
 - Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
-- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
-
 - [How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm)
-## Related topics
+## Related articles
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Provisioning packages for Windows client](provisioning-packages.md)
+- [How provisioning works in Windows client](provisioning-how-it-works.md)
 - [Install Windows Configuration Designer](provisioning-install-icd.md)
 - [Apply a provisioning package](provisioning-apply-package.md)
 - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
 - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
 - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
+- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
 - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
\ No newline at end of file
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
index 71b38c30f7..3d1a473ae6 100644
--- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md
+++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
@@ -1,6 +1,6 @@
 ---
-title: How provisioning works in Windows
-description: A provisioning package (.ppkg) is a container for a collection of configuration settings.
+title: How provisioning works in Windows 10/11
+description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -8,8 +8,7 @@ author: greg-lindsay
 ms.author: greglin
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 09/03/2021
-ms.reviewer:
+ms.reviewer: gkomatsu
 manager: dansimp
 ---
@@ -21,11 +20,11 @@ manager: dansimp - Windows 10 - Windows 11 -Provisioning packages in Windows 10 provide IT administrators with a simplified way to apply configuration settings to Windows 10 and 11 devices. Windows Configuration Designer is a tool that makes it easy to create a provisioning package. Windows Configuration Designer can be installed from Microsoft Store. +Provisioning packages in Windows client provide IT administrators with a simplified way to apply configuration settings to Windows client devices. Windows Configuration Designer is a tool that makes it easy to create a provisioning package. Windows Configuration Designer can be installed from Microsoft Store. ## Provisioning packages -A provisioning package contains specific configurations/settings and assets that can be provided through a removable media or simply downloaded to the device. +A provisioning package contains specific configurations/settings and assets that can be provided through a removable media or downloaded to the device. To enable adding multiple sets of settings or configurations, the configuration data used by the provisioning engine is built out of multiple configuration sources that consist of separate provisioning packages. Each provisioning package contains the provisioning data from a different source. @@ -69,7 +68,7 @@ When the provisioning engine selects a configuration, the Windows provisioning X ## Provisioning engine -The provisioning engine is the core component for managing provisioning and configuration at runtime in a device running Windows 10 or 11. +The provisioning engine is the core component for managing provisioning and configuration at runtime in a device running Windows 10/11. The provisioning engine provides the following functionality: 
@@ -82,7 +81,7 @@ The provisioning engine provides the following functionality:
 ## Configuration manager
-The configuration manager provides the unified way of managing Windows 10 and 11 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to [Configuration Service Providers (CSPs)](/windows/client-management/mdm/configuration-service-provider-reference) to perform the specific management requests and settings.
+The configuration manager provides the unified way of managing Windows 10/11 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to [Configuration Service Providers (CSPs)](/windows/client-management/mdm/configuration-service-provider-reference) to perform the specific management requests and settings.
 The provisioning engine relies on configuration manager for all of the actual processing and application of a chosen configuration. The provisioning engine determines the stage of provisioning and, based on a set of keys, determines the set of configuration to send to the configuration manager. The configuration manager in turn parses and calls into the CSPs for the setting to be applied.
@@ -110,14 +109,6 @@ When a trigger occurs, provisioning is initiated for a particular provisioning s - **Update**: Runs after an update to apply potential updated settings changes. - **User**: runs during a user account first run to configure per-user settings. - - - - - - - - ## Device provisioning during OOBE The provisioning engine always applies provisioning packages persisted in the `C:\Recovery\Customizations` folder on the OS partition. When the provisioning engine applies provisioning packages in the `%ProgramData%\Microsoft\Provisioning` folder, certain runtime setting applications, such as the setting to install and configure Windows apps, may be extended past the OOBE pass and continually be processed in the background when the device gets to the desktop. Settings for configuring policies and certain crucial system configurations are always be completed before the first point at which they must take effect. @@ -129,8 +120,8 @@ The following table shows how device provisioning can be initiated when a user f | Package delivery | Initiation method | Supported device | | --- | --- | --- | -| Removable media - USB drive or SD card
                  (Packages must be placed at media root) | 5 fast taps on the Windows key to launch the provisioning UI |All Windows devices | -| From an administrator device through machine-to-machine NFC or NFC tag
                  (The administrator device must run an app that can transfer the package over NFC) | 5 fast taps on the Windows key to launch the provisioning UI | Windows IoT Core devices | +| Removable media - USB drive or SD card
                  (Packages must be placed at media root) | Five fast taps on the Windows key to launch the provisioning UI |All Windows devices | +| From an administrator device through machine-to-machine NFC or NFC tag
                  (The administrator device must run an app that can transfer the package over NFC) | Five fast taps on the Windows key to launch the provisioning UI | Windows IoT Core devices | The provisioning engine always copies the acquired provisioning packages to the `%ProgramData%\Microsoft\Provisioning` folder before processing them during OOBE. The provisioning engine always applies provisioning packages embedded in the installed Windows image during Windows Setup OOBE pass regardless of whether the package is signed and trusted. When the provisioning engine applies an encrypted provisioning package on an end-user device during OOBE, users must first provide a valid password to decrypt the package. The provisioning engine also checks whether a provisioning package is signed and trusted; if it's not, the user must provide consent before the package is applied to the device. @@ -143,8 +134,8 @@ At device runtime, stand-alone provisioning packages can be applied by user init | Package delivery | Initiation method | Supported device | | --- | --- | --- | | Removable media - USB drive or SD card
                  (Packages must be placed at media root) | **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** | All Windows devices | -| Downloaded from a network connection and copied to a local folder | Double-click the package file | Windows 10 for desktop editions devices | -| From an administrator device connected to the target device through USB tethering | Drag and drop the package file onto the target device | Windows IoT Core devices | +| Downloaded from a network connection and copied to a local folder | Double-click the package file | Windows client for desktop editions devices | +| From an administrator device connected to the target device through USB tethering | Drag and drop the package file onto the target device | Windows IoT Core devices | When applying provisioning packages from a removable media attached to the device, the Settings UI allows viewing contents of a package before selecting the package for provisioning. To minimize the risk of the device being spammed by applying provisioning packages from unknown sources, a provisioning package can be signed and encrypted. Partners can also set policies to limit the application of provisioning packages at device runtime. Applying provisioning packages at device runtime requires administrator privilege. If the package is not signed or trusted, a user must provide consent before the package is applied to the device. If the package is encrypted, a valid password is needed to decrypt the package before it can be applied to the device. 
@@ -157,25 +148,16 @@ After a stand-alone provisioning package is applied to the device, the package i - Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - +## Related articles -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) +- [Provisioning packages for Windows client](provisioning-packages.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - - - - -  - -  diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index 1a467d4e6d..2185e1123a 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md 
@@ -1,6 +1,6 @@
 ---
-title: Install Windows Configuration Designer (Windows 10)
-description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10.
+title: Install Windows Configuration Designer (Windows 10/11)
+description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -8,30 +8,35 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 10/16/2017 -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp --- -# Install Windows Configuration Designer +# Install Windows Configuration Designer, and learn about any limitations **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows 11 -Use the Windows Configuration Designer tool to create provisioning packages to easily configure devices running Windows 10. Windows Configuration Designer is primarily designed for use by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices. +Use the Windows Configuration Designer tool to create provisioning packages to easily configure devices running Windows client. Windows Configuration Designer is primarily used by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices. ## Supported platforms -Windows Configuration Designer can create provisioning packages for Windows 10 desktop and mobile editions, including Windows 10 IoT Core, as well as Microsoft Surface Hub and Microsoft HoloLens. You can run Windows Configuration Designer on the following operating systems: +Windows Configuration Designer can create provisioning packages for Windows client desktop, including Windows IoT Core, Microsoft Surface Hub, and Microsoft HoloLens. You can run Windows Configuration Designer on the following operating systems: +**Client OS**: + +- Windows 11 - Windows 10 - x86 and amd64 - Windows 8.1 Update - x86 and amd64 - Windows 8.1 - x86 and amd64 - Windows 8 - x86 and amd64 - Windows 7 - x86 and amd64 + +**Server OS**: + - Windows Server 2016 - Windows Server 2012 R2 Update - Windows Server 2012 R2 
@@ -39,54 +44,38 @@ Windows Configuration Designer can create provisioning packages for Windows 10 d - Windows Server 2008 R2 >[!WARNING] ->You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. +>You must run Windows Configuration Designer on Windows client to configure Azure Active Directory enrollment using any of the wizards. ## Install Windows Configuration Designer -On devices running Windows 10, you can install [the Windows Configuration Designer app from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). To run Windows Configuration Designer on other operating systems or in languages other than English, install it from the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). - ->[!NOTE] ->If you install Windows Configuration Designer from both the ADK and Microsoft Store, the Store app will not open. -> ->The Windows Configuration Designer App from Microsoft Store currently supports only English. For a localized version of the Windows Configuration Designer, install it from the Windows ADK. - -1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and select **Get Windows ADK** for the version of Windows 10 that you want to create provisioning packages for (version 1511, 1607, or 1703). - - >[!NOTE] - >The rest of this procedure uses Windows ADK for Windows 10, version 1703 as an example. - -2. Save **adksetup.exe** and then run it. - -3. On the **Specify Location** page, select an installation path and then click **Next**. - >[!NOTE] - >The estimated disk space listed on this page applies to the full Windows ADK. If you only install Windows Configuration Designer, the space requirement is approximately 32 MB. -4. Make a selection on the **Windows Kits Privacy** page, and then click **Next**. - -5. 
Accept the **License Agreement**, and then click **Next**. - -6. On the **Select the features you want to install** page, clear all selections except **Configuration Designer**, and then click **Install**. - - ![Only Configuration Designer selected for installation.](../images/icd-install.png) +On devices running Windows client, you can install [the Windows Configuration Designer app](https://www.microsoft.com/store/apps/9nblggh4tx22) from the Microsoft Store. ## Current Windows Configuration Designer limitations -- Windows Configuration Designer will not work properly if the Group Policy setting **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** is enabled. We recommend that you run Windows Configuration Designer on a different device, rather than change the security setting. +- Windows Configuration Designer doesn't work properly if the **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** Group Policy setting is enabled. Instead of changing the security setting, we recommend you run Windows Configuration Designer on a different device. - You can only run one instance of Windows Configuration Designer on your computer at a time. -- Be aware that when adding apps and drivers, all files stored in the same folder will be imported and may cause errors during the build process. +- When adding apps and drivers, all files stored in the same folder are imported, and may cause errors during the build process. -- The Windows Configuration Designer UI does not support multivariant configurations. Instead, you must use the Windows Configuration Designer command-line interface to configure multivariant settings. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). +- The Windows Configuration Designer UI doesn't support multivariant configurations. 
Instead, you must use the Windows Configuration Designer command-line interface to configure multivariant settings. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). -- While you can open multiple projects at the same time within Windows Configuration Designer, you can only build one project at a time. +- In Windows Configuration Designer, you can only build one project at a time. You can open multiple projects at the same time, but you can only build one at a time. -- In order to enable the simplified authoring jscripts to work on a server SKU running Windows Configuration Designer, you need to explicitly enable **Allow websites to prompt for information using scripted windows**. Do this by opening Internet Explorer and then navigating to **Settings** > **Internet Options** > **Security** -> **Custom level** > **Allow websites to prompt for information using scripted windows**, and then choose **Enable**. +- To enable the simplified authoring jscripts to work on a server SKU running Windows Configuration Designer, you must enable **Allow websites to prompt for information using scripted windows**: -- If you copy a Windows Configuration Designer project from one PC to another PC, make sure that all the associated files for the deployment assets, such as apps and drivers, are copied along with the project to the same path as it was on the original PC. + 1. Open Internet Explorer. + 2. Go to **Settings** > **Internet Options** > **Security** > **Custom level**. + 3. Select **Allow websites to prompt for information using scripted windows** > **Enable**. - For example, when you add a driver to a provisioned package, you must copy the .INF file to a local directory on the PC that is running Windows Configuration Designer. 
If you don't do this, and attempt to use a copied version of this project on a different PC, Windows Configuration Designer might attempt to resolve the path to the files that point to the original PC. - -- **Recommended**: Before starting, copy all source files to the PC running Windows Configuration Designer, rather than using external sources like network shares or removable drives. This reduces the risk of interrupting the build process from a temporary network issue or from disconnecting the USB device. +- If you copy a Windows Configuration Designer project from one PC to another PC, then: + + - Copy all the associated files for the deployment assets with the project, including apps and drivers. + - Copy all the files to the same path as the original PC. + + For example, when you add a driver to a provisioned package, you must copy the `.INF` file to a local directory on the PC that's running Windows Configuration Designer. If you don't copy the `.INF` file, and use a copied version of this project on a different PC, then Windows Configuration Designer might resolve the file paths to the original PC. + +- **Recommended**: Before starting, copy all source files to the PC running Windows Configuration Designer. Don't use external sources, like network shares or removable drives. Using local files reduces the risk of interrupting the build process from a network issue, or from disconnecting the USB device. **Next step**: [How to create a provisioning package](provisioning-create-package.md) 
@@ -94,27 +83,15 @@ On devices running Windows 10, you can install [the Windows Configuration Design - Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) +## Related articles -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Provisioning packages for Windows client](provisioning-packages.md) +- [How provisioning works in Windows client](provisioning-how-it-works.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - - -  - -  - - - - - diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 6e54b39009..028b44c522 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md 
@@ -1,5 +1,5 @@ --- -title: Create a provisioning package with multivariant settings (Windows 10) +title: Create a provisioning package with multivariant settings (Windows 10/11) description: Create a provisioning package with multivariant settings to customize the provisioned settings for defined conditions. ms.prod: w10 ms.mktglfcycl: deploy @@ -7,8 +7,7 @@ ms.sitesec: library author: greg-lindsay ms.topic: article ms.localizationpriority: medium -ms.date: 11/08/2017 -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp ms.author: greglin --- @@ -19,7 +18,7 @@ ms.author: greglin **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 In your organization, you might have different configuration requirements for devices that you manage. You can create separate provisioning packages for each group of devices in your organization that have different requirements. Or, you can create a multivariant provisioning package, a single provisioning package that can work for multiple conditions. For example, in a single provisioning package, you can define one set of customization settings that will apply to devices set up for French and a different set of customization settings for devices set up for Japanese. @@ -37,38 +36,43 @@ A **Target** can have more than one **TargetState**, and a **TargetState** can h ![Target with multiple target states and conditions.](../images/multi-target.png) -The following table describes the logic for the target definition. +The following information describes the logic for the target definition: - -
                  When all Condition elements are TRUE, TargetState is TRUE.Target state is true when all conditions are true
                  If any of the TargetState elements is TRUE, Target is TRUE, and the Id can be used for setting customizations.Target is true if any target state is true
                  +- When all **Condition** elements are TRUE, **TargetState** is TRUE: + + :::image type="content" source="../images/icd-multi-targetstate-true.png" alt-text="Target state is true when all conditions are true."::: + +- If any of the **TargetState** elements is TRUE, **Target** is TRUE, and the **ID** can be used for setting customizations: + + :::image type="content" source="../images/icd-multi-target-true.png" alt-text="Target is true if any target state is true"::: ### Conditions -The following table shows the conditions supported in Windows 10 provisioning for a **TargetState**: +The following table shows the conditions supported in Windows client provisioning for a **TargetState**: -| Condition Name | Condition priority | Windows 10 Mobile | Windows 10 for desktop editions | Value type | Value description | -| --- | --- | --- | --- | --- | --- | -| MNC | P0 | Supported | Supported | Digit string | Use to target settings based on the Mobile Network Code (MNC) value. | -| MCC | P0 | Supported | Supported | Digit string | Use to target settings based on the Mobile Country Code (MCC) value. | -| SPN | P0 | Supported | Supported | String | Use to target settings based on the Service Provider Name (SPN) value. | -| PNN | P0 | Supported | Supported | String | Use to target settings based on public land mobile network (PLMN) Network Name value. | -| GID1 | P0 | Supported | Supported | Digit string | Use to target settings based on the Group Identifier (level 1) value. | -| ICCID | P0 | Supported | Supported | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. | -| Roaming | P0 | Supported | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (non-roaming). | -| UICC | P0 | Supported | N/A | Enumeration | Use to specify the Universal Integrated Circuit Card (UICC) state. Set the value to one of the following:


                  - 0 - Empty
                  - 1 - Ready
                  - 2 - Locked | -| UICCSLOT | P0 | Supported | N/A | Digit string | Use to specify the UICC slot. Set the value one of the following:


                  - 0 - Slot 0
                  - 1 - Slot 1 | -| ProcessorType | P1 | Supported | Supported | String | Use to target settings based on the processor type. | -| ProcessorName | P1 | Supported | Supported | String | Use to target settings based on the processor name. | -| AoAc ("Always On, Always Connected") | P1 | Supported | Supported | Boolean | Set the value to **0** (false) or **1** (true). If this condition is TRUE, the system supports the S0 low power idle model. | -| PowerPlatformRole | P1 | Supported | Supported | Enumeration | Indicates the preferred power management profile. Set the value based on the [POWER_PLATFORM_ROLE enumeration](/windows/win32/api/winnt/ne-winnt-power_platform_role). | -| Architecture | P1 | Supported | Supported | String | Matches the PROCESSOR_ARCHITECTURE environment variable. | -| Server | P1 | Supported | Supported | Boolean | Set the value to **0** (false) or **1** (true) to identify a server. | -| Region | P1 | Supported | Supported | Enumeration | Use to target settings based on country/region, using the 2-digit alpha ISO code per [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2). | -| Lang | P1 | Supported | Supported | Enumeration | Use to target settings based on language code, using the 2-digit [ISO 639 alpha-2 code](https://en.wikipedia.org/wiki/ISO_639). | +| Condition Name | Condition priority | Windows client for desktop editions | Value type | Value description | +| --- | --- | --- | --- | --- | +| MNC | P0 | Supported | Digit string | Use to target settings based on the Mobile Network Code (MNC) value. | +| MCC | P0 | Supported | Digit string | Use to target settings based on the Mobile Country Code (MCC) value. | +| SPN | P0 | Supported | String | Use to target settings based on the Service Provider Name (SPN) value. | +| PNN | P0 | Supported | String | Use to target settings based on public land mobile network (PLMN) Network Name value. 
| +| GID1 | P0 | Supported | Digit string | Use to target settings based on the Group Identifier (level 1) value. | +| ICCID | P0 | Supported | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. | +| Roaming | P0 | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (non-roaming). | +| UICC | P0 | N/A | Enumeration | Use to specify the Universal Integrated Circuit Card (UICC) state. Set the value to one of the following:


                  - 0 - Empty
                  - 1 - Ready
                  - 2 - Locked | +| UICCSLOT | P0 | N/A | Digit string | Use to specify the UICC slot. Set the value one of the following:


                  - 0 - Slot 0
                  - 1 - Slot 1 | +| ProcessorType | P1 | Supported | String | Use to target settings based on the processor type. | +| ProcessorName | P1 | Supported | String | Use to target settings based on the processor name. | +| AoAc ("Always On, Always Connected") | P1 | Supported | Boolean | Set the value to **0** (false) or **1** (true). If this condition is TRUE, the system supports the S0 low power idle model. | +| PowerPlatformRole | P1 | Supported | Enumeration | Indicates the preferred power management profile. Set the value based on the [POWER_PLATFORM_ROLE enumeration](/windows/win32/api/winnt/ne-winnt-power_platform_role). | +| Architecture | P1 | Supported | String | Matches the PROCESSOR_ARCHITECTURE environment variable. | +| Server | P1 | Supported | Boolean | Set the value to **0** (false) or **1** (true) to identify a server. | +| Region | P1 | Supported | Enumeration | Use to target settings based on country/region, using the 2-digit alpha ISO code per [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2). | +| Lang | P1 | Supported | Enumeration | Use to target settings based on language code, using the 2-digit [ISO 639 alpha-2 code](https://en.wikipedia.org/wiki/ISO_639). | -The matching types supported in Windows 10 are: +The matching types supported in Windows client are: | Matching type | Syntax | Example | | --- | --- | --- | 
@@ -79,7 +83,7 @@ The matching types supported in Windows 10 are: ### TargetState priorities -You can define more than one **TargetState** within a provisioning package to apply settings to devices that match device conditions. When the provisioning engine evalues each **TargetState**, more than one **TargetState** may fit current device conditions. To determine the order in which the settings are applied, the system assigns a priority to every **TargetState**. +You can define more than one **TargetState** within a provisioning package to apply settings to devices that match device conditions. When the provisioning engine evaluates each **TargetState**, more than one **TargetState** may fit current device conditions. To determine the order in which the settings are applied, the system assigns a priority to every **TargetState**. A setting that matches a **TargetState** with a lower priority is applied before the setting that matches a **TargetState** with a higher priority. This means that a setting for the **TargetState** with the higher priority can overwrite a setting for the **TargetState** with the lower priority. 
@@ -281,38 +285,29 @@ In this example, the **StoreFile** corresponds to the location of the settings s ## Events that trigger provisioning -When you install the multivariant provisioning package on a Windows 10 device, the provisioning engine applies the matching condition settings at every event and triggers provisioning. +When you install the multivariant provisioning package on a Windows client device, the provisioning engine applies the matching condition settings at every event and triggers provisioning. -The following events trigger provisioning on Windows 10 devices: +The following events trigger provisioning on Windows client devices: -| Event | Windows 10 Mobile | Windows 10 for desktop editions | -| --- | --- | --- | -| System boot | Supported | Supported | -| Operating system update | Supported | Planned | -| Package installation during device first run experience | Supported | Supported | -| Detection of SIM presence or update | Supported | Supported | -| Package installation at runtime | Supported | Supported | -| Roaming detected | Supported | Not supported | +| Event | Windows client for desktop editions | +| --- | --- | +| System boot | Supported | +| Operating system update | Planned | +| Package installation during device first run experience | Supported | +| Detection of SIM presence or update | Supported | +| Package installation at runtime | Supported | +| Roaming detected | Not supported | +## Related articles - - - - - - - - -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Provisioning packages for Windows client](provisioning-packages.md) +- [How provisioning works in Windows client](provisioning-how-it-works.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings 
changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index e788dfc0a5..0a4cc16ed5 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -1,8 +1,8 @@ --- -title: Provisioning packages (Windows) -description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. +title: Provisioning packages overview on Windows 10/11 +description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do. ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp ms.prod: w10 ms.mktglfcycl: deploy @@ -11,7 +11,7 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 09/07/2021 + --- # Provisioning packages for Windows 
@@ -24,9 +24,9 @@ ms.date: 09/07/2021 Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. -A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows 10 and 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. +A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows client, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. -Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization. +Provisioning packages are simple enough that with a short set of written instructions, a student, or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization. Windows Configuration Designer is available as an [app in the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). @@ -43,7 +43,6 @@ Windows Configuration Designer is available as an [app in the Microsoft Store](h - ## Benefits of provisioning packages 
@@ -75,17 +74,18 @@ Provisioning packages can be: The following table describes settings that you can configure using the wizards in Windows Configuration Designer to create provisioning packages. +| Step | Description | Desktop wizard | Kiosk wizard | HoloLens wizard | +| --- | --- | --- | --- | --- | +| Set up device | Assign device name, enter product key to upgrade Windows, configure shared used, remove pre-installed software | ✔️ | ✔️ | ✔️ | +| Set up network | Connect to a Wi-Fi network | ✔️ | ✔️ | ✔️ | +| Account management | Enroll device in Active Directory, enroll device in Azure Active Directory, or create a local administrator account | ✔️ | ✔️ | ✔️ | +| Bulk Enrollment in Azure AD | Enroll device in Azure Active Directory

                  Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). | ❌ | ❌ | ❌ | +| Add applications | Install applications using the provisioning package. | ✔️ | ✔️ | ❌ | +| Add certificates | Include a certificate file in the provisioning package. | ✔️ | ✔️ | ✔️ | +| Configure kiosk account and app | Create local account to run the kiosk mode app, specify the app to run in kiosk mode | ❌ | ✔️ | ❌ | +| Configure kiosk common settings | Set tablet mode, configure welcome and shutdown screens, turn off timeout settings | ❌ | ✔️ | ❌ | +| Developer Setup | Enable Developer Mode | ❌ | ❌ | ✔️ | - - - - - - - - - -
                  StepDescriptionDesktop wizardKiosk wizardHoloLens wizard
                  Set up deviceAssign device name,
                  enter product key to upgrade Windows,
                  configure shared used,
                  remove pre-installed software
                  yesyesyes
                  Set up networkConnect to a Wi-Fi networkyesyesyes
                  Account managementEnroll device in Active Directory,
                  enroll device in Azure Active Directory,
                  or create a local administrator account
                  yesno1yes
                  Bulk Enrollment in Azure ADEnroll device in Azure Active Directory

                  Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization.
                  no5no4no2
                  Add applicationsInstall applications using the provisioning package.yesyesno3
                  Add certificatesInclude a certificate file in the provisioning package.yesyesyes
                  Configure kiosk account and appCreate local account to run the kiosk mode app,
                  specify the app to run in kiosk mode
                  no6yesno7
                  Configure kiosk common settingsSet tablet mode,
                  configure welcome and shutdown screens,
                  turn off timeout settings
                  no8yesno9
                  Developer SetupEnable Developer Mode.no22no11yes
                  @@ -99,7 +99,6 @@ The following table describes settings that you can configure using the wizards - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) -- [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - [Instructions for the HoloLens wizard](/hololens/hololens-provisioning#wizard) 
@@ -112,20 +111,17 @@ The following table describes settings that you can configure using the wizards The following table provides some examples of settings that you can configure using the Windows Configuration Designer advanced editor to create provisioning packages. -| Customization options | Examples | -|--------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------| +| Customization options | Examples | +|---|---| | Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters | -| Applications | Windows apps, line-of-business applications | -| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service\* | -| Certificates | Root certification authority (CA), client certificates | -| Connectivity profiles | Wi-Fi, proxy settings, Email | -| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings | -| Data assets | Documents, music, videos, pictures | -| Start menu customization | Start menu layout, application pinning | -| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on | - -\* Using a provisioning package for auto-enrollment to Microsoft Endpoint Manager is not supported. Use the Configuration Manager console to enroll devices. - +| Applications | Windows apps, line-of-business applications | +| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service

                  Using a provisioning package for auto-enrollment to Microsoft Endpoint Manager isn't supported. To enroll devices, use the Configuration Manager console. | +| Certificates | Root certification authority (CA), client certificates | +| Connectivity profiles | Wi-Fi, proxy settings, Email | +| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings | +| Data assets | Documents, music, videos, pictures | +| Start menu customization | Start menu layout, application pinning | +| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on | For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). @@ -136,7 +132,7 @@ For details about the settings you can customize in provisioning packages, see [ WCD, simplified common provisioning scenarios. -![Configuration Designer options.](../images/icd.png) +:::image type="content" source="../images/icd.png" alt-text="Configuration Designer options"::: WCD supports the following scenarios for IT administrators: 
@@ -146,34 +142,31 @@ WCD supports the following scenarios for IT administrators: * **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use WCD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. -* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use WCD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: +* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows devices and enroll them into mobile device management (MDM) before handing them to end users in the organization. IT administrators can use WCD to specify the management endpoint and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. 
Supported management end-points include: - * Microsoft Intune (certificate-based enrollment) - * AirWatch (password-string based enrollment) - * Mobile Iron (password-string based enrollment) - * Other MDMs (cert-based enrollment) + - Microsoft Intune (certificate-based enrollment) + - AirWatch (password-string based enrollment) + - MobileIron (password-string based enrollment) + - Other MDMs (cert-based enrollment) ## Learn more -For more information about provisioning, watch the following videos: +For more information about provisioning, watch the following video: -- [Provisioning Windows 10 devices with new tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) +- [Provisioning Windows client devices with new tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) -- [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) +## Related articles -## Related topics - -- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [How provisioning works in Windows client](provisioning-how-it-works.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) -- 
[Use Windows Configuration Designer to configure Windows 10 Mobile devices](../mobile-devices/provisioning-configure-mobile.md) diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md index 4ed15d47fc..50e9c56a1e 100644 --- a/windows/configuration/provisioning-packages/provisioning-powershell.md +++ b/windows/configuration/provisioning-packages/provisioning-powershell.md @@ -1,6 +1,6 @@ --- -title: PowerShell cmdlets for provisioning Windows 10 (Windows 10) -description: +title: PowerShell cmdlets for provisioning Windows 10/11 (Windows 10/11) +description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows10/11 client desktop devices. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -8,32 +8,68 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp --- -# PowerShell cmdlets for provisioning Windows 10 (reference) +# PowerShell cmdlets for provisioning Windows client (reference) **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 -Windows 10, version 1703, ships with Windows Provisioning PowerShell cmdlets. These cmdlets make it easy to script the following functions. +Windows client includes Provisioning PowerShell cmdlets. These cmdlets make it easy to script the following functions. +## cmdlets +- **Add-ProvisioningPackage**: Applies a provisioning package. - - - - - - - - -
                  CmdletUse this cmdlet toSyntax
                  Add-ProvisioningPackage Apply a provisioning packageAdd-ProvisioningPackage [-Path] <string> [-ForceInstall] [-LogsFolder <string>] [-QuietInstall] [-WprpFile <string>] [<CommonParameters>]
                  Remove-ProvisioningPackageRemove a provisioning package Remove-ProvisioningPackage -PackageId <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
                  Remove-ProvisioningPackage -Path <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
                  Remove-ProvisioningPackage -AllInstalledPackages [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
                  Get-ProvisioningPackage Get information about an installed provisioning package Get-ProvisioningPackage -PackageId <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
                  Get-ProvisioningPackage -Path <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
                  Get-ProvisioningPackage -AllInstalledPackages [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
                  Export-ProvisioningPackage Extract the contents of a provisioning package Export-ProvisioningPackage -PackageId <string> -OutputFolder <string> [-Overwrite] [-AnswerFileOnly] [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
                  Export-ProvisioningPackage -Path <string> -OutputFolder <string> [-Overwrite] [-AnswerFileOnly] [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
                  Install-TrustedProvisioningCertificate Adds a certificate to the Trusted Certificate store Install-TrustedProvisioningCertificate <path to local certificate file on disk>
                  Get-TrustedProvisioningCertificate List all installed trusted provisioning certificates; use this cmdlet to get the certificate thumbprint to use with the Uninstall-TrustedProvisioningCertificate cmdletGet-TrustedProvisioningCertificate
                  Uninstall-TrustedProvisioningCertificate Remove a previously installed provisioning certificateUninstall-TrustedProvisioningCertificate <thumbprint>
                  + Syntax: + + - `Add-ProvisioningPackage [-Path] [-ForceInstall] [-LogsFolder ] [-QuietInstall] [-WprpFile ] []` + +- **Remove-ProvisioningPackage**: Removes a provisioning package. + + Syntax: + + - `Remove-ProvisioningPackage -PackageId [-LogsFolder ] [-WprpFile ] []` + - `Remove-ProvisioningPackage -Path [-LogsFolder ] [-WprpFile ] []` + - `Remove-ProvisioningPackage -AllInstalledPackages [-LogsFolder ] [-WprpFile ] []` + +- **Get-ProvisioningPackage**: Gets information about an installed provisioning package. + + Syntax: + + - `Get-ProvisioningPackage -PackageId [-LogsFolder ] [-WprpFile ] []` + - `Get-ProvisioningPackage -Path [-LogsFolder ] [-WprpFile ] []` + - `Get-ProvisioningPackage -AllInstalledPackages [-LogsFolder ] [-WprpFile ] []` + +- **Export-ProvisioningPackage**: Extracts the contents of a provisioning package. + + Syntax: + + - `Export-ProvisioningPackage -PackageId -OutputFolder [-Overwrite] [-AnswerFileOnly] [-LogsFolder ] [-WprpFile ] []` + - `Export-ProvisioningPackage -Path -OutputFolder [-Overwrite] [-AnswerFileOnly] [-LogsFolder ] [-WprpFile ] []` + +- **Install-TrustedProvisioningCertificate**: Adds a certificate to the Trusted Certificate store. + + Syntax: + + - `Install-TrustedProvisioningCertificate ` + +- **Get-TrustedProvisioningCertificate**: Lists all installed trusted provisioning certificates. Use this cmdlet to get the certificate thumbprint to use with the `Uninstall-TrustedProvisioningCertificate` cmdlet. + + Syntax: + + - `Get-TrustedProvisioningCertificate` + +- **Uninstall-TrustedProvisioningCertificate**: Removes a previously installed provisioning certificate. + + Syntax: + + - `Uninstall-TrustedProvisioningCertificate ` >[!NOTE] > You can use Get-Help to get usage help on any command. For example: `Get-Help Add-ProvisioningPackage` 
@@ -51,9 +87,9 @@ Trace logs are captured when using cmdlets. The following logs are available in
 >When applying provisioning packages using Powershell cmdlets, the default behavior is to suppress the prompt that appears when applying an unsigned provisioning package. This is by design so that provisioning packages can be applied as part of existing scripts.
-## Related topics
+## Related articles
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [How provisioning works in Windows client](provisioning-how-it-works.md)
 - [Install Windows Configuration Designer](provisioning-install-icd.md)
 - [Create a provisioning package](provisioning-create-package.md)
 - [Apply a provisioning package](provisioning-apply-package.md)
@@ -63,15 +99,3 @@ Trace logs are captured when using cmdlets. The following logs are available in
 - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
 - [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
index 6e01640c44..1fc466b83d 100644
--- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
+++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
@@ -1,6 +1,6 @@
 ---
-title: Use a script to install a desktop app in provisioning packages (Windows 10)
-description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+title: Use a script to install a desktop app in provisioning packages (Windows 10/11)
+description: With Windows 10/11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -8,8 +8,7 @@ author: greg-lindsay
 ms.author: greglin
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 07/27/2017
-ms.reviewer:
+ms.reviewer: gkomatsu
 manager: dansimp
 ---
@@ -19,14 +18,9 @@ manager: dansimp
 **Applies to**
 - Windows 10
-- Windows 10 Mobile
+- Windows 11
-This walkthrough describes how to leverage the ability to include scripts in a Windows 10 provisioning package to install Win32 applications. Scripted operations other than installing apps can also be performed, however, some care is needed in order to avoid unintended behavior during script execution (see [Remarks](#remarks) below).
-
->**Prerequisite**: [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), version 1511 or higher
-
->[!NOTE]
->This scenario is only supported for installing applications on Windows 10 for desktop, version 1511 or higher.
+This walkthrough describes how to include scripts in a Windows client provisioning package to install Win32 applications. Scripted operations other than installing apps can also be performed. However, some care is needed to avoid unintended behavior during script execution (see [Remarks](#remarks) below).
 ## Assemble the application assets
@@ -34,12 +28,11 @@ This walkthrough describes how to leverage the ability to include scripts in a W 2. If you need to include a directory structure of files, you will need to cab the assets for easy inclusion in the provisioning packages. - ## Cab the application assets -1. Create a .DDF file as below, replacing *file1* and *file2* with the files you want to package, and adding the name of file/directory. +1. Create a `.DDF` file as below, replacing *file1* and *file2* with the files you want to package, and adding the name of file/directory. - ``` + ```ddf ;*** MSDN Sample Source Code MakeCAB Directive file example ; 
@@ -89,15 +82,15 @@ This walkthrough describes how to leverage the ability to include scripts in a W 2. Use makecab to create the cab files. - ``` + ```makecab Makecab -f ``` ## Create the script to install the application -In Windows 10, version 1607 and earlier, create a script to perform whatever work is needed to install the application(s). The following examples are provided to help get started authoring the orchestrator script that will execute the required installers. In practice, the orchestrator script may reference many more assets than those in these examples. +Create a script to perform whatever work is needed to install the application(s). The following examples are provided to help get started authoring the orchestrator script that will execute the required installers. In practice, the orchestrator script may reference many more assets than those in these examples. -In Windows 10, version 1703, you don’t need to create an orchestrator script. You can have one command line per app. If necessary, you can create a script that logs the output per app, as mentioned below (rather than one orchestrator script for the entire provisioning package). +You don’t need to create an orchestrator script. You can have one command line per app. If necessary, you can create a script that logs the output per app, as mentioned below (rather than one orchestrator script for the entire provisioning package). >[!NOTE] >All actions performed by the script must happen silently, showing no UI and requiring no user interaction. 
@@ -108,15 +101,16 @@ In Windows 10, version 1703, you don’t need to create an orchestrator script. Granular logging is not built in, so the logging must be built into the script itself. Here is an example script that logs ‘Hello World’ to a logfile. When run on the device, the logfile will be available after provisioning is completed. As you will see in the following examples, it’s recommended that you log each action that your script performs. -``` +```log set LOGFILE=%SystemDrive%\HelloWorld.log echo Hello, World >> %LOGFILE% ``` + ### .exe example -This example script shows how to create a log output file on the system drive, install an app from a .exe installer, and echo the results to the log file. +This example script shows how to create a log output file on the system drive, install an app from an `.exe` installer, and echo the results to the log file. -``` +```exe set LOGFILE=%SystemDrive%\Fiddler_install.log echo Installing Fiddler.exe >> %LOGFILE% fiddler4setup.exe /S >> %LOGFILE% @@ -127,7 +121,7 @@ echo result: %ERRORLEVEL% >> %LOGFILE% This is the same as the previous installer, but installs the app from an MSI installer. Notice that msiexec is called with the /quiet flag in order to meet the silent requirement of scripts run from within a provisioning package. -``` +```msi set LOGFILE=%SystemDrive%\IPOverUsb_install.log echo Installing IpOverUsbInstaller.msi >> %LOGFILE% msiexec /i IpOverUsbInstaller.msi /quiet >> %LOGFILE% 
@@ -136,9 +130,9 @@ echo result: %ERRORLEVEL% >> %LOGFILE% ### PowerShell example -This is an example script with logging that shows how to run a powershell script from the provisioning commands setting. Note that the PowerShell script referenced from this example must also be included in the package, and obey the same requirements as all scripts run from within the provisioning package: it must execute silently, with no user interaction. +This is an example script with logging that shows how to run a PowerShell script from the provisioning commands setting. The PowerShell script referenced from this example must also be included in the package, and obey the same requirements as all scripts run from within the provisioning package: it must execute silently, with no user interaction. -``` +```powershell set LOGFILE=%SystemDrive%\my_powershell_script.log echo Running my_powershell_script.ps1 in system context >> %LOGFILE% echo Executing "PsExec.exe -accepteula -i -s cmd.exe /c powershell.exe my_powershell_script.ps1" >> %LOGFILE% @@ -147,11 +141,12 @@ echo result: %ERRORLEVEL% >> %LOGFILE% ``` + ### Extract from a .CAB example -This example script shows expansion of a .cab from the provisioning commands script, as well as installation of the expanded setup.exe +This example script shows expansion of a .cab from the provisioning commands script, and installation of the expanded setup.exe -``` +```cab set LOGFILE=%SystemDrive%\install_my_app.log echo Expanding installer_assets.cab >> %LOGFILE% expand -r installer_assets.cab -F:* . >> %LOGFILE% 
@@ -163,9 +158,9 @@ echo result: %ERRORLEVEL% >> %LOGFILE%
 ### Calling multiple scripts in the package
-In Windows 10, version 1703, your provisioning package can include multiple CommandLines.
+Your provisioning package can include multiple CommandLines.
-In Windows 10, version 1607 and earlier, you are allowed one CommandLine per provisioning package. The batch files shown above are orchestrator scripts that manage the installation and call any other scripts included in the provisioning package. The orchestrator script is what should be invoked from the CommandLine specified in the package.
+You are allowed one CommandLine per provisioning package. The batch files shown above are orchestrator scripts that manage the installation and call any other scripts included in the provisioning package. The orchestrator script is what should be invoked from the CommandLine specified in the package.
 Here’s a table describing this relationship, using the PowerShell example from above:
@@ -174,16 +169,15 @@ Here’s a table describing this relationship, using the PowerShell example from | --- | --- | --- | | ProvisioningCommands/DeviceContext/CommandLine | cmd /c PowerShell_Example.bat | The command line needed to invoke the orchestrator script. | | ProvisioningCommands/DeviceContext/CommandFiles | PowerShell_Example.bat | The single orchestrator script referenced by the command line that handles calling into the required installers or performing any other actions such as expanding cab files. This script must do the required logging. | -| ProvisioningCommands/DeviceContext/CommandFiles | my_powershell_script.ps1 | Other assets referenced by the orchestrator script. In this example there is only one, but there could be many assets referenced here. One common use case is using the orchestrator to call a series of install.exe or setup.exe installers to install several applications. Each of those installers must be included as an asset here. | +| ProvisioningCommands/DeviceContext/CommandFiles | my_powershell_script.ps1 | Other assets referenced by the orchestrator script. In this example, there is only one, but there could be many assets referenced here. One common use case is using the orchestrator to call a series of install.exe or setup.exe installers to install several applications. Each of those installers must be included as an asset here. | - -### Add script to provisioning package (Windows 10, version 1607) - -When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Window Configuration Designer. +### Add script to provisioning package -Using Windows Configuration Designer, specify the full details of how the script should be run in the CommandLine setting in the provisioning package. This includes flags or any other parameters that you would normally type on the command line. 
So for example if the package contained an app installer called install.exe and a script used to automate the install called InstallMyApp.bat, the `ProvisioningCommands/DeviceContext/CommandLine` setting should be configured to: +When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Windows Configuration Designer. -``` +Using Windows Configuration Designer, specify the full details of how the script should be run in the CommandLine setting in the provisioning package. This includes flags or any other parameters that you would normally type on the command line. So for example if the package contained an app installer called install.exe and a script used to automate the install called InstallMyApp.bat, the `ProvisioningCommands/DeviceContext/CommandLine` setting should be configured to: + +```bat cmd /c InstallMyApp.bat ``` 
@@ -201,20 +195,21 @@ When you are done, [build the package](provisioning-create-package.md#build-pack ### Remarks + 1. No user interaction or console output is supported via ProvisioningCommands. All work needs to be silent. If your script attempts to do any of the following it will cause undefined behavior, and could put the device in an unrecoverable state if executed during setup or the Out of Box Experience: a. Echo to console b. Display anything on the screen c. Prompt the user with a dialog or install wizard 2. When applied at first boot, provisioning runs early in the boot sequence and before a user context has been established; care must be taken to only include installers that can run at this time. Other installers can be provisioned via a management tool. -3. If the device is put into an unrecoverable state because of a bad script, you can reset it using [recovery options in Windows 10](https://support.microsoft.com/help/12415/windows-10-recovery-options). +3. If the device is put into an unrecoverable state because of a bad script, you can reset it using [recovery options in Windows client](https://support.microsoft.com/help/12415/windows-10-recovery-options). 4. The CommandFile assets are deployed on the device to a temporary folder unique to each package. - - For Windows 10, version 1607 and earlier: - a. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands` - b. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the PPKG: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands` - - For Windows 10, version 1703: - a. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0` + + 1. 
For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0` + The `0` after `Commands\` refers to the installation order and indicates the first app to be installed. The number will increment for each app in the package. - b. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the provisioning package: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0` + + 2. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the provisioning package: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0` + 5. The command line will be executed with the directory the CommandFiles were deployed to as the working directory. This means you do not need to specific the full path to assets in the command line or from within any script. 6. The runtime provisioning component will attempt to run the scripts from the provisioning package at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the out of box experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and “please wait” will be displayed on the screen. 
@@ -223,15 +218,15 @@ When you are done, [build the package](provisioning-create-package.md#build-pack 7. The scripts are executed in the background as the rest of provisioning continues to run. For packages added on existing systems using the double-click to install, there is no notification that provisioning or script execution has completed -## Related topics +## Related articles -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Provisioning packages for Windows client](provisioning-packages.md) +- [How provisioning works in Windows client](provisioning-how-it-works.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md index 02e79a47a9..4a25836a61 100644 --- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md +++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md 
@@ -1,6 +1,6 @@ --- -title: Uninstall a provisioning package - reverted settings (Windows 10) -description: This topic lists the settings that are reverted when you uninstall a provisioning package. +title: Uninstall a provisioning package - reverted settings (Windows 10/11) +description: This article lists the settings that are reverted when you uninstall a provisioning package on Windows 10/11 desktop client devices. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -8,8 +8,7 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp --- @@ -19,9 +18,9 @@ manager: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 -When you uninstall a provisioning package, only certain settings are revertible. This topic lists the settings that are reverted when you uninstall a provisioning package. +When you uninstall a provisioning package, only certain settings are revertible. This article lists the settings that are reverted when you uninstall a provisioning package. As an administrator, you can uninstall by using the **Add or remove a package for work or school** option available under **Settings** > **Accounts** > **Access work or school**. 
@@ -79,19 +78,15 @@ Here is the list of revertible settings based on configuration service providers -## Related topics +## Related articles -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Provisioning packages for Windows client](provisioning-packages.md) +- [How provisioning works in Windows client](provisioning-how-it-works.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - -  - -  \ No newline at end of file diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index ed5c4ee3a3..f47dd5956d 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -1,6 +1,6 @@ --- -title: Set up a shared or guest PC with Windows 10 (Windows 10) -description: Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios. +title: Set up a shared or guest PC with Windows 10/11 +description: Windows 10 and Windows has shared PC mode, which optimizes Windows client for shared use scenarios. keywords: ["shared pc mode"] ms.prod: w10 ms.mktglfcycl: manage 
@@ -9,30 +9,31 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp --- -# Set up a shared or guest PC with Windows 10 +# Set up a shared or guest PC with Windows 10/11 **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 -Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise. +Windows client has a *shared PC mode*, which optimizes Windows client for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows client Pro, Pro Education, Education, and Enterprise. > [!NOTE] -> If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education. +> If you're interested in using Windows client for shared PCs in a school, see [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education. ## Shared PC mode concepts -A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen. +A Windows client PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen. 
### Account models -It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Guest** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used. Windows 10, version 1703, introduces a **kiosk mode** account. Shared PC mode can be configured to enable a **Kiosk** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used to run a specified app in assigned access (kiosk) mode. +It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Guest** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used. Windows client has a **kiosk mode** account. Shared PC mode can be configured to enable a **Kiosk** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used to run a specified app in assigned access (kiosk) mode. ### Account management -When the account management service is turned on in shared PC mode, accounts are automatically deleted. 
Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Guest** and **Kiosk** options. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. In Windows 10, version 1703, an inactive option is added which deletes accounts if they haven't signed in after a specified number of days. +When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Guest** and **Kiosk** options. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. In Windows client, an inactive option is added which deletes accounts if they haven't signed in after a specified number of days. ### Maintenance and sleep Shared PC mode is configured to take advantage of maintenance time periods which run while the PC is not in use. Therefore, sleep is strongly recommended so that the PC can wake up when it is not in use to perform maintenance, clean up accounts, and run Windows Update. The recommended settings can be set by choosing **SetPowerPolicies** in the list of shared PC options. Additionally, on devices without Advanced Configuration and Power Interface (ACPI) wake alarms, shared PC mode will always override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods. 
@@ -73,7 +74,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re | Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. | | Customization: MaxPageFileSizeMB | Adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs. | | Customization: RestrictLocalStorage | Set as **True** to restrict the user from saving or viewing local storage when using File Explorer. This setting controls this API: [ShouldAvoidLocalStorage](/uwp/api/windows.system.profile.sharedmodesettings) | -| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. For more information, see [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education). This setting controls this API: [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | +| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. For more information, see [Windows client configuration recommendations for education customers](/education/windows/configure-windows-for-education). This setting controls this API: [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | | Customization: SetPowerPolicies | When set as **True**:
                  - Prevents users from changing power settings
                  - Turns off hibernate
                  - Overrides all power state transitions to sleep (e.g. lid close) | | Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. | | Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. | @@ -83,7 +84,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re You can configure Windows to be in shared PC mode in a couple different ways: -- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps: +- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows client in Intune, complete the following steps: 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 
@@ -112,12 +113,12 @@ You can configure Windows to be in shared PC mode in a couple different ways: 11. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**. -- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**. +- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows client that's already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**. ![Shared PC settings in ICD.](images/icd-adv-shared-pc.png) - WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the [MDM_SharedPC class](/windows/win32/dmwmibridgeprov/mdm-sharedpc). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). 
For example, open PowerShell as an administrator and enter the following: - + ```powershell $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC" $sharedPC.EnableSharedPCMode = $True diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md index 80bbd5b7da..d545a5cc63 100644 --- a/windows/configuration/setup-digital-signage.md +++ b/windows/configuration/setup-digital-signage.md @@ -1,8 +1,8 @@ --- -title: Set up digital signs on Windows 10 (Windows 10) -description: A single-use device such as a digital sign is easy to set up in Windows 10 (Pro, Enterprise, and Education). +title: Set up digital signs on Windows 10/11 +description: A single-use device such as a digital sign is easy to set up in Windows 10 and Windows 11 (Pro, Enterprise, and Education). ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage", "kiosk browser", "browser"] 
@@ -11,31 +11,30 @@ ms.mktglfcycl: manage ms.sitesec: library author: greg-lindsay ms.localizationpriority: medium -ms.date: 10/02/2018 +ms.date: 09/20/2021 ms.topic: article --- -# Set up digital signs on Windows 10 - +# Set up digital signs on Windows 10/11 **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed. -For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app (a new Microsoft app for Windows 10, version 1803) and configure it to show your online content. +For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app, and configure it to show your online content. >[!TIP] >Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers). -Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 10, version 1803. +Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 11, and Windows 10 version 1803+. 
>[!NOTE] >If you haven't set up your Microsoft Store for Business yet, check out [the prerequisites](/microsoft-store/prerequisites-microsoft-store-for-business) and then [sign up](/microsoft-store/sign-up-microsoft-store-for-business). - -This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows 10, version 1803, that has already been set up (completed the first-run experience). +This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows client that has already been set up (completed the first-run experience). 1. [Get **Kiosk Browser** in Microsoft Store for Business with offline, unencoded license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps) 2. [Download the **Kiosk Browser** package, license file, and all required frameworks.](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) 
@@ -43,24 +42,24 @@ This procedure explains how to configure digital signage using Kiosk Browser on 3. Open Windows Configuration Designer and select **Provision kiosk devices**. 4. Enter a friendly name for the project, and select **Finish**. 5. On **Set up device**, select **Disabled**, and select **Next**. -6. On **Set up network**, enable network setup. +6. On **Set up network**, enable network setup: - Toggle **On** wireless network connectivity. - Enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network. 7. On **Account management**, select **Disabled**, and select **Next**. -8. On **Add applications**, select **Add an application**. +8. On **Add applications**, select **Add an application**: - For **Application name**, enter `Kiosk Browser`. - For **Installer path**, browse to and select the AppxBundle that you downloaded from Microsoft Store for Business. After you select the package, additional fields are displayed. - For **License file path**, browse to and select the XML license file that you downloaded from Microsoft Store for Business. - The **Package family name** is populated automatically. - Select **Next**. 9. On **Add certificates**, select **Next**. -10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage. +10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage: - Enter a user name and password, and toggle **Auto sign-in** to **Yes**. - Under **Configure the kiosk mode app**, enter the user name for the account that you're creating. - For **App type**, select **Universal Windows App**. - In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe!App`. 11. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**. -12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. 
Let's assume that the URL for your digital signage content is contoso.com/menu. +12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu: - In **BlockedUrlExceptions**, enter `https://www.contoso.com/menu`. - In **BlockedUrl**, enter `*`. - In **DefaultUrl**, enter `https://www.contoso.com/menu`. @@ -79,16 +78,3 @@ This procedure explains how to configure digital signage using Kiosk Browser on 20. Copy the .ppkg file to a USB drive. 21. Attach the USB drive to the device that you want to use for your digital sign. 22. Go to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package on the USB drive. - - - - - - - - - - - - - diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index 49a2494418..64b68fb707 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -1,6 +1,6 @@ --- title: Start layout XML for desktop editions of Windows 10 (Windows 10) -description: This topic describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions. +description: This article describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions. keywords: ["start screen"] ms.prod: w10 ms.mktglfcycl: manage 
@@ -28,9 +28,9 @@ On Windows 10 for desktop editions, the customized Start works by: - Windows 10 checks the chosen base default layout, such as the desktop edition and whether Cortana is supported for the country/region. - Windows 10 reads the LayoutModification.xml file and allows groups to be appended to Start. The groups have the following constraints: - - 2 groups that are 6 columns wide, or equivalent to the width of 3 medium tiles. - - 2 medium-sized tile rows in height. Windows 10 ignores any tiles that are pinned beyond the second row. - - No limit to the number of apps that can be pinned. There is a theoretical limit of 24 tiles per group (4 small tiles per medium square x 3 columns x 2 rows). + - Two groups that are six columns wide, or equivalent to the width of three medium tiles. + - Two medium-sized tile rows in height. Windows 10 ignores any tiles that are pinned beyond the second row. + - No limit to the number of apps that can be pinned. There's a theoretical limit of 24 tiles per group (four small tiles per medium square x 3 columns x 2 rows). >[!NOTE] >To use the layout modification XML to configure Start with roaming user profiles, see [Deploying Roaming User Profiles](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs). @@ -78,18 +78,18 @@ The following table lists the supported elements and attributes for the LayoutMo | [RequiredStartGroups](#requiredstartgroups)

                  Parent:
                  RequiredStartGroupsCollection | Region | Use to contain the AppendGroup tags, which represent groups that can be appended to the default Start layout | | [AppendGroup](#appendgroup)

                  Parent:
                  RequiredStartGroups | Name | Use to specify the tiles that need to be appended to the default Start layout | | [start:Tile](#specify-start-tiles)

                  Parent:
                  AppendGroup | AppUserModelID
                  Size
                  Row
                  Column | Use to specify any of the following:
                  - A Universal Windows app
                  - A Windows 8 or Windows 8.1 app

                  Note that AppUserModelID is case-sensitive. | -start:Folder

                  Parent:
                  start:Group | Name (in Windows 10, version 1809 and later only)
                  Size
                  Row
                  Column
                  LocalizedNameResourcetag | Use to specify a folder of icons; can include [Tile](#start-tile), [SecondaryTile](#start-secondarytile), and [DesktopApplicationTile](#start-desktopapplicationtile). -| start:DesktopApplicationTile

                  Parent:
                  AppendGroup | DesktopApplicationID
                  DesktopApplicationLinkPath
                  Size
                  Row
                  Column | Use to specify any of the following:
                  - A Windows desktop application with a known AppUserModelID
                  - An application in a known folder with a link in a legacy Start Menu folder
                  - A Windows desktop application link in a legacy Start Menu folder
                  - A Web link tile with an associated .url file that is in a legacy Start Menu folder | +| start:Folder

                  Parent:
                  start:Group | Name (in Windows 10, version 1809 and later only)
                  Size
                  Row
                  Column
                  LocalizedNameResourcetag | Use to specify a folder of icons; can include [Tile](#start-tile), [SecondaryTile](#start-secondarytile), and [DesktopApplicationTile](#start-desktopapplicationtile). | +| start:DesktopApplicationTile

                  Parent:
                  AppendGroup | DesktopApplicationID
                  DesktopApplicationLinkPath
                  Size
                  Row
                  Column | Use to specify any of the following:
                  - A Windows desktop application with a known AppUserModelID
                  - An application in a known folder with a link in a legacy Start Menu folder
                  - A Windows desktop application link in a legacy Start Menu folder
                  - A Web link tile with an associated `.url` file that is in a legacy Start Menu folder | | start:SecondaryTile

                  Parent:
                  AppendGroup | AppUserModelID
                  TileID
                  Arguments
                  DisplayName
                  Square150x150LogoUri
                  ShowNameOnSquare150x150Logo
                  ShowNameOnWide310x150Logo
                  Wide310x150LogoUri
                  BackgroundColor
                  ForegroundText
                  IsSuggestedApp
                  Size
                  Row
                  Column | Use to pin a Web link through a Microsoft Edge secondary tile. Note that AppUserModelID is case-sensitive. | -| TopMFUApps

                  Parent:
                  LayoutModificationTemplate | n/a | Use to add up to 3 default apps to the frequently used apps section in the system area.

                  **Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. | +| TopMFUApps

                  Parent:
                  LayoutModificationTemplate | n/a | Use to add up to three default apps to the frequently used apps section in the system area.

                  **Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. | | Tile

                  Parent:
                  TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID.

                  **Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. | | DesktopApplicationTile

                  Parent:
                  TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID.

                  **Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. | -| AppendOfficeSuite

                  Parent:
                  LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to Start. For more information, see [Customize the Office suite of tiles](/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles).

                  Do not use this tag with AppendDownloadOfficeTile | +| AppendOfficeSuite

                  Parent:
                  LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to Start. For more information, see [Customize the Office suite of tiles](/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles).

                  Don't use this tag with AppendDownloadOfficeTile. | | AppendDownloadOfficeTile

                  Parent:
                  LayoutModificationTemplate | n/a | Use to add a specific **Download Office** tile to a specific location in Start

                  Do not use this tag with AppendOfficeSuite | ### LayoutOptions -New devices running Windows 10 for desktop editions will default to a Start menu with 2 columns of tiles unless boot to tablet mode is enabled. Devices with screens that are under 10" have boot to tablet mode enabled by default. For these devices, users see the full screen Start on the desktop. You can adjust the following features: +New devices running Windows 10 for desktop editions will default to a Start menu with two columns of tiles unless boot to tablet mode is enabled. Devices with screens that are under 10" have boot to tablet mode enabled by default. For these devices, users see the full screen Start on the desktop. You can adjust the following features: - Boot to tablet mode can be set on or off. - Set full screen Start on desktop to on or off. 
@@ -97,7 +97,7 @@ New devices running Windows 10 for desktop editions will default to a Start menu - Specify the number of columns in the Start menu to 1 or 2. To do this, add the LayoutOptions element in your LayoutModification.xml file and set the StartTileGroupsColumnCount attribute to 1 or 2. -The following example shows how to use the LayoutOptions element to specify full screen Start on the desktop and to use 1 column in the Start menu: +The following example shows how to use the LayoutOptions element to specify full screen Start on the desktop and to use one column in the Start menu: ```XML [!IMPORTANT] >For Windows 10 for desktop editions, you can add a maximum of two (2) **AppendGroup** tags per **RequiredStartGroups** tag. -You can also assign regions to the append groups in the **RequiredStartGroups** tag's using the optional **Region** attribute or you can use the multivariant capabilities in Windows provisioning. If you are using the **Region** attribute, you must use a two-letter country code to specify the country/region that the append group(s) apply to. To specify more than one country/region, use a pipe ("|") delimiter as shown in the following example: +You can also assign regions to the append groups in the **RequiredStartGroups** tag's using the optional **Region** attribute or you can use the multivariant capabilities in Windows provisioning. If you're using the **Region** attribute, you must use a two-letter country code to specify the country/region that the append group(s) apply to. To specify more than one country/region, use a pipe ("|") delimiter as shown in the following example: ```XML [!NOTE] >In Start layouts for Windows 10, version 1703, you should use **DesktopApplicationID** rather than **DesktopApplicationLinkPath** if you are using Group Policy or MDM to apply the start layout and the application was installed after the user's first sign-in. 
@@ -210,7 +210,7 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap
 If you are pointing to a third-party Windows desktop application and the layout is being applied before the first boot, you must put the .lnk file in a legacy Start Menu directory before first boot; for example, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\" or the all users profile "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\".
-- By using the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option.
+- Use the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option.
 You can use the [Get-StartApps cmdlet](/powershell/module/startlayout/get-startapps) on a PC that has the application pinned to Start to obtain the app ID.
@@ -230,7 +230,7 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap You can also use the **start:DesktopApplicationTile** tag as one of the methods for pinning a Web link to Start. The other method is to use a Microsoft Edge secondary tile. -To pin a legacy .url shortcut to Start, you must create .url file (right-click on the desktop, select **New** > **Shortcut**, and then type a Web URL). You must add this .url file in a legacy Start Menu directory before first boot; for example, `%APPDATA%\Microsoft\Windows\Start Menu\Programs\` or the all users profile `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\`. +To pin a legacy `.url` shortcut to Start, you must create a `.url` file (right-click on the desktop, select **New** > **Shortcut**, and then type a Web URL). You must add this `.url` file in a legacy Start Menu directory before first boot; for example, `%APPDATA%\Microsoft\Windows\Start Menu\Programs\` or the all users profile `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\`. The following example shows how to create a tile of the Web site's URL, which you can treat similarly to a Windows desktop application tile: @@ -248,7 +248,7 @@ The following example shows how to create a tile of the Web site's URL, which yo #### start:SecondaryTile -You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require any additional action compared to the method of using legacy .url shortcuts (through the start:DesktopApplicationTile tag). +You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require any additional action compared to the method of using legacy `.url` shortcuts (through the start:DesktopApplicationTile tag). The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile: 
@@ -444,7 +444,7 @@ The following sample LayoutModification.xml shows how you can configure the Star The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see [Create a provisioning package with multivariant settings](./provisioning-packages/provisioning-multivariant.md). -The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provsioning engine will always output "LayoutCustomization.xml" so that the operating system has a consistent file name to query against. +The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provisioning engine will always output "LayoutCustomization.xml" so that the operating system has a consistent file name to query against. For example, if you want to ensure that there's a specific layout for a certain condition, you can: 1. Create a specific layout customization file and then name it LayoutCustomization1.xml. 
@@ -511,7 +511,7 @@ You must repeat this process for all variants that you want to support so that e Once you have created your LayoutModification.xml file to customize devices that will run Windows 10 for desktop editions, you can use Windows ICD methods to add the XML file to the device. -1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** and then click the **StartLayout** setting. +1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** > Select the **StartLayout** setting. 2. In the middle pane, click **Browse** to open File Explorer. 3. In the File Explorer window, navigate to the location where you saved your LayoutModification.xml file. 4. Select the file and then click **Open**. @@ -524,16 +524,6 @@ This should set the value of **StartLayout**. The setting appears in the **Selec Once you have created the LayoutModification.xml file and it is present in the device, the system overrides the base default layout and any Unattend settings used to customize Start. - - - - - - - - - - ## Related topics - [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) 
@@ -542,9 +532,5 @@ Once you have created the LayoutModification.xml file and it is present in the d - [Add image for secondary tiles](start-secondary-tiles.md) - [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) -- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) -- [Start layout XML for mobile editions of Windows 10 (reference)](mobile-devices/start-layout-xml-mobile.md) - - - diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index 351f09ce8e..4fd1194b2e 100644 --- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md @@ -1,6 +1,6 @@ --- title: Add image for secondary Microsoft Edge tiles (Windows 10) -description: +description: Add app tiles on Windows 10 that's a secondary tile. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -18,7 +18,6 @@ manager: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile App tiles are the Start screen tiles that represent and launch an app. A tile that allows a user to go to a specific location in an app is a *secondary tile*. Some examples of secondary tiles include: 
@@ -43,7 +42,7 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE **Example of secondary tiles in XML generated by Export-StartLayout** -``` +```xml .xml ``` + In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml). - Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet does not append the file name extension, and the policy settings require the extension. - + Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet does not append the file name extension, and the policy settings require the extension. + 3. If you’d like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references. - For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"` - - Open `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\21581260870\` and replace those images with your customized images. - + - Open `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\21581260870\` and replace those images with your customized images. + 4. In Windows PowerShell, enter the following command: - ``` + ```powershell Export-StartLayoutEdgeAssets assets.xml ``` 
@@ -91,22 +91,38 @@ You can apply the customized Start layout with images for secondary tiles by usi In Microsoft Intune, you create a device restrictions policy to apply to device group. For other MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`. +1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Select **Devices** > **Configuration profiles** > **Create profile**. +3. Enter the following properties: -1. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. -2. Select **Device configuration**. -3. Select **Profiles**. -4. Select **Create profile**. -5. Enter a friendly name for the profile. -6. Select **Windows 10 and later** for the platform. -7. Select **Device restrictions** for the profile type. -8. Select **Start**. -9. In **Start menu layout**, browse to and select your Start layout XML file. -9. In **Pin websites to tiles in Start menu**, browse to and select your assets XML file. -10. Select **OK** twice, and then select **Create**. -11. [Assign the profile to a group](/intune/device-profile-assign). + - **Platform**: Select **Windows 10 and later**. + - **Profile**: Select **Templates** > **Device restrictions**. ->[!NOTE] ->The device restrictions in Microsoft Intune include [other Start settings](/intune/device-restrictions-windows-10#start) that you can also configure in your profile. +4. Select **Create**. +5. In **Basics**, enter the following properties: + + - **Name**: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. + - **Description**: Enter a description for the policy. This setting is optional, but recommended. + +6. Select **Next**. + +7. 
In **Configuration settings**, select **Start**. Configure the following properties: + + - **Start menu layout**: Browse to, and select your Start layout XML file. + - **Pin websites to tiles in Start menu**: Browse to, and select your assets XML file. + + There are more Start menu settings you can configure. For more information on these settings, see [Start settings in Intune](/intune/device-restrictions-windows-10#start) + +8. Select **Next**. +9. In **Scope tags** (optional), assign a tag to filter the profile to specific IT groups, such as `US-NC IT Team` or `JohnGlenn_ITDepartment`. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags). + + Select **Next**. + +10. In **Assignments**, select the users or groups that will receive your profile. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign). + + Select **Next**. + +11. In **Review + create**, review your settings. When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list. ### Using a provisioning package @@ -199,7 +215,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 26. Double-click the ppkg file and allow it to install. - ## Related topics +## Related articles - [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) - [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) 
@@ -207,7 +223,6 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L - [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) - [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) -- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) - diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index 1f02d08053..000617ec7e 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/stop-employees-from-using-microsoft-store.md @@ -21,7 +21,6 @@ ms.date: 4/16/2018 **Applies to** - Windows 10 -- Windows 10 Mobile >For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). 
@@ -36,7 +35,7 @@ You can use these tools to configure access to Microsoft Store: AppLocker or Gro
 ## Block Microsoft Store using AppLocker
-Applies to: Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile
+Applies to: Windows 10 Enterprise, Windows 10 Education
 AppLocker provides policy-based access control management for applications. You can block access to Microsoft Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Microsoft Store app as the packaged app that you want to block from client computers.
@@ -100,23 +99,9 @@ You can also use Group Policy to manage access to Microsoft Store. > [!Important] > Enabling **Turn off the Store application** policy turns off app updates from Microsoft Store. -## Block Microsoft Store on Windows 10 Mobile - - -Applies to: Windows 10 Mobile - -If you have mobile devices in your organization that you upgraded from earlier versions of Windows Phone 8 to Windows 10 Mobile, existing policies created using the Windows Phone 8.1 CSPs with your MDM tool will continue to work on Windows 10 Mobile. If you are starting with Windows 10 Mobile, we recommend using [AppLocker](#block-store-applocker) to manage access to Microsoft Store app. - -When your MDM tool supports Microsoft Store for Business, the MDM can use these CSPs to block Microsoft Store app: - -- [Policy](/windows/client-management/mdm/policy-configuration-service-provider) - -- [EnterpriseAssignedAccess](/windows/client-management/mdm/enterpriseassignedaccess-csp) (Windows 10 Mobile, only) - -For more information, see [Configure an MDM provider](/microsoft-store/configure-mdm-provider-windows-store-for-business). - ## Show private store only using Group Policy -Applies to Windows 10 Enterprise, version 1607, Windows 10 Education + +Applies to Windows 10 Enterprise, Windows 10 Education If you're using Microsoft Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store. diff --git a/windows/configuration/supported-csp-start-menu-layout-windows.md b/windows/configuration/supported-csp-start-menu-layout-windows.md index d26c7b384d..3c2d63c994 100644 --- a/windows/configuration/supported-csp-start-menu-layout-windows.md +++ b/windows/configuration/supported-csp-start-menu-layout-windows.md 
@@ -10,7 +10,6 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile author: MandiOhlinger -ms.date: 09/13/2021 ms.localizationpriority: medium --- @@ -57,6 +56,17 @@ For information on customizing the Start menu layout using policy, see [Customiz ## Existing CSP policies that Windows 11 doesn't support - [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout` + - [Start/HideRecentlyAddedApps](/windows/client-management/mdm/policy-csp-start#start-hiderecentlyaddedapps) + - Group policy: `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove "Recently added" list from Start Menu` + - [Start/HideAppList](/windows/client-management/mdm/policy-csp-start#start-hideapplist) + - Group policy: + - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove All Programs list from the Start menu` + - `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove All Programs list from the Start menu` + - [Start/DisableContextMenus](/windows/client-management/mdm/policy-csp-start#start-disablecontextmenus) + - Group policy: + - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Disable context menus in the Start Menu` + - `User Configuration\Administrative Templates\Start Menu and Taskbar\Disable context menus in the Start Menu` diff --git a/windows/configuration/supported-csp-taskbar-windows.md b/windows/configuration/supported-csp-taskbar-windows.md new file mode 100644 index 0000000000..1605544834 --- /dev/null +++ b/windows/configuration/supported-csp-taskbar-windows.md 
@@ -0,0 +1,71 @@ +--- +title: Supported CSP policies to customize the Taskbar on Windows 11 | Microsoft Docs +description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Taskbar. +ms.assetid: +manager: dougeby +ms.author: mandia +ms.reviewer: chataylo +ms.prod: w11 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mobile +author: MandiOhlinger +ms.localizationpriority: medium +--- + +# Supported configuration service provider (CSP) policies for Windows 11 taskbar + +**Applies to**: + +- Windows 11 + +The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Endpoint Manager](/mem/endpoint-manager-overview). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices. + +This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices. Windows 11 uses the [Policy CSP - Start](/windows/client-management/mdm/policy-csp-start). + +For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference). 
+ +## Existing CSP policies that Windows 11 taskbar supports + +- [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents` + - Local setting: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar + +- [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#start-nopinningtotaskbar) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not allow pinning programs to the Taskbar` + - Local setting: None + +- [Experience/ConfigureChatIcon](/windows/client-management/mdm/policy-csp-experience#experience-configurechaticonvisibilityonthetaskbar) + - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Chat` + - Local setting: Settings > Personalization > Taskbar > Chat + +## Existing CSP policies that Windows 11 doesn't support + +The following list includes some of the CSP policies that aren't supported on Windows 11: + +- [TaskbarLockAll CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarlockall) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Lock all taskbar settings` + +- [TaskbarNoAddRemoveToolbar CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoaddremovetoolbar) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from adding or removing toolbars` + +- [TaskbarNoDragToolbar CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnodragtoolbar) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from rearranging toolbars` + +- [TaskbarNoRedock CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoredock) + - 
Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from moving taskbar to another screen dock location` + +- [TaskbarNoResize CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoresize) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from resizing the taskbar` + +- [NoToolbarsOnTaskbar CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-notoolbarsontaskbar) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not display any custom toolbars in the taskbar` + +- [NoTaskGrouping CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-notaskgrouping) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent grouping of taskbar items` + +- [HidePeopleBar CSP](/windows/client-management/mdm/policy-csp-start#start-hidepeoplebar) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the People Bar from the taskbar` + +- [QuickLaunchEnabled CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-quicklaunchenabled) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Show QuickLaunch on Taskbar` diff --git a/windows/configuration/wcd/wcd-accountmanagement.md b/windows/configuration/wcd/wcd-accountmanagement.md index 3ac49ccd7e..8d4bfbfc06 100644 --- a/windows/configuration/wcd/wcd-accountmanagement.md +++ b/windows/configuration/wcd/wcd-accountmanagement.md 
@@ -19,13 +19,13 @@ Use these settings to configure the Account Manager service. ## Applies to -| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [DeletionPolicy](#deletionpolicy) | | | | X | | -| [EnableProfileManager](#enableprofilemanager) | | | | X | | -| [ProfileInactivityThreshold](#profileinactivitythreshold) | | | | X | | -| [StorageCapacityStartDeletion](#storagecapacitystartdeletion) | | | | X | | -| [StorageCapacityStopDeletion](#storagecapacitystopdeletion) | | | | X | | +| Settings | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [DeletionPolicy](#deletionpolicy) | | | ✔️ | | +| [EnableProfileManager](#enableprofilemanager) | | | ✔️ | | +| [ProfileInactivityThreshold](#profileinactivitythreshold) | | | ✔️ | | +| [StorageCapacityStartDeletion](#storagecapacitystartdeletion) | | | ✔️ | | +| [StorageCapacityStopDeletion](#storagecapacitystopdeletion) | | | ✔️ | | >[!NOTE] >Although the AccountManagement settings are available in advanced provisioning for other editions, you should only use them for HoloLens devices. diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md index 2e172a122e..a6462788e1 100644 --- a/windows/configuration/wcd/wcd-accounts.md +++ b/windows/configuration/wcd/wcd-accounts.md 
@@ -19,19 +19,18 @@ Use these settings to join a device to an Active Directory domain or an Azure Ac ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [Azure](#azure) | X | X | X | X | | -| [ComputerAccount](#computeraccount) | X | | X | | X | -| [Users](#users) | X | | X | X | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [Azure](#azure) | ✔️ | ✔️ | ✔️ | | +| [ComputerAccount](#computeraccount) | ✔️ | ✔️ | | ✔️ | +| [Users](#users) | ✔️ | ✔️ | ✔️ | | ## Azure -The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Directory (Azure AD) enrollment can only be configured using one of the provisioning wizards. After you get a bulk token for Azure AD enrollment in a wizard, you can switch to the advanced editor to configure additional provisioning settings. For information about using the wizards, see: +The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Directory (Azure AD) enrollment can only be configured using one of the provisioning wizards. After you get a bulk token for Azure AD enrollment in a wizard, you can switch to the advanced editor to configure more provisioning settings. For information about using the wizards, see: - [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md) -- [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) ## ComputerAccount 
@@ -43,11 +42,11 @@ Specifies the settings you can configure when joining a device to a domain, incl | Setting | Value | Description | | --- | --- | --- | -| Account | string | Account to use to join computer to domain | +| Account | String | Account to use to join computer to domain | | AccountOU | Enter the full path for the organizational unit. For example: OU=testOU,DC=domain,DC=Domain,DC=com. | Name of organizational unit for the computer account | -| ComputerName | On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts**. | Specifies the name of the Windows device (computer name on PCs) | -| DomainName | string (cannot be empty) | Specify the name of the domain that the device will join | -| Password | string (cannot be empty) | Corresponds to the password of the user account that's authorized to join the computer account to the domain. | +| ComputerName | On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. 
If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit doesn't count the length of the macros, including `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10 version 1709 and earlier releases, use the **ComputerName** setting under **Accounts**. | Specifies the name of the Windows device (computer name on PCs) | +| DomainName | String (cannot be empty) | Specify the name of the domain that the device will join | +| Password | String (cannot be empty) | Corresponds to the password of the user account that's authorized to join the computer account to the domain. | ## Users @@ -55,7 +54,7 @@ Use these settings to add local user accounts to the device. | Setting | Value | Description | | --- | --- | --- | -| UserName | string (cannot be empty) | Specify a name for the local user account | -| HomeDir | string (cannot be empty) | Specify the path of the home directory for the user | -| Password | string (cannot be empty) | Specify the password for the user account | -| UserGroup | string (cannot be empty) | Specify the local user group for the user | +| UserName | String (cannot be empty) | Specify a name for the local user account | +| HomeDir | String (cannot be empty) | Specify the path of the home directory for the user | +| Password | String (cannot be empty) | Specify the password for the user account | +| UserGroup | String (cannot be empty) | Specify the local user group for the user | diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md index 9a474ff6c8..1116a54650 100644 --- a/windows/configuration/wcd/wcd-admxingestion.md +++ b/windows/configuration/wcd/wcd-admxingestion.md 
@@ -26,10 +26,10 @@ Starting in Windows 10, version 1703, you can import (*ingest*) select Group Pol ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) | X | | | | | -| [ConfigOperations](#configoperations) | X | | | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) | ✔️ | | | | +| [ConfigOperations](#configoperations) | ✔️ | | | | ## ConfigADMXInstalledPolicy diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md index a891fbcb93..36eb055038 100644 --- a/windows/configuration/wcd/wcd-assignedaccess.md +++ b/windows/configuration/wcd/wcd-assignedaccess.md @@ -19,10 +19,10 @@ Use this setting to configure single use (kiosk) devices. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [AssignedAccessSettings](#assignedaccesssettings) | X | | | X | | -| [MultiAppAssignedAccessSettings](#multiappassignedaccesssettings) | X | | | X | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [AssignedAccessSettings](#assignedaccesssettings) | ✔️ | | ✔️ | | +| [MultiAppAssignedAccessSettings](#multiappassignedaccesssettings) | ✔️ | | ✔️ | | ## AssignedAccessSettings @@ -31,9 +31,7 @@ Enter the account and the application you want to use for Assigned access, using **Example**: -``` -{"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"} -``` +`{"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}` ## MultiAppAssignedAccessSettings 
diff --git a/windows/configuration/wcd/wcd-automatictime.md b/windows/configuration/wcd/wcd-automatictime.md
deleted file mode 100644
index 53200de533..0000000000
--- a/windows/configuration/wcd/wcd-automatictime.md
+++ /dev/null
@@ -1,76 +0,0 @@ ---- -title: AutomaticTime (Windows 10) -description: This section describes the AutomaticTime settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.topic: article -ms.date: 04/30/2018 -ms.reviewer: -manager: dansimp ---- - -# AutomaticTime (Windows Configuration Designer reference) - -Use these settings to configure automatic time updates. Mobile devices primarily rely on Network Identify and Time zone (NITZ), which is provided by the mobile operator, to automatically update the time on the device. When NITZ is available from the cellular network, there are no issues maintaining accurate time in devices. However, for devices that do not have a SIM or have had the SIM removed for some time, or for devices that have a SIM but NITZ is not supported, the device may run into issues maintaining accurate time on the device. - -The OS includes support for Network Time Protocol (NTP), which enables devices to receive time when NITZ is not supported or when cellular data is not available. NTP gets the time by querying a server at a specified time interval. NTP is based on Coordinated Universal Time (UTC) and doesn't support time zone or daylight saving time so users will need to manually update the time zone after an update from NTP if users move between time zones. 
- -## Applies to - -| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [EnableAutomaticTime](#enableautomatictime) | | X | | | | -| [NetworkTimeUpdateThreshold](#networktimeupdatethreshold) | | X | | | | -| [NTPEnabled](#ntpenabled) | | X | | | | -| [NTPRegularSyncInterval](#ntpregularsyncinterval) | | X | | | | -| [NTPRetryInterval](#ntpretryinterval) | | X | | | | -| [NTPServer](#ntpserver) | | X | | | | -| [PreferredSlot](#preferredslot) | | X | | | | - -## EnableAutomaticTime - -Set to **True** to enable automatic time and to **False** to disable automatic time. - -## NetworkTimeUpdateThreshold - -Specify the difference (in number of seconds) between the NITZ information and the current device time before a device time update is triggered. - -## NTPEnabled - -Set to **True** to enable the NTP client and to **False** to disable the NTP client. - -## NTPRegularSyncInterval - -Set the regular sync interval for phones that are set to use Network Time Protocol (NTP) time servers. Select a value between `1` and `168` hours, inclusive, The default sync interval is `12` hours. - - -## NTPRetryInterval - -Set the retry interval if the regular sync fails. Select a value between `1` and `24` hours, inclusive. - -## NTPServer - -Change the default NTP server for phones that are set to use NTP. To enumerate the NTP source server(s) used by the NTP client, set the value for NTPServer to a list of server names, delimited by semi-colons. - -**Example**: - -``` -ntpserver1.contoso.com;ntpserver2.fabrikam.com;ntpserver3.contoso.com -``` - -The list should contain one or more server names. The default NTP source server value is `time.windows.com`. - - - - - -## PreferredSlot - -Specify which UICC slot will be preferred for NITZ handling on a C+G dual SIM phone. - -- Set to `0` to use the UICC in Slot 0 for NITZ handling. -- Set to '1' to use the UICC in Slot 1 for NITZ handling. 
diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md index d7e8ff6e10..3b57376dae 100644 --- a/windows/configuration/wcd/wcd-browser.md +++ b/windows/configuration/wcd/wcd-browser.md @@ -19,13 +19,13 @@ Use to configure browser settings that should only be set by OEMs who are part o ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [AllowPrelaunch](#allowprelaunch) | | | X | | | -| [FavoriteBarItems](#favoritebaritems) | X | | | | | -| [Favorites](#favorites) | | X | | | | -| [PartnerSearchCode](#partnersearchcode) | X | X | X | | | -| [SearchProviders](#searchproviders) | | X | | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [AllowPrelaunch](#allowprelaunch) | | ✔️ | | | +| [FavoriteBarItems](#favoritebaritems) | ✔️ | | | | +| [Favorites](#favorites) | | | | | +| [PartnerSearchCode](#partnersearchcode) | ✔️ | ✔️ | | | +| [SearchProviders](#searchproviders) | | | | | ## AllowPrelaunch @@ -76,9 +76,6 @@ OEMs who are part of the program only have one PartnerSearchCode and this should Contains the settings you can use to configure the default and additional search providers. -Microsoft Bing is the default search provider for Windows 10 Mobile. The default search provider must be set to Bing, except for devices shipping to certain countries where a different default search provider is required as specified in the [Specific region guidance](#specific-region-guidance) section of [Default](#default). - - ### Default Use *Default* to specify a name that matches one of the search providers you enter in [SearchProviderList](#searchproviderlist). If you don't specify a default search provider, this will default to Microsoft Bing. 
@@ -104,8 +101,3 @@ For example, to specify Yandex in Russia and Commonwealth of Independent States When configured with multiple search providers, the browser can display up to ten search providers. ->[!IMPORTANT] ->Microsoft Bing is the default search provider for Windows 10 Mobile. The default search provider must be set to Bing, except for devices shipping to certain countries where a different default search provider is required as specified in the [Specific region guidance](#specific-region-guidance) section of [Default](#default). - - - diff --git a/windows/configuration/wcd/wcd-callandmessagingenhancement.md b/windows/configuration/wcd/wcd-callandmessagingenhancement.md deleted file mode 100644 index d841991b53..0000000000 --- a/windows/configuration/wcd/wcd-callandmessagingenhancement.md +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -title: CallAndMessageEnhancement (Windows 10) -description: This section describes the CallAndMessagingEnhancement settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.topic: article -ms.date: 09/21/2017 -ms.reviewer: -manager: dansimp ---- - -# CallAndMessagingEnhancement (Windows Configuration Designer reference) - -Use to configure call origin and blocking apps. - ->[!IMPORTANT] ->These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise. - -## Applies to - -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [BlockingApp](#blockingapp) | | X | | | | -| [CallOriginApp](#calloriginapp) | | X | | | | - -## BlockingApp - -| Setting | Value | Description | -| --- | --- | --- | -| ActiveBlockingAppUserModelId | AUMID | The AUMID of the application that will be set as the active blocking app by default. | -| DefaultBlockingAppUserModelId | AUMID | The AUMID of the application that the OS will select as the active blocking app if the user uninstalls the current active blocking app. This app should be uninstallable. | - -## CallOriginApp - -| Setting | Value | Description | -| --- | --- | --- | -| ActiveCallOriginAppUserModelId | AUMID | The AUMID of the application to be set as the active call origin provider app by default. | -| DefaultCallOriginAppUserModelId | AUMID | The AUMID of the application that the OS will select as the active call origin provider app if the user uninstalls the current active call origin app. This app should be uninstallable. | 
diff --git a/windows/configuration/wcd/wcd-calling.md b/windows/configuration/wcd/wcd-calling.md
deleted file mode 100644
index d346a04e2c..0000000000
--- a/windows/configuration/wcd/wcd-calling.md
+++ /dev/null
@@ -1,218 +0,0 @@ ---- -title: Calling (Windows 10) -description: This section describes the Calling settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.topic: article -ms.date: 04/30/2018 -ms.reviewer: -manager: dansimp ---- - -# Calling (Windows Configuration Designer reference) - -Use to configure settings for Calling. - ->[!IMPORTANT] ->These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise. - -## Applies to - -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | X | | | | - - -## Branding - -See [Branding for phone calls](/windows-hardware/customize/mobile/mcsf/branding-for-phone-calls). - -## CallIDMatchOverrides - -Enter a GEOID, select **Add**, and then enter the number of digits for matching caller ID. - -For a list of GEOID codes and default number of digits for each country/region, see [Overriding the OS default minimu number of digits for caller ID matching](/windows-hardware/customize/mobile/mcsf/caller-id-matching#a-href-idoverriding-os-default-min-number-digitsaoverriding-the-os-default-minimum-number-of-digits-for-caller-id-matching). - -## CauseCodeRegistrationTable - -See [Cause codes](/windows-hardware/customize/mobile/mcsf/cause-codes). - - -## CDMAHeuristics - -CDMA Heuristics (on by default) makes CDMA calling more user-friendly by exposing an interface that supports multiple calls with call waiting, swapping, and three-way calling. 
- -For **CDMAPriorityCallPrefix**, enter a custom call prefix that would allow the user to override an ongoing call with a remote party mostly used in emergency services and law enforcement. - -Set **DisableCdmaHeuristics** to **True** to disable the built-in heuristics. - - -## PartnerAppSupport - -See [Dialer codes to launch diagnostic applications](/windows-hardware/customize/mobile/mcsf/dialer-codes-to-launch-diagnostic-applications). - -## PerSimSettings - -Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, select **Add**, and then configure the following settings. - -### Critical - -Setting | Description ---- | --- -MOSimFallbackVoicemailNumber | Partners who do not have the voicemail numbers on the device SIM can configure the voicemail number for their devices. If the voicemail number is not on the SIM and the registry key is not set, the default voicemail will not be set and the user will need to set the number. Set MOSimFallbackVoicemailNumber to the voicemail number that you want to use for the phone. -SimOverrideVoicemailNumber | Mobile operators can override the voicemail number on the UICC with a different voicemail number that is configured in the registry. Set SimOverrideVoicemailNumber to a string that contains the digits of the voicemail number to use instead of the voicemail number on the UICC. - - -### General - -Setting | Description ---- | --- -AllowMixedAudioVideoConferencing | Set as **True** to enable audio and video calls in the same conference. -AllowVideoConferencing | Set as **True** to enable the ability to conference video calls. -AutoDismissUssedWaitingDialog | Set as **True** to enable automatic dismissal of "Waiting" dialog on USSD session termination. -CallerIdBlockingPrefixList | Enter a list of prefixes which will not see the caller ID. Use a semicolon (;) as a delimiter. 
-DefaultCallerIdSetting | Configure the default setting for caller ID. Select between `No one`, `Only contacts`, `Every one`, and `Network default`. If set to `Network default`, set `ShowCallerIdNetworkDefaultSetting` to **True**. -DefaultEnableVideoCalling | Set as **True** to enable LTE video calling as the default setting. -DefaultEnableVideoCapability | Set as **True** to enable LTE video capability sharing as the default setting. -EnableSupplementaryServiceEraseToDeactivateOverride | Enables conversion of supplementary service erase commands to deactivate commands. -IgnoreCallerIdBlockingPrefix | DO NOT USE -IgnoreMWINotifications | Set as **True** to configure the voicemail system so the phone ignores message waiting indicator (MWI) notifications. -IgnoreProhibitedDialingPrefix | Ignore prohibited dialing prefix. An OEM/MO can specify a certain set of strings by region that when dialed will block a user's caller ID from being displayed on the device receiving the call. The list is separated by semicolon. This setting does not apply beyond Windows 10, version 1709. -IgnoreUssdExclusions | Set as **True** to ignore Unstructured Supplementary Service Data (USSD) exclusions. -ProhibitedDialingPrefixList | A semicolon delimited list of previxes that are prohibited from being dialed. -ResetCallForwarding | When set to **True**, user is provided with an option to retry call forwarding settings query. -ShowCallerIdNetworkDefaultSetting | Indicates whether the network default setting can be allowed for outgoing caller ID. -ShowVideoCallingSwitch | Use to specify whether to show the video capability sharing switch on the mobile device's Settings screen. -ShowVideoCapabilitySwitch | Configure the phone settings to show the video capability sharing switch. -SupressVideoCallingChargesDialog | Configure the phone settings CPL to suppress the video calling charges dialog. 
-UssdExclusionList | List used to exclude predefined USSD entries, allowing the number to be sent as standard DTMF tones instead. Set UssdExclusionList to the list of desired exclusions, separated by semicolons. For example, setting the value to 66;330 will override 66 and 330. Leading zeros are specified by using F. For example, to override code 079, set the value to F79. If you set UssdExclusionList, you must set IgnoreUssdExclusions as well. Otherwise, the list will be ignored. See [List of USSD codes](#list-of-ussd-codes) for values. -WiFiCallingOperatorName | Enter the operator name to be shown when the phone is using WiFi calling. If you don't set a value for WiFiCallingOperatorName, the device will always display **SIMServiceProviderName Wi-Fi**, where *SIMServiceProviderName* is a string that corresponds to the SPN for the SIM on the device. If the service provider name in the SIM is not set, only **Wi-Fi** will be displayed. - -### HDAudio - -To customize call progress branding when a call is made using a specific audio codec, select the audio codec from the dropdown menu and select **Add**. Select the codec in **Available Customizations** and then enter a text string (up to 10 characters) to be used for call progress branding for calls using that codec. For more information, see [Use HD audio codec for call branding](/windows-hardware/customize/mobile/mcsf/use-hd-audio-codec-for-call-branding). - -### IMSSubscriptionUpdate - -These are Verizon/Sprint-only settings to allow the operator to send an OMA-DM update to the device with the given alert characteristics, which are defined between the mobile operator and OEM, which in turn will inform the device to turn on or off IMS. - -### RoamingNumberOverrides - -See [Dial string overrides when roaming](/windows-hardware/customize/mobile/mcsf/dial-string-overrides-when-roaming). 
- -## PhoneSettings - -Setting | Description ---- | --- -AdjustCDMACallTime | Change the calculation of CDMA call duration to exclude the time before the call connects. -AssistedDialSetting | Turn off the international assist feature that helps users with the country codes needed for dialing international phone numbers. -CallIDMatch | Sets the number of digits that the OS will try to match against contacts for Caller ID. For any country/region that doesn't exist in the default mapping table, mobile operators can use this legacy CallIDMatch setting to specify the minimum number of digits to use for matching caller ID. -CallRecordingOff | Indicates if call recording is turned off. Users will not see the call recording functionality when this is set to **True**. -ConferenceCallMaximumPartyCount | Enter a number to limit the number of parties that can participate in a conference call. -ContinuousDTMFEnabled | Enable DTMF tone duration for as long as the user presses a dialpad key. -DisableVideoUpgradeStoreNavigation | If there are no compatible video upgrade apps installed, tapping the video upgrade button will launch a dialog that will navigate to the Microsoft Store. If this option is enabled, it will show a dialog that informs the user that no video app is installed, but it will not navigate to the Microsoft Store. -DisableVoicemailPhoneNumberDisplay | Disable the display of the voicemail phone number below the Voicemail label in call progress dialog. -DisplayNoDataMessageDuringCall | Display a message to the user indicating that there is no Internet connectivity during a phone call. -DisplayNumberAsDialed | Display the outgoing number "as dialed" rather than "as connected". -EnableVideoCalling | Set to **True** to enable video calling. -HideCallForwarding | Partners can hide the user option to turn on call forwarding. By default, users can decide whether to turn on call forwarding. Partners can hide this user option so that call forwarding is permanently disabled. 
-HideSIMSecurityUI | Hide the SIM Security panel from phone Settings. -LowVideoQualityTimeout | Configure the phone timer to automatically drop video when the quality is low, in milliseconds. -MinTimeBetweenCallSwaps | Configure how often the user can swap between two active phone calls, in milliseconds. -PromptVideoCallingCharges | Prompt user for charges associated with video calls. -ShowLongTones | Partners can make a user option visible that makes it possible to toggle between short and long DTMF tones, instead of the default continuous tones. By default, the phone supports Dual-Tone Multi-frequency (DTMF) with continuous tones. Partners can make a user option visible that makes it possible to toggle between short and long tones instead. -UseOKForUssdDialogs | OEMs can change the button label in USSD dialogs from **Close** (the default) to **OK**. -UseVoiceDomainForEmergencyCallBranding | Use voice domain to decide whether to use **Emergency calls only** or **No service** in branding. -VideoCallingChargesMessage | Enter text for the message informing the user about the charges associated with video calls. -VideoCallingChargesTitle | Enter text for the title of the dialog informing the user about the charges associated with video calls. -VideoCallingDescription | Enter text to describe the video calling feature. -VideoCallingLabel | Enter text to describe the video calling toggle. -VideoCapabilityDescription | Enter text to describe the video capability feature. -VideoCapabilityLabel | Enter text to describe the video capability toggle. -VideoTransitionTimeout | Enter the time in milliseconds to check how long the video transition state will remain until the remote party responds. The minimum value is 10000 and the maximum value is 30000. -VoLTEAudioQualityString | Partners can add a string to the call progress screen to indicate if the active call is a high quality voice over LTE (VoLTE). 
Set the value of VoLTEAudioQualityString to the string that you want to display in the call progress screen to indicate that the call is a VoLTE call. This string is combined with the PLMN so if the string is "VoLTE", the resulting string is "PLMN_String VoLTE". For example, the string displayed in the call progress screen can be "Litware VoLTE" if the PLMN_String is "Litware". The value you specify for VoLTEAudioQualityString must exceed 10 characters. - - -## PhoneShellUI - -Setting | Description ---- | --- -EnableSoftwareProximitySensorMitigation | Enable software proximity sensor mitigation. - -## PhoneSmsFilter - -Setting | Description ---- | --- -AppId | Enter the app ID for your phone call/SMS filter application. - -## SupplementaryServiceCodeOverrides - -See [Dialer codes for supplementary services](/windows-hardware/customize/mobile/mcsf/dialer-codes-for-supplementary-services). - -## VoicemailRegistrationTable - -Configure these settings to customize visual voicemail in the Windows 10 Mobile UI. For settings and values, see [Visual voicemail](/windows-hardware/customize/mobile/mcsf/visual-voicemail). 
- - -## List of USSD codes - - -Codes | Description | DWORD Value ---- | --- | --- -04 | CHANGEPIN | 000000F4 -042 | CHANGEPIN2 | 00000F42 -05 | UNBLOCKPIN | 000000F5 -052 | UNBLOCKPIN2 | 00000F52 -03 | SSCHANGEPASSWORD | 000000F3 -75 | EMLPPBASE | 00000075 -750 | EMLPPLEVEL0 | 00000750 -751 | EMLPPLEVEL1 | 00000751 -752 | EMLPPLEVEL2 | 00000752 -753 | EMLPPLEVEL3 | 00000753 -754 | EMLPPLEVEL4 | 00000754 -66 | CALLDEFLECT | 00000066 -30 | CALLIDCLIP | 00000030 -31 | CALLIDCLIR | 00000031 -76 | CALLIDCOLP | 00000076 -77 | CALLIDCOLR | 00000077 -21 | FWDUNCONDITIONAL | 00000021 -67 | FWDBUSY | 00000067 -61 | FWDNOREPLY | 00000061 -62 | FWDNOTREACHABLE | 00000062 -002 | FWDALL | 00000FF2 -004 | FWDALLCONDITIONAL | 00000FF4 -43 | CALLWAITING | 00000043 -360 | UUSALL | 00000360 -361 | UUSSERVICE1 | 00000361 -362 | UUSSERVICE2 | 00000362 -363 | UUSSERVICE3 | 00000363 -33 | BARROUT | 00000033 -331 | BARROUTINTL | 00000331 -332 | BARROUTINTLEXTOHOME | 00000332 -35 | BARRIN | 00000035 -351 | BARRINROAM | 00000351 -330 | BARRALL | 00000330 -333 | BARRALLOUT | 00000333 -353 | BARRALLIN | 00000353 -354 | BARRINCOMINGINTERMEDIATE | 00000354 -96 | CALLTRANSFER | 00000096 -37 | CALLCOMPLETEBUSY | 00000037 -070 | PNP0 | 00000F70 -071 | PNP1 | 00000F71 -072 | PNP2 | 00000F72 -073 | PNP3 | 00000F73 -074 | PNP4 | 00000F74 -075 | PNP5 | 00000F75 -076 | PNP6 | 00000F76 -077 | PNP7 | 00000F77 -078 | PNP8 | 00000F78 -079 | PNP9 | 00000F79 -300 | CALLCNAP | 00000300 -591 | MSP1 | 00000591 -592 | MSP2 | 00000592 -593 | MSP3 | 00000593 -594 | MSP4 | 00000594 diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md index de0d3359b2..56d5c63695 100644 --- a/windows/configuration/wcd/wcd-cellcore.md +++ b/windows/configuration/wcd/wcd-cellcore.md 
@@ -24,26 +24,26 @@ Use to configure settings for cellular data. ## Applies to - Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core - --- | :---: | :---: | :---: | :---: | :---: - PerDevice: [CellConfigurations](#cellconfigurations) | | X | | | | - PerDevice: [CellData](#celldata) | X | X | X | | - PerDevice: [CellUX](#cellux) | X | X | X | | - PerDevice: [CGDual](#cgdual) | | X | | | - PerDevice: [eSim](#esim) | X | X | X | | - PerDevice: [External](#external) | | X | | | - PerDevice: [General](#general) | | X | | | - PerDevice: [RCS](#rcs) | | X | | | - PerDevice: [SMS](#sms) | X | X | X | | - PerDevice: [UIX](#uix) | | X | | | - PerDevice: [UTK](#utk) | | X | | | - PerlMSI: [CellData](#celldata2) | | X | | | - PerIMSI: [CellUX](#cellux2) | | X | | | - PerIMSI: [General](#general2) | | X | | | - PerIMSI: [RCS](#rcs2) | | X | | | - PerIMSI: [SMS](#sms2) | X | X | X | | - PerIMSI: [UTK](#utk2) | | X | | | - PerIMSI: [VoLTE](#volte) | | X | | | + Setting groups | Windows client | Surface Hub | HoloLens | IoT Core + --- | :---: | :---: | :---: | :---: + PerDevice: [CellConfigurations](#cellconfigurations) | | | | | + PerDevice: [CellData](#celldata) | ✔️ | ✔️ | | + PerDevice: [CellUX](#cellux) | ✔️ | ✔️ | | + PerDevice: [CGDual](#cgdual) | | | | + PerDevice: [eSim](#esim) | ✔️ | ✔️ | | + PerDevice: [External](#external) | | | | + PerDevice: [General](#general) | | | | + PerDevice: [RCS](#rcs) | | | | + PerDevice: [SMS](#sms) | ✔️ | ✔️ | | + PerDevice: [UIX](#uix) | | | | + PerDevice: [UTK](#utk) | | | | + PerlMSI: [CellData](#celldata2) | | | | + PerIMSI: [CellUX](#cellux2) | | | | + PerIMSI: [General](#general2) | | | | + PerIMSI: [RCS](#rcs2) | | | | + PerIMSI: [SMS](#sms2) | ✔️ | ✔️ | | + PerIMSI: [UTK](#utk2) | | | | + PerIMSI: [VoLTE](#volte) | | | | ## PerDevice 
@@ -124,7 +124,7 @@ ShowWifiCallingEmergencyCallWarning | Select **Yes** to show Wi-Fi emergency cal ShowWifiCallingError | Select **Yes** to show Wi-Fi calling error message. SlotSelectionSim1Name | Enter text for the name of SIM 1 in slot selection UI. SlotSelectionSim2Name | Enter text for the name of SIM 2 in slot selection UI. -SuppressDePersoUI | Select **Yes** to hide the perso unlock UI. +SuppressDePersoUI | Select **Yes** to hide the Perso unlock UI. ### CGDual 
@@ -228,11 +228,11 @@ UserEnabled | Select **Yes** to show the user setting if RCS is enabled on the d | SmsStoreDeleteSize | Set the number of messages that can be deleted when a "message full" indication is received from the modem. | | SprintFragmentInfoInBody | Partners can enable the messaging client to allow users to enter more than 160 characters per message. Messages longer than 160 characters are sent as multiple SMS messages that contain a tag at the beginning of the message in the form "(1/2)", where the first number represents the segment or part number and the second number represents the total number of segments or parts. Multiple messages are limited to 6 total segments. When enabled, the user cannot enter more characters after the 6 total segments limit is reached. Any message received with tags at the beginning is recombined with its corresponding segments and shown as one composite message. | | Type3GPP > ErrorHandling > ErrorType | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error type that you added as **Transient Failure** or **Permanent Failure**. | -| Type3GPP > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**. | +| Type3GPP > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error class that you added as **generic error**, **invalid recipient address**, or **network connectivity trouble**. | | Type3GPP > IMS > AttemptThresholdForIMS | Set the maximum number of tries to send SMS on IMS. | | Type3GPP > IMS > RetryEnabled | Configure whether to enable one automatic retry after failure to send over IMS. | | Type 3GPP > SmsUse16BitReferenceNumbers | Configure whether to use 8-bit or 16-bit message ID (reference number) in the UDH. 
| -| Type3GPP2 > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP2, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**. | +| Type3GPP2 > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP2, and click **Add**. Configure the error class that you added as **generic error**, **invalid recipient address**, or **network connectivity trouble**. | | Type3GPP2 > ErrorHandling > UseReservedAsPermanent | Set the 3GPP2 permanent error type. | ### UIX 
@@ -385,9 +385,9 @@ See descriptions in Windows Configuration Designer. | SmsPageLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsPageLimit to set the maximum number of segments in a concatenated SMS message. You must set the value to 255 (0xFF) or smaller. You must also use SmsFragmentLimit to set the maximum number of bytes in the body of the SMS message. | | SprintFragmentInfoInBody | Partners can enable the messaging client to allow users to enter more than 160 characters per message. Messages longer than 160 characters are sent as multiple SMS messages that contain a tag at the beginning of the message in the form "(1/2)", where the first number represents the segment or part number and the second number represents the total number of segments or parts. Multiple messages are limited to 6 total segments. When enabled, the user cannot enter more characters after the 6 total segments limit is reached. Any message received with tags at the beginning is recombined with its corresponding segments and shown as one composite message. | | Type3GPP > ErrorHandling > ErrorType | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error type that you added as **Transient Failure** or **Permanent Failure**. | -| Type3GPP > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**. | +| Type3GPP > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error class that you added as **generic error**, **invalid recipient address**, or **network connectivity trouble**. 
| | Type3GPP > IMS > SmsUse16BitReferenceNumbers | Configure whether to use 8-bit or 16-bit message ID (reference number) in the UDH. | -| Type3GPP2 > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP2, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**. | +| Type3GPP2 > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP2, and click **Add**. Configure the error class that you added as **generic error**, **invalid recipient address**, or **network connectivity trouble**. | | Type3GPP2 > ErrorHandling > UseReservedAsPermanent | Set the 3GPP2 permanent error type. | diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md index 2a3982c0d3..825f43c4c2 100644 --- a/windows/configuration/wcd/wcd-cellular.md +++ b/windows/configuration/wcd/wcd-cellular.md @@ -21,9 +21,9 @@ Use to configure settings for cellular connections. ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | X | | | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | | ## PerDevice diff --git a/windows/configuration/wcd/wcd-certificates.md b/windows/configuration/wcd/wcd-certificates.md index 79d200e65c..ca41ffe27e 100644 --- a/windows/configuration/wcd/wcd-certificates.md +++ b/windows/configuration/wcd/wcd-certificates.md 
@@ -25,9 +25,9 @@ Use to deploy Root Certificate Authority (CA) certificates to devices. The follo ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All setting groups | X | X | X | X | X | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All setting groups | ✔️ | ✔️ | ✔️ | ✔️ | ## CACertificates diff --git a/windows/configuration/wcd/wcd-cleanpc.md b/windows/configuration/wcd/wcd-cleanpc.md index 17750d5db9..32bdc154b2 100644 --- a/windows/configuration/wcd/wcd-cleanpc.md +++ b/windows/configuration/wcd/wcd-cleanpc.md @@ -19,10 +19,10 @@ Use to remove user-installed and pre-installed applications, with the option to ## Applies to -| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| CleanPCRetainingUserData | X | | | | | -| CleanPCWithoutRetainingUserData | X | | | | | +| Settings | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| CleanPCRetainingUserData | ✔️ | | | | +| CleanPCWithoutRetainingUserData | ✔️ | | | | For each setting, the options are **Enable** and **Not configured**. diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md index 807e392469..5c59173b68 100644 --- a/windows/configuration/wcd/wcd-connections.md +++ b/windows/configuration/wcd/wcd-connections.md 
@@ -19,9 +19,9 @@ Use to configure settings related to various types of phone connections. ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | X | X | X | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | ✔️ | | | For each setting group: diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md index 248a5ab250..33b7de451b 100644 --- a/windows/configuration/wcd/wcd-connectivityprofiles.md +++ b/windows/configuration/wcd/wcd-connectivityprofiles.md @@ -19,14 +19,14 @@ Use to configure profiles that a user will connect with, such as an email accoun ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [Email](#email) | X | X | X | | | -| [Exchange](#exchange) | X | X | X | | | -| [KnownAccounts](#knownaccounts) | X | X | X | | | -| [VPN](#vpn) | X | X | X | X | | -| [WiFiSense](#wifisense) | X | X | X | | | -| [WLAN](#wlan) | X | X | X | X | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [Email](#email) | ✔️ | ✔️ | | | +| [Exchange](#exchange) | ✔️ | ✔️ | | | +| [KnownAccounts](#knownaccounts) | ✔️ | ✔️ | | | +| [VPN](#vpn) | ✔️ | ✔️ | ✔️ | | +| [WiFiSense](#wifisense) | ✔️ | ✔️ | | | +| [WLAN](#wlan) | ✔️ | ✔️ | ✔️ | | ## Email 
@@ -118,8 +118,8 @@ Configure settings to change the default maximum transmission unit ([MTU](#mtu)) | --- | --- | | **ProfileType** | Choose between **Native** and **Third Party** | | AlwaysOn | Set to **True** to automatically connect the VPN at sign-in | -| ByPassForLocal | When set to **True**, requests to local resources on the same Wi-Fi neetwork as the VPN client can bypass VPN | -| DnsSuffix | Enter one or more comma-separated DNS suffixes. The first suffix listed is usedas the primary connection-specific DNS suffix for the VPN interface. The list is added to the SuffixSearchList. | +| ByPassForLocal | When set to **True**, requests to local resources on the same Wi-Fi network as the VPN client can bypass VPN | +| DnsSuffix | Enter one or more comma-separated DNS suffixes. The first suffix listed is used as the primary connection-specific DNS suffix for the VPN interface. The list is added to the SuffixSearchList. | | LockDown | When set to **True**:
                  - Profile automatically becomes an "always on" profile
                  - VPN cannot be disconnected
                  -If the profile is not connected, the user has no network connectivity
                  - No other profiles can be connected or modified | | Proxy | Configure to **Automatic** or **Manual** | | ProxyAutoConfigUrl | When **Proxy** is set to **Automatic**, enter the URL to automatically retrieve the proxy settings | @@ -135,7 +135,7 @@ AuthenticationUserMethod | When you set **NativeProtocolType** to **IKEv2**, cho EAPConfiguration | When you set **AuthenticationUserMethod** to **EAP**, enter the HTML-encoded XML to configure EAP. For more information, see [EAP configuration](/windows/client-management/mdm/eap-configuration). NativeProtocolType | Choose between **PPTP**, **L2TP**, **IKEv2**, and **Automatic**. RoutingPolicyType | Choose between **SplitTunnel**, in which traffic can go over any interface as determined by the networking stack, and **ForceTunnel**, in which all IP traffic must go over the VPN interface. -Server | Enter the public or routable IP address or DNS name for the VPN gateway. It can point to the exteranl IP of a gateway or a virtual IP for a server farm. +Server | Enter the public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. When **ProfileType** is set to **Third Party**, the following additional settings are available. 
@@ -201,4 +201,4 @@ Enter a SSID, click **Add**, and then configure the following settings for the S | ProxyServerPort | (Optional) Specify the configuration of the network proxy as **host:port**. A proxy server host and port can be specified per connection for Windows 10 for mobile devices. The host can be server name, FQDN, or SLN or IPv4 or IPv6 address. This proxy configuration is only supported in Windows 10 for mobile devices. Using this configuration in Windows 10 for desktop editions will result in failure. | | AutoConnect | (Optional) Select **True** or **false** to specify whether to automatically connect to WLAN. | | HiddenNetwork | (Optional) Select **True** or **false** to specify whether the network is hidden. | -| SecurityType | Choose between **Open**, **WEP**, and **WPA2-Personal**.

                  If you select **WEP** or **WPA2-Personal**, enter the **SecurityKey** required by the WLAN. | \ No newline at end of file +| SecurityType | Choose between **Open**, **WEP**, and **WPA2-Personal**.

                  If you select **WEP** or **WPA2-Personal**, enter the **SecurityKey** required by the WLAN. | diff --git a/windows/configuration/wcd/wcd-countryandregion.md b/windows/configuration/wcd/wcd-countryandregion.md index 3b9642b8e8..81597e49d4 100644 --- a/windows/configuration/wcd/wcd-countryandregion.md +++ b/windows/configuration/wcd/wcd-countryandregion.md @@ -19,8 +19,8 @@ Use to configure a setting that partners must customize to ship Windows devices ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| CountryCodeForExtendedCapabilityPrompts | X | X | X | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| CountryCodeForExtendedCapabilityPrompts | ✔️ | ✔️ | | | You can set the **CountryCodeForExtendedCapabilityPrompts** setting for **China** to enable additional capability prompts when apps use privacy-sensitive features (such as Contacts or Microphone). diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md index 2d6ed40d77..e18abe6ad1 100644 --- a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md +++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md @@ -19,7 +19,7 @@ Do not use. Instead, use the [Personalization settings](wcd-personalization.md). ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | X | | | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | | diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md index 6053bddbbd..eee860859f 100644 --- a/windows/configuration/wcd/wcd-developersetup.md 
+++ b/windows/configuration/wcd/wcd-developersetup.md @@ -19,22 +19,20 @@ Use to unlock developer mode on HoloLens devices and configure authentication to ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [EnableDeveloperMode](#enabledevelopermode) | | | | X | | -| [AuthenticationMode](#authenticationmode) | | | | X | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [EnableDeveloperMode](#developersetupsettings-enabledevelopermode) | | | ✔️ | | +| [AuthenticationMode](#windowsdeviceportalsettings-authentication-mode) | | | ✔️ | | - ## DeveloperSetupSettings: EnableDeveloperMode When this setting is configured as **True**, the device is unlocked for developer functionality. - ## WindowsDevicePortalSettings: Authentication Mode When AuthenticationMode is set to **Basic Auth**, enter a user name and password to enable the device to connect to and authenticate with the Windows Device Portal. ## Related topics -- [Device Portal for HoloLens](/windows/uwp/debug-test-perf/device-portal-hololens) \ No newline at end of file +- [Device Portal for HoloLens](/windows/uwp/debug-test-perf/device-portal-hololens) diff --git a/windows/configuration/wcd/wcd-deviceformfactor.md b/windows/configuration/wcd/wcd-deviceformfactor.md index 0cb8ee869d..b233406d79 100644 --- a/windows/configuration/wcd/wcd-deviceformfactor.md +++ b/windows/configuration/wcd/wcd-deviceformfactor.md 
@@ -19,9 +19,9 @@ Use to identify the form factor of the device. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| DeviceForm | X | X | X | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| DeviceForm | ✔️ | ✔️ | | | Specifies the device form factor running Windows 10. Generally, the device form is set by the original equipment manufacturer (OEM), however you might want to change the device form based on its usage in your organization. diff --git a/windows/configuration/wcd/wcd-deviceinfo.md b/windows/configuration/wcd/wcd-deviceinfo.md deleted file mode 100644 index 8f5e48d6c7..0000000000 --- a/windows/configuration/wcd/wcd-deviceinfo.md +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -title: DeviceInfo (Windows 10) -description: This section describes the DeviceInfo settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.topic: article -ms.date: 09/21/2017 -ms.reviewer: -manager: dansimp ---- - -# DeviceInfo (Windows Configuration Designer reference) - -Use to configure settings for DeviceInfo. - ->[!IMPORTANT] ->These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise. - -## Applies to - -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | X | | | | - - -## PhoneMobileOperatorDisplayName - -Enter a friendly name for the mobile operator. This string is displayed in the support section of the **Settings > About** screen and in the ringtone list. - -## PhoneMobileOperatorName - -This setting is used for targeting phone updates. It must contain a code specified by Microsoft that corresponds to the mobile operator. These codes are provided in [Registry values for mobile operator IDs](https://msdn.microsoft.com/library/windows/hardware/dn772250.aspx). For open market phones, in which the mobile operator is not known, use the codes in [Registry values for carrier-unlocked phones](https://msdn.microsoft.com/library/windows/hardware/dn772248.aspx) instead. - -This string is not visible to the user. - -This setting must not be changed over time even if the user switches SIMs or mobile operators, as updates are always targeted based on the first mobile operator associated with the phone. 
- -The [PhoneManufacturer](/previous-versions/windows/hardware/previsioning-framework/mt138328(v=vs.85)), [PhoneManufacturerModelName](/previous-versions/windows/hardware/previsioning-framework/mt138336(v=vs.85)), and PhoneMobileOperatorName should create a unique Phone-Operator-Pairing (POP). - - - -## PhoneOEMSupportLink - -This should be a functional link that starts with http://. The link should be a URL that redirects to the mobile version of the web page. The content in the webpage should reflow to the screen width. This can be achieved by adding the CSS Tag `"@-ms-viewport { width: device-width; }"`. - -The default is an empty string (""), which means that a support link will not be displayed to the user. - -This setting varies by OEM. - - -## PhoneSupportLink - -This should be a functional link that starts with http://. The link should be a URL that redirects to the mobile version of the web page. The content in the webpage should reflow to the screen width. This can be achieved by adding the CSS Tag `"@-ms-viewport { width: device-width; }"`. - -The default is an empty string (""), which means that a support link will not be displayed to the user. - -This setting varies by OEM. - - -## PhoneSupportPhoneNumber - -Use to specify the OEM or mobile operator's support contact phone number. The country code is not required. This string is displayed in the About screen in Settings. This setting also corresponds to the Genuine Windows Phone Certificates (GWPC) support number. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md index 22142d87cb..bb1692d17e 100644 --- a/windows/configuration/wcd/wcd-devicemanagement.md +++ b/windows/configuration/wcd/wcd-devicemanagement.md 
@@ -19,12 +19,12 @@ Use to configure device management settings. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [Accounts](#accounts) | X | X | X | | | -| [PGList](#pglist) | X | X | X | | | -| [Policies](#policies) | X | X | X | | | -| [TrustedProvisioningSource](#trustedprovisioningsource) | X | X | X | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [Accounts](#accounts) | ✔️ | ✔️ | | | +| [PGList](#pglist) | ✔️ | ✔️ | | | +| [Policies](#policies) | ✔️ | ✔️ | | | +| [TrustedProvisioningSource](#trustedprovisioningsource) | ✔️ | ✔️ | | | ## Accounts @@ -45,7 +45,7 @@ Use to configure device management settings. | DisableOnRoaming | Specify whether the client will connect while cellular roaming | | InitialBackOffTime | Specify the initial amount of time (in milliseconds) that the DM client waits before attempting a connection retry | | InitiateSession | Specify whether a session should be started with the MDM server when the account is provisioned | -| MaxBackOffTime | Specify the maximum number of milliseconds to wait before attemption a connection retry | +| MaxBackOffTime | Specify the maximum number of milliseconds to wait before attempting a connection retry | | Name | Enter a display name for the management server | | Port | Enter the OMA DM server port | | PrefConRef | Enter a URI to NAP management object or a connection GUID used by the device Connection Manager | @@ -92,4 +92,4 @@ In **PROVURL**, enter the URL for a Trusted Provisioning Server (TPS). ## Related topics - [DMAcc configuration service provider (CSP)](/windows/client-management/mdm/dmacc-csp) -- [PXLOGICAL CSP](/windows/client-management/mdm/pxlogical-csp) \ No newline at end of file +- [PXLOGICAL CSP](/windows/client-management/mdm/pxlogical-csp) 
diff --git a/windows/configuration/wcd/wcd-deviceupdatecenter.md b/windows/configuration/wcd/wcd-deviceupdatecenter.md index 8db59d7617..e72df83e2d 100644 --- a/windows/configuration/wcd/wcd-deviceupdatecenter.md +++ b/windows/configuration/wcd/wcd-deviceupdatecenter.md @@ -17,7 +17,7 @@ Do not use **DeviceUpdateCenter** settings at this time. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | X | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | | diff --git a/windows/configuration/wcd/wcd-dmclient.md b/windows/configuration/wcd/wcd-dmclient.md index dfabf75bda..31d0ed7b8c 100644 --- a/windows/configuration/wcd/wcd-dmclient.md +++ b/windows/configuration/wcd/wcd-dmclient.md @@ -19,9 +19,9 @@ Use to specify enterprise-specific mobile device management configuration settin ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| UpdateManagementServiceAddress | X | X | X | | X | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| UpdateManagementServiceAddress | ✔️ | ✔️ | | ✔️ | For the **UpdateManagementServiceAddress** setting, enter a list of servers. The first server in the semi-colon delimited list is the server that will be used to instantiate MDM sessions. diff --git a/windows/configuration/wcd/wcd-editionupgrade.md b/windows/configuration/wcd/wcd-editionupgrade.md index 7b0b331a3a..aaa3c9a10e 100644 --- a/windows/configuration/wcd/wcd-editionupgrade.md +++ b/windows/configuration/wcd/wcd-editionupgrade.md 
@@ -19,11 +19,11 @@ Use to upgrade the edition of Windows 10 on the device. [Learn about Windows 10 ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [ChangeProductKey](#changeproductkey) | X | X | | | | -| [UpgradeEditionWithLicense](#upgradeeditionwithlicense) | X | X | | X | | -| [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) | X | X | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [ChangeProductKey](#changeproductkey) | ✔️ | | | | +| [UpgradeEditionWithLicense](#upgradeeditionwithlicense) | ✔️ | | ✔️ | | +| [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) | ✔️ | | | | ## ChangeProductKey diff --git a/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md b/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md deleted file mode 100644 index fe3e097ba5..0000000000 --- a/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -title: EmbeddedLockdownProfiles (Windows 10) -description: This section describes the EmbeddedLockdownProfiles setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.topic: article -ms.date: 09/06/2017 -ms.reviewer: -manager: dansimp ---- - -# EmbeddedLockdownProfiles (Windows Configuration Designer reference) - -Use to apply an XML configuration to a mobile device that locks down the device, configures custom layouts, and define multiple roles. - -## Applies to - -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| AssignedAccessXml | | X | | | | - -1. Create a lockdown XML file, either by using [the Lockdown Designer app](../mobile-devices/mobile-lockdown-designer.md) or [manually](../mobile-devices/lockdown-xml.md). -2. In the **AssignedAccessXml** setting, browse to and select the lockdown XML file that you created. - - -## Related topics - -- [EnterpriseAssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/enterpriseassignedaccess-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-firewallconfiguration.md b/windows/configuration/wcd/wcd-firewallconfiguration.md index f769dc4594..cd505cda87 100644 --- a/windows/configuration/wcd/wcd-firewallconfiguration.md +++ b/windows/configuration/wcd/wcd-firewallconfiguration.md 
@@ -19,9 +19,9 @@ Use to enable AllJoyn router to work on public networks. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| EnableAllJoynOnPublicNetwork | | | | | X | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| EnableAllJoynOnPublicNetwork | | | | ✔️ | Set to **True** or **False**. diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md index b44927ef29..a854a53a49 100644 --- a/windows/configuration/wcd/wcd-firstexperience.md +++ b/windows/configuration/wcd/wcd-firstexperience.md @@ -19,9 +19,9 @@ Use these settings to configure the out-of-box experience (OOBE) to set up HoloL ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | | X | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | | ✔️ | | Setting | Description --- | --- diff --git a/windows/configuration/wcd/wcd-folders.md b/windows/configuration/wcd/wcd-folders.md index 38880a5f7d..1eab5f086b 100644 --- a/windows/configuration/wcd/wcd-folders.md +++ b/windows/configuration/wcd/wcd-folders.md 
@@ -19,8 +19,8 @@ Use to add files to the device. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| PublicDocuments | X | X | X | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| PublicDocuments | ✔️ | ✔️ | | | Browse to and select a file or files that will be included in the provisioning package and added to the public profile documents folder on the target device. You can use the **Relative path to directory on target device** field to create a new folder within the public profile documents folder. diff --git a/windows/configuration/wcd/wcd-initialsetup.md b/windows/configuration/wcd/wcd-initialsetup.md deleted file mode 100644 index a2ea279640..0000000000 --- a/windows/configuration/wcd/wcd-initialsetup.md +++ /dev/null 
@@ -1,33 +0,0 @@ ---- -title: InitialSetup (Windows 10) -description: This section describes the InitialSetup setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.topic: article -ms.date: 09/06/2017 -ms.reviewer: -manager: dansimp ---- - -# InitialSetup (Windows Configuration Designer reference) - -Use to set the name of the Windows mobile device. - -## Applies to - -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| DeviceName | | X | | | | - -In **DeviceName**, enter a name for the device. If **DeviceName** is set to an asterisk (*) or is an empty string, a random device name will be generated. - -**DeviceName** is a string with a maximum length of 15 bytes of content: - -- **DeviceName** can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content. -- **DeviceName** cannot use spaces or any of the following characters: { | } ~ [ \ ] ^ ' : ; < = > ? @ ! " # $ % ` ( ) + / . , * &, or contain any spaces. -- **DeviceName** cannot use some non-standard characters, such as emoji. - diff --git a/windows/configuration/wcd/wcd-internetexplorer.md b/windows/configuration/wcd/wcd-internetexplorer.md deleted file mode 100644 index df4ef198d7..0000000000 --- a/windows/configuration/wcd/wcd-internetexplorer.md +++ /dev/null 
@@ -1,98 +0,0 @@
----
-title: InternetExplorer (Windows 10)
-description: This section describes the InternetExplorer settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.date: 09/06/2017
-ms.reviewer:
-manager: dansimp
----
-
-# InternetExplorer (Windows Configuration Designer reference)
-
-Use to configure settings related to Internet Explorer.
-
-## Applies to
-
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [CustomHTTPHeaders](#customhttpheaders) | | X | | | |
-| [CustomUserAgentString](#customuseragentstring) | | X | | | |
-| DataSaving > [BrowseDataSaver](#browsedatasaver) | | X | | | |
-| DataSaving > [ShowPicturesAutomatically](#showpicturesautomatically) | | X | | | |
-| [FirstRunURL](#firstrunurl) | | X | | | |
-
-## CustomHTTPHeaders
-
-Configure Microsoft Edge to send custom HTTP headers. These will be sent in addition to the default HTTP headers with all HTTP and HTTPS requests. The header is the portion of the HTTP request that defines the form of the message.
-
-- A maximum of 16 custom headers can be defined.
-- Custom headers cannot be used to modify the user agent string.
-- Each header must be no more than 1 KB in length.
-
-The following header names are reserved and must not be overwritten:
-
-- Accept
-- Accept-Charset
-- Accept-Encoding
-- Authorization
-- Expect
-- Host
-- If-Match
-- If-Modified-Since
-- If-None-Match
-- If-Range
-- If-Unmodified-Since
-- Max-Forwards
-- Proxy-Authorization
-- Range
-- Referer
-- TE
-- USER-AGENT
-- X-WAP-PROFILE
-
-1. In **Available customizations**, select **CustomHTTPHeaders**, enter a name, and then click **Add**.
-2. In **Available customizations**, select the name that you just created.
-3. 
Enter the custom header.
-
-## CustomUserAgentString
-
-The user agent string indicates which browser you are using, its version number, and details about your system, such as operating system and version. A web server can use this information to provide content that is tailored for your specific browser and phone.
-
-The user agent string for the browser cannot be modified. By default, the string has the following format:
-
-`Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; ; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Mobile Safari/537.36 Edge/12.10166`
-
-- `` is automatically replaced with the OEM name. This is the same as the PhoneManufacturer setting value that is set as part of the customization Phone metadata in DeviceTargetingInfo.
-- `` is replaced with the device name or phone name. This is the same as the PhoneModelName setting value that is set as part of the customization Phone metadata in DeviceTargetingInfo.
-
-
-**Limitations and restrictions:**
-
-- The user agent string for the browser cannot be modified outside of the customizations listed above.
-- The user agent type registry setting cannot be modified or used to change the default browser view from Mobile to Desktop.
-
-
-
-## BrowseDataSaver
-
-Use to set the browser data saver default setting. **True** turns on the browser data saver feature.
-
-Partners can configure the default setting for the browser data saver feature by turning the browser optimization service (through the BrowserDataSaver setting) on or off.
-
-
-## ShowPicturesAutomatically
-
-Use to enable or disable whether the **Show pictures automatically** setting is available in Internet Explorer **advanced settings**.
-
-
-## FirstRunURL
-
-Use to set the home page that appears the first time that Microsoft Edge is opened. This page is only shown the first time the browser is opened. 
After that, the browser displays either the most recently viewed page or an empty page if the user has closed all tabs or opens a new tab.
-
-Specify the **FirstRunURL** value with a valid link that starts with http://. It is recommended you use a forward link that redirects the user to a localized page.
diff --git a/windows/configuration/wcd/wcd-kioskbrowser.md b/windows/configuration/wcd/wcd-kioskbrowser.md
index 011302e771..b8dc34d1e1 100644
--- a/windows/configuration/wcd/wcd-kioskbrowser.md
+++ b/windows/configuration/wcd/wcd-kioskbrowser.md
@@ -19,12 +19,12 @@ Use KioskBrowser settings to configure Internet sharing.
 ## Applies to
-| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | | | | X |
+| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | | | | ✔️ |
 >[!NOTE]
->To configure Kiosk Browser settings for desktop editions, go to [Policies > KioskBrowser](wcd-policies.md#kioskbrowser).
+>To configure Kiosk Browser settings for Windows client, go to [Policies > KioskBrowser](wcd-policies.md#kioskbrowser).
 Kiosk Browser settings | Use this setting to
 --- | ---
diff --git a/windows/configuration/wcd/wcd-licensing.md b/windows/configuration/wcd/wcd-licensing.md
index b4db1ca601..82adee0181 100644
--- a/windows/configuration/wcd/wcd-licensing.md
+++ b/windows/configuration/wcd/wcd-licensing.md
@@ -19,10 +19,10 @@ Use for settings related to Microsoft licensing programs.
 ## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowWindowsEntitlementReactivation](#allowwindowsentitlementreactivation) | X | | | | |
-| [DisallowKMSClientOnlineAVSValidation](#disallowkmsclientonlineavsvalidation) | X | | | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [AllowWindowsEntitlementReactivation](#allowwindowsentitlementreactivation) | ✔️ | | | |
+| [DisallowKMSClientOnlineAVSValidation](#disallowkmsclientonlineavsvalidation) | ✔️ | | | |
 ## AllowWindowsEntitlementReactivation
diff --git a/windows/configuration/wcd/wcd-location.md b/windows/configuration/wcd/wcd-location.md
index 2e623a716c..a2989cead5 100644
--- a/windows/configuration/wcd/wcd-location.md
+++ b/windows/configuration/wcd/wcd-location.md
@@ -18,9 +18,9 @@ Use Location settings to configure location services.
 ## Applies to
-| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [EnableLocation](#enablelocation) | | | | | X |
+| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [EnableLocation](#enablelocation) | | | | ✔️ |
 ## EnableLocation
diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md
index dd1ffc9a9a..51aacf0da3 100644
--- a/windows/configuration/wcd/wcd-maps.md
+++ b/windows/configuration/wcd/wcd-maps.md
@@ -18,11 +18,11 @@ Use for settings related to Maps.
 ## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [ChinaVariantWin10](#chinavariantwin10) | X | X | X | | |
-| [UseExternalStorage](#useexternalstorage) | X | X | X | | |
-| [UseSmallerCache](#usesmallercache) | X | X | X | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [ChinaVariantWin10](#chinavariantwin10) | ✔️ | ✔️ | | |
+| [UseExternalStorage](#useexternalstorage) | ✔️ | ✔️ | | |
+| [UseSmallerCache](#usesmallercache) | ✔️ | ✔️ | | |
 ## ChinaVariantWin10
diff --git a/windows/configuration/wcd/wcd-messaging.md b/windows/configuration/wcd/wcd-messaging.md
deleted file mode 100644
index fabee5c8f9..0000000000
--- a/windows/configuration/wcd/wcd-messaging.md
+++ /dev/null
@@ -1,359 +0,0 @@ ---- -title: Messaging (Windows 10) -description: This section describes the Messaging settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.topic: article -ms.reviewer: -manager: dansimp ---- - -# Messaging (Windows Configuration Designer reference) - -Use for settings related to Messaging and Commercial Mobile Alert System (CMAS). - ->[!IMPORTANT] ->These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise. - ->[!NOTE] ->CMAS is now known as Wireless Emergency Alerts (WEA). - -## Applies to - -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | X | | | | - -## GlobalSettings - -### DisplayCmasLifo - -Use this setting to change the order in which CMAS alert messages are displayed, from the default first in/first out (FIFO) message order to last in/first out (LIFO) message order. - -If the phone receives at least one CMAS alert message which has not been acknowledged by the user, and another CMAS alert message arrives on the phone, partners can configure the order in which the newly received alert messages are displayed on the phone regardless of the service category of the alert. Users will not be able to change the message order once it has been set. - -If partners do not specify a value for this customization, the default FIFO display order is used. Users will be able to acknowledge the messages in the reverse order they were received. - -When configured as **True**, you set a LIFO message order. When configured as **False**, you set a FIFO message order. 
- -### EnableCustomLineSetupDialog - -Enable this setting to allow custom line setup dialogs in the Messaging app. - -### ExtractPhoneNumbersInStrings" - -Set as **True** to tag any 5-or-more digit number as a tappable phone number. - -### ShowSendingStatus - ->[!NOTE] ->This setting is removed in Windows 10, version 1709. - -Set **ShowSendingStatus** to **True** to display the sending status for SMS/MMS messages. - -### VoicemailIntercept - -Partners can define a filter that intercepts an incoming SMS message and triggers visual voicemail synchronization. The filtered message does not appear in the user’s conversation list. - -A visual voicemail sync is triggered by an incoming SMS message if the following conditions are met: - -- The message sender value starts with the string specified in the SyncSender setting. The length of the specified values must be greater than 3 characters but less than 75 characters. - -- The body of the message starts with the string specified in the SyncPrefix setting. The length of the specified values must be greater than 3 characters but less than 75 characters. - -- Visual voicemail is configured and enabled. For more information, see [Visual voicemail](https://msdn.microsoft.com/library/windows/hardware/dn790032.aspx). - ->[!NOTE] ->These settings are atomic, so both SyncSender and SyncPrefix must be set. -> ->The SyncSender and SyncPrefix values vary for each mobile operator, so you must work with your mobile operators to obtain the correct or required values. - -Setting | Description ---- | --- -SyncPrefix | Specify a value for SyncPrefix that is greater than 3 characters but less than 75 characters in length. For networks that support it, this value can be the keyword for the SMS notification. -SyncSender | Specify a value for SyncSender that is greater than 3 characters but less than 75 characters in length. 
For networks that support it, this value can be a short code of the mailbox server that sends a standard SMS notification. - - - -## PerSimSettings - -Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, click **Add**, and then configure the following settings. - -### AllowMmsIfDataIsOff - -Setting | Description ---- | --- -AllowMmsIfDataIsOff | **True** allows MMS if data is off -AllowMmsIfDataIsOffSupported | **True** shows the toggle for allowing MMS if data is turned off -AllowMmsIfDataIsOffWhileRoaming | **True** allows MMS if data is off while roaming - -### AllowSelectAllContacts - ->[!NOTE] ->This setting is removed in Windows 10, version 1709, and later. - -Set to **True** to show the select all contacts/unselect all menu option to allow users to easily select multiple recipients for an SMS or MMS message. This menu option provides users with an easier way to add multiple recipients and may also meet a mandatory requirement for some mobile operator networks. - -Windows 10 Mobile supports the following select multiple recipients features: - -- A multi-select chooser, which enables users to choose multiple contacts. -- A **select all contacts/unselect all** menu option, which enables users to select or unselect all their contacts. This option is not shown by default and must be enabled by the OEM. - -### AllowSendingDeliveryReport - -Specify whether the phone automatically sends a receipt acknowledgment for MMS messages. Partners can specify whether the phone automatically sends a receipt acknowledgment for MMS messages when they arrive, and they can determine whether users can control the receipt acknowledgments by using the **Send MMS acknowledgment** toggle in **Messaging > settings**. By default, this user setting is visible and turned on. 
- -| Setting | Description | -| --- | --- | -| AllowSendingDeliveryReport | **True** sets the **Send MMS acknowledgment** toggle to **On** | -| AllowSendingDeliveryReportIsSupported | **True** shows the **Send MMS acknowledgment** toggle, and **False** hides the toggle | - -### AutomaticallyDownload - -Specify whether MMS messages are automatically downloaded. - -| Setting | Description | -| --- | --- | -| AutomaticallyDownload | **True** sets the **Automatically download MMS** toggle to **On** | -| ShowAutomaticallyDownloadMMSToggle | **True** shows the **Automatically download MMS** toggle, and **False** hides the toggle | - - -### DefaultContentLocationUrl - ->[!NOTE] ->This setting is removed in Windows 10, version 1709. - -For networks that require it, you can specify the default GET path within the MMSC to use when the GET URL is missing from the WAP push MMS notification. - -Set **DefaultContentLocationUrl** to specify the default GET path within the MMSC. - -### ErrorCodeEnabled - ->[!NOTE] ->This setting is removed in Windows 10, version 1709. - -You can choose to display additional content in the conversation view when an SMS or MMS message fails to send. This content includes a specific error code in decimal format that the user can report to technical support. Common errors also include a friendly string to help the user self-diagnose and fix the problem. - -Set to **True** to display the error message with an explanation of the problem and the decimal-format error codes. When set to **False**, the full error message is not displayed. - -### EmergencyAlertOptions - -Configure settings for CMAS alerts. 
- -Setting | Description ---- | --- -CmasAMBERAlertEnabled | **True** enables the device to receive AMBER alerts -CmasExtremeAlertEnabled | **True** enables the device to receive extreme alerts -CmasSevereAlertEnabled | **True** enables the device to receive severe alerts -EmOperatorEnabled | Select which Emergency Alerts Settings page is displayed from dropdown menu -EtwsSoundEnabled | Set to **True** to play Earthquake & Tsunami Warning System (ETWS) sound during alert. -SevereAlertDependentOnExtremeAlert | When set as **True**, the CMAS-Extreme alert option must be on to modify CMAS-Severe alert option - - -### General - -Setting | Description ---- | --- -AllowSelectAllContacts | Set to **True** to show the **select all contacts/unselect all** menu option to allow users to easily select multiple recipients for an SMS or MMS message. This menu option provides users with an easier way to add multiple recipients and may also meet a mandatory requirement for some mobile operator networks. Windows 10 Mobile supports the following select multiple recipients features:

                  - A multi-select chooser, which enables users to choose multiple contacts.
                  - A **select all contacts/unselect all** menu option, which enables users to select or unselect all their contacts. This option is not shown by default and must be enabled by the OEM. -AllowSMStoSMTPAddress | Allow SMS to SMTP address. -AssistedDialingMcc | By setting AssistedDialingMcc and AssistedDialingMnc, international assisted dialing will be enabled for SMS if the user setting for international assisted dialing is enabled. Enter the Mobile Country Code (MCC) to use for sending SMS. -AssistedDialingMnc | By setting AssistedDialingMcc and AssistedDialingMnc, international assisted dialing will be enabled for SMS if the user setting for international assisted dialing is enabled. Enter the Mobile Network Code (MNC) to use for sending SMS. -AssistedDialingPlusCodeSupportOverride | For devices that support IMS over SMS, you can override support for the assisted dialing plus (+) code for SMS by setting AssistedDialingPlusCodeSupportOverride. If enabled, the OS will not convert the plus (+) code to the proper assisted number when the user turns on the dialing assist option. -AutoRetryDownload | You can configure the messaging app to automatically retry downloading an MMS message if the initial download attempt fails. When this customization is enabled, the download is retried 3 times at 20-, 40-, and 60-second intervals. -BroadcastChannels | You can specify one or more ports from which the device will accept cellular broadcast messages. Set the BroadcastChannels value to the port number(s) that can accept cellular broadcast messages. If you specify the same port that Windows 10 Mobile already recognizes as an Emergency Alert port (a CMAS or ETWS port number) and a cell broadcast message is received on that port, the user will only receive the message once. The message that is received will be displayed as an Emergency Alert message. 
-ConvertLongSMStoMMS | For networks that do support MMS and do not support segmentation of SMS messages, you can specify an automatic switch from SMS to MMS for long messages. -DefaultContentLocationUrl | For networks that require it, you can specify the default GET path within the MMSC to use when the GET URL is missing from the WAP push MMS notification. Set DefaultContentLocationUrl to specify the default GET path within the MMSC. -EarthquakeMessageString | To override the Primary Earthquake default message, specify the EarthquakeMessageString setting value. This string will be used regardless of what language is set on the device. -EarthquakeTsunamiMessageString| To override the Primary Tsunami and Earthquake default message, specify the EarthquakeTsunamiMessageString setting value. This string will be used regardless of what language is set on the device. -ErrorCodeEnabled | You can choose to display additional content in the conversation view when an SMS or MMS message fails to send. This content includes a specific error code in decimal format that the user can report to technical support. Common errors also include a friendly string to help the user self-diagnose and fix the problem. Set to **True** to display the error message with an explanation of the problem and the decimal-format error codes. When set to **False**, the full error message is not displayed. -EtwsSoundFileName | Set the value to the name of a sound file. -HideMediumSIPopups | By default, when a service indication message is received with a signal-medium or signal-high setting, the phone interrupts and shows the user prompt for these messages. However, you can hide the user prompts for signal-medium messages. -ImsiAuthenticationToken | Configure whether MMS messages include the IMSI in the GET and POST header. Set ImsiAuthenticationToken to the token used as the header for authentication. The string value should match the IMSI provided by the UICC. 
-LimitRecipients | Set the maximum number of recipients to which a single SMS or MMS message can be sent. Enter a number between 1 and 500 to limit the maximum number of recipients. -MaxRetryCount | You can specify the number of times that the phone can retry sending the failed MMS message and photo before the user receives a notification that the photo could not be sent. Specify MaxRetryCount to specify the number of times the MMS transport will attempt resending the MMS message. This value has a maximum limit of 3. -MMSLimitAttachments | You can specify the maximum number of attachments for MMS messages, from 1 to 20. The default is 5. -NIInfoEnabled | NIInfoEnabled -ProxyAuthorizationToken | See [Proxy authorization for MMS.](/windows-hardware/customize/mobile/mcsf/proxy-authorization-for-mms) -RetrySize | For MMS messages that have photo attachments and that fail to send, you can choose to automatically resize the photo and attempt to resend the message. Specify the maximum size to use to resize the photo in KB. Minimum is 0xA (10 KB). -SetCacheControlNoTransform | When set, proxies and transcoders are instructed not to change the HTTP header and the content should not be modified. A value of 1 or 0x1 adds support for the HTTP header Cache-Control No-Transform directive. When the SetCacheControlNoTransform``Value is set to 0 or 0x0 or when the setting is not set, the default HTTP header Cache-Control No-Cache directive is used. -ShowRequiredMonthlyTest | **True** enables devices to receive CMAS Required Monthly Test (RMT) messages and have these show up on the device. **False** disables devices from receiving CMAS RMT messages. -SIProtocols | Additional supported service indication protocol name. -SmscPanelDisabled | **True** disables the short message service center (SMSC) panel. -SMStoSMTPShortCode | Use to configure SMS messages to be sent to email addresses and phone numbers. `0` disables sending SMS messages to SMTP addresses. 
`1` enables sending SMS messages to SMTP addresses. -TargetVideoFormat | You can specify the transcoding to use for video files sent as attachments in MMS messages. Set TargetVideoFormat to one of the following values to configure the default transcoding for video files sent as attachments in MMS messages:

                  - 0 or 0x0 Sets the transcoding to H.264 + AAC + MP4. This is the default set by the OS.
                  - 1 or 0x1 Sets the transcoding to H.264 + AAC + 3GP.
                  - 2 or 0x2 Sets the transcoding to H.263 + AMR.NB + 3GP.
                  - 3 or 0x3 Sets the transcoding to MPEG4 + AMR.NB + 3GP. -TsunamiMessageString | To override the Primary Tsunami default message, specify the TsunamiMessageString setting value. This string will be used regardless of what language is set on the device. -UAProf | You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC. There are two ways to correlate a user agent profile with a given phone:

                  - You can take the user agent string of the phone that is sent with MMS requests and use it as a hash to map to the user agent profile on the MMSC. The user agent string cannot be modified.
                  - Alternatively, you can directly set the URI of the user agent profile on the phone.

                  Set UAProf to the full URI of your user agent profile file. Optionally, you can also specify the custom user agent property name for MMS that is sent in the header by setting UAProfToken to either `x-wap-profile` or `profile`. -UAProfToken | You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC. -UseDefaultAddress | By default, the MMS transport sends an acknowledgement to the provisioned MMS application server (MMSC). However, on some networks, the correct server to use is sent as a URL in the MMS message. In that case, a registry key must be set, or else the acknowledgement will not be received and the server will continue to send duplicate messages. **True** enables some networks to correctly acknowledge MMS messages. **False** disables the feature. -UseInsertAddressToken | Use insert address token or local raw address. -UserAgentString | Set UserAgentString to the new user agent string for MMS in its entirely. By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber WindowsPhoneOS/OSVersion-buildNumber OEM-deviceName, in which the italicized text is replaced with the appropriate values for the phone. -UseUTF8ForUnspecifiedCharset | Some incoming MMS messages may not specify a character encoding. To properly decode MMS messages that do not specify a character encoding, you can set UTF-8 to decode the message. -WapPushTechnology | For networks that require non-standard handling of single-segment incoming MMS WAP Push notifications, you can specify that MMS messages may have some of their content truncated and that they may require special handling to reconstruct truncated field values. 
`1` or `0x1` enables MMS messages to have some of their content truncated. `0` or `0x0` disables MMS messages from being truncated - -## ImsiAuthenticationToken - ->[!NOTE] ->This setting is removed in Windows 10, version 1709. - -Configure whether MMS messages include the IMSI in the GET and POST header. - -Set **ImsiAuthenticationToken** to the token used as the header for authentication. The string value should match the IMSI provided by the UICC. - - -### LatAlertOptions - -Enable `LatLocalAlertEnabled` to enable support for LAT-Alert Local Alerts for devices sold in Chile. For more information, see [Emergency notifications](/windows-hardware/customize/mobile/mcsf/emergency-notifications). - -### MaxRetryCount - ->[!NOTE] ->This setting is removed in Windows 10, version 1709. - -You can specify the number of times that the phone can retry sending the failed MMS message and photo before the user receives a notification that the photo could not be sent. - -Specify MaxRetryCount to specify the number of times the MMS transport will attempt resending the MMS message. This value has a maximum limit of 3. - -### MMSGroupText - -Set options for group messages sent to multiple people. - -Setting | Description ---- | --- -MMSGroupText | **True** enables group messages to multiple people sent as MMS. -ShowMMSGroupTextUI | **True** shows the toggle for group text in messaging settings. -ShowMmsGroupTextWarning | **True** shows the warning that alerts users of possible additional charges before sending a group text as MMS. - -### NIAlertOptions - -Enable `NI2AlertEnabled` to enable support for the Netherlands Announcements for devices sold in the Netherlands. For more information, see [Emergency notifications](/windows-hardware/customize/mobile/mcsf/emergency-notifications). - -### RcsOptions - -Set options for Rich Communications Services (RCS). 
- -| Setting | Description | -| --- | --- | -RcsAllowLeaveClosedGroupChats | Whether or not to allow users to leave closed group chats. -| RcsEnabled | Toggle to enable/disable RCS service. Set to **True** to enable. | -| RcsFileTransferAutoAccept | Set to **True** to auto-accept RCS incoming file transfer if the file size is less than warning file size.| -RcsFiletransferAutoAcceptWhileRoaming | Auto-accept RCS incoming file transfer when the file size is less than the warning file size while roaming. -RcsGroupChatCreationMode | The mode used to create new RCS group chats. -RcsGroupChatCreationgThreadingMode | The mode used to thread newly created RCS group chats. -| RcsSendReadReceipt | Set to **True** to send read receipt to the sender when a message is read. | -RcsTimeWindowsAfterSelfLeave | After RCS receives a self-left message, it will ignore messages during this time (in milliseconds), except self-join. -| ShowRcsEnabled | Set to **True** to show the toggle for RCS activation. | - - -### RequestDeliveryReport - -Set options related to MMS message notifications. You can specify whether users receive notification that MMS messages could not be delivered, and determine whether users can control this by using the MMS delivery confirmation toggle in **Messaging > settings**. By default, this user setting is visible but turned off. - -| Setting | Description | -| --- | --- | -| RequestDeliveryReport | Set to **True** to set the default value to on. | -| RequestDeliveryReportIsSupported | **True** shows the toggle for MMS delivery confirmation, and **False** hides the toggle. | - - -### SMSDeliveryNotify - -Setting | Description ---- | --- -DeliveryNotifySupported | Set to **True** to enable SMS delivery confirmation. -SMSDeliveryNotify | Set to **True** to toggle SMS delivery confirmation. - -### TargetVideoFormat - ->[!NOTE] ->This setting is removed in Windows 10, version 1709. 
- -You can specify the transcoding to use for video files sent as attachments in MMS messages. - -Set TargetVideoFormat to one of the following values to configure the default transcoding for video files sent as attachments in MMS messages: - -| Value | Description | -| --- | --- | -| 0 or 0x0 | Sets the transcoding to H.264 + AAC + MP4. This is the default set by the OS. | -| 1 or 0x1 | Sets the transcoding to H.264 + AAC + 3GP. | -| 2 or 0x2 | Sets the transcoding to H.263 + AMR.NB + 3GP. | -| 3 or 0x3 | Sets the transcoding to MPEG4 + AMR.NB + 3GP. | - - -### TaiwanAlertOptions - -Set options for Taiwan Emergency Alerts system. For more information, see [Emergency notifications](/windows-hardware/customize/mobile/mcsf/emergency-notifications#taiwan-alerts). - - -Setting | Description ---- | --- -TaiwanAlertEnabled | Receive Taiwan alerts. -TaiwanEmergencyAlertEnabled | Receive Taiwan emergency alerts. -TaiwanPresidentialAlertEnabled | Receive alerts from the Leader of the Taiwan Area. -TaiwanRequiredMonthlytestEnabled | Receive Taiwan Required Monthly Test alerts. - - - -### UAProf - ->[!NOTE] ->This setting is removed in Windows 10, version 1709. - -You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC. - -There are two ways to correlate a user agent profile with a given phone: -- You can take the user agent string of the phone that is sent with MMS requests and use it as a hash to map to the user agent profile on the MMSC. The user agent string cannot be modified. -- Alternatively, you can directly set the URI of the user agent profile on the phone. - -Set **UAProf** to the full URI of your user agent profile file. 
Optionally, you can also specify the custom user agent property name for MMS that is sent in the header by setting **UAProfToken** to either `x-wap-profile` or `profile`. - - -### UAProfToken - ->[!NOTE] ->This setting is removed in Windows 10, version 1709. - -You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC. - -Optionally, in addition to specifying **UAProf**, you can also specify the custom user agent property name for MMS that is sent in the header by setting **UAProfToken** to either `x-wap-profile` or `profile`. - - -### UserAgentString - ->[!NOTE] ->This setting is removed in Windows 10, version 1709. - -Set **UserAgentString** to the new user agent string for MMS in its entirely. - -By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber WindowsPhoneOS/OSVersion-buildNumber OEM-deviceName, in which the italicized text is replaced with the appropriate values for the phone. - - -### w4 - -| Setting | Description | -| --- | --- | -| ADDR | Specify the absolute MMSC URL. The possible values to configure the ADDR parameter are:

                  - A Uniform Resource Identifier (URI)
                  - An IPv4 address represented in decimal format with dots as delimiters
                  - A fully qualified Internet domain name | -| APPID | Set to `w4`. | -| MS | (optional) Specify the maximum size of MMS, in KB. If the value is not a number, or is less than or equal to 10, it will be ignored and outgoing MMS will not be resized. | -| NAME | (optional) Enter user–readable application identity. This parameter is also used to define part of the registry path for the APPLICATION parameters. The possible values to configure the **NAME** parameter are:

                  - Character string containing the name
                  - no value specified

                  If no value is specified, the registry location will default to ``. If **NAME** is greater than 40 characters, it will be truncated to 40 characters. | -| TONAPID | Specify the network access point identification name (NAPID) defined in the provisioning file. This parameter takes a string value. It is only possible to refer to network access points defined within the same provisioning file (except if the INTERNET attribute is set in the NAPDEF characteristic). For more information about the NAPDEF characteristic, see [NAPDEF configuration service provider](/windows/client-management/mdm/napdef-csp). | -| TOPROXY | Specify one logical proxy with a matching PROXY-ID. It is only possible to refer to proxies defined within the same provisioning file. Only one proxy can be listed. The TO-PROXY value must be set to the value of the PROXY ID in PXLOGICAL that defines the MMS specific-proxy. | - -### WapPushTechnology - ->[!NOTE] ->These settings are removed in Windows 10, version 1709. - -For networks that require non-standard handling of single-segment incoming MMS WAP Push notifications, you can specify that MMS messages may have some of their content truncated and that they may require special handling to reconstruct truncated field values. - -| Value | Description | -| --- | --- | -| 1 or 0x1 | Enables MMS messages to have some of their content truncated. | -| 0 or 0x0 | Disables MMS messages from being truncated. | - - - -## Related topics -- [Customizations for SMS and MMS](/windows-hardware/customize/mobile/mcsf/customizations-for-sms-and-mms) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-modemconfigurations.md b/windows/configuration/wcd/wcd-modemconfigurations.md deleted file mode 100644 index 79cc7624f2..0000000000 --- a/windows/configuration/wcd/wcd-modemconfigurations.md +++ /dev/null 
@@ -1,24 +0,0 @@
----
-title: ModemConfiguration (Windows 10)
-description: This section describes the ModemConfiguration settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.reviewer:
-manager: dansimp
----
-
-# ModemConfiguration (Windows Configuration Designer reference)
-
-ModemConfiguration settings are removed in Windows 10, version 1709.
-
-## Applies to
-
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | X | | | |
-
diff --git a/windows/configuration/wcd/wcd-multivariant.md b/windows/configuration/wcd/wcd-multivariant.md
deleted file mode 100644
index 4b46abbb30..0000000000
--- a/windows/configuration/wcd/wcd-multivariant.md
+++ /dev/null
@@ -1,25 +0,0 @@ ---- -title: Multivariant (Windows 10) -description: This section describes the Multivariant settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.topic: article -ms.reviewer: -manager: dansimp ---- - -# Multivariant (Windows Configuration Designer reference) - -Use to select a default profile for mobile devices that have multivariant configurations. - -## Applies to - -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| DefaultProfile | | X | | | | - -If you will be adding [multivariant settings](../provisioning-packages/provisioning-multivariant.md) to your provisioning package, you can use the **DefaultProfile** setting to specify which variant should be applied by default if OOBE is skipped. In the **DefaultProfile** field, enter the UINAME from your customizations.xml that you want to use as default. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md index 26dc49ac76..957bc2abd1 100644 --- a/windows/configuration/wcd/wcd-networkproxy.md +++ b/windows/configuration/wcd/wcd-networkproxy.md @@ -18,9 +18,9 @@ Use for settings related to NetworkProxy. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | X | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | ✔️ | | | ## AutoDetect diff --git a/windows/configuration/wcd/wcd-networkqospolicy.md b/windows/configuration/wcd/wcd-networkqospolicy.md index 899b27631b..177a49d274 100644 --- a/windows/configuration/wcd/wcd-networkqospolicy.md 
+++ b/windows/configuration/wcd/wcd-networkqospolicy.md @@ -18,9 +18,9 @@ Use to create network Quality of Service (QoS) policies. A QoS policy performs a ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | X | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | ✔️ | | | 1. In **Available customizations**, select **NetworkQ0SPolicy**, enter a friendly name for the account, and then click **Add**. 2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure. diff --git a/windows/configuration/wcd/wcd-nfc.md b/windows/configuration/wcd/wcd-nfc.md deleted file mode 100644 index b584cad59c..0000000000 --- a/windows/configuration/wcd/wcd-nfc.md +++ /dev/null 
@@ -1,31 +0,0 @@
----
-title: NFC (Windows 10)
-description: This section describes the NFC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.reviewer:
-manager: dansimp
----
-
-# NFC (Windows Configuration Designer reference)
-
-Use to configure settings related to near field communications (NFC) subsystem.
-
-## Applies to
-
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | X | | | |
-
-Expand **NFC** > **SEMgr** > **UI**. The following table describes the settings you can configure.
-
-| Setting | Description |
-| --- | --- |
-| CardEmulationState | Configure the default state of **Tap to pay**. Select between **OFF**, **When Phone Unlocked**, **When Screen On**, and **Anytime**. |
-| DefaultFastCardSetting | Configure the default fast card usage for NFC payments. Select between **When Phone Unlocked**, **When Screen On**, and **Anytime**. |
-| HideFastCardsOption | Show or hide the fast cards options drop-down menu in the **NFC** > **Tap to pay** control panel. |
diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md
index 72fc4e529e..9110aeec1d 100644
--- a/windows/configuration/wcd/wcd-oobe.md
+++ b/windows/configuration/wcd/wcd-oobe.md
@@ -18,40 +18,21 @@ Use to configure settings for the [Out Of Box Experience (OOBE)](/windows-hardwa ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [Desktop > EnableCortanaVoice](#enablecortanavoice) | X | | | | | -| [Desktop > HideOobe](#hided) | X | | | | | -| [Mobile > EnforceEnterpriseProvisioning](#nforce) | | X | | | | -| [Mobile > HideOobe](#hidem) | | X | | | | - - - +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [Desktop > EnableCortanaVoice](#enablecortanavoice) | ✔️ | | | | +| [Desktop > HideOobe](#hideoobe-for-desktop) | ✔️ | | | | ## EnableCortanaVoice Use this setting to control whether Cortana voice-over is enabled during OOBE. The voice-over is disabled by default on Windows 10 Pro, Education, and Enterprise. The voice-over is enabled by default on Windows 10 Home. Select **True** to enable voice-over during OOBE, or **False** to disable voice-over during OOBE. - ## HideOobe for desktop When set to **True**, it hides the interactive OOBE flow for Windows 10. ->[!NOTE] ->You must create a user account if you set the value to true or the device will not be usable. +> [!NOTE] +> You must create a user account if you set the value to true or the device will not be usable. When set to **False**, the OOBE screens are displayed. - -## EnforceEnterpriseProvisioning - -When set to **True**, it forces the OOBE flow into using the enterprise provisioning page without making the user interact with the Windows button. This is the default setting. - -When set to **False**, it does not force the OOBE flow to the enterprise provisioning page. - - -## HideOobe for mobile - -When set to **True**, it hides the interactive OOBE flow for Windows 10 Mobile. - -When set to **False**, the OOBE screens are displayed. \ No newline at end of file 
diff --git a/windows/configuration/wcd/wcd-otherassets.md b/windows/configuration/wcd/wcd-otherassets.md
deleted file mode 100644
index 5166212585..0000000000
--- a/windows/configuration/wcd/wcd-otherassets.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: OtherAssets (Windows 10)
-description: This section describes the OtherAssets settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.date: 09/06/2017
-ms.reviewer:
-manager: dansimp
----
-
-# OtherAssets (Windows Configuration Designer reference)
-
-Use to configure settings for Map data.
-
-## Applies to
-
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| MapData | | X | | | |
-
-Use **MapData** to specify the source directory location of the map region you want to include.
-
-For example, if C:\Path\Maps\Europe contains the downloaded map data that you want to preload, set the value to that directory.
-
-To add additional maps, add a new MapData setting and set the source to the directory location of the map region you want to include.
diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md
index 4f20e71ba6..18b6259bdc 100644
--- a/windows/configuration/wcd/wcd-personalization.md
+++ b/windows/configuration/wcd/wcd-personalization.md
@@ -18,12 +18,12 @@ Use to configure settings to personalize a PC. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [DeployDesktopImage](#deploydesktopimage) | X | | | | | -| [DeployLockScreenImage](#deploylockscreenimage) | X | | | | | -| [DesktopImageUrl](#desktopimageurl) | X | | | | | -| [LockScreenImageUrl](#lockscreenimageurl) | X | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [DeployDesktopImage](#deploydesktopimage) | ✔️ | | | | +| [DeployLockScreenImage](#deploylockscreenimage) | ✔️ | | | | +| [DesktopImageUrl](#desktopimageurl) | ✔️ | | | | +| [LockScreenImageUrl](#lockscreenimageurl) | ✔️ | | | | ## DeployDesktopImage diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index 8800dbb685..f7629487bb 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md 
@@ -18,316 +18,316 @@ This section describes the **Policies** settings that you can configure in [prov ## AboveLock -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowActionCenterNotifications](/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowactioncenternotifications) | Allow Action Center notifications above the device lock screen. | | X | | | | -| [AllowToasts](/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowtoasts) | Allow toast notifications above the device lock screen. | X | X | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowActionCenterNotifications](/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowactioncenternotifications) | Allow Action Center notifications above the device lock screen. | | | | | +| [AllowToasts](/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowtoasts) | Allow toast notifications above the device lock screen. 
| ✔️ | | | | ## Accounts -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAddingNonMicrosoftAccountManually](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowaddingnonmicrosoftaccountsmanually) | Whether users can add non-Microsoft email accounts | X | X | | | | -| [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for non-email-related connection authentication and services | X | X | | X | | -| [AllowMicrosoftAccountSigninAssistant](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountsigninassistant) | Disable the **Microsoft Account Sign-In Assistant** (wlidsvc) NT service | X | X | | | | -| [DomainNamesForEmailSync](/windows/client-management/mdm/policy-configuration-service-provider#accounts-domainnamesforemailsync) | List of domains that are allowed to sync email on the devices | X | X | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAddingNonMicrosoftAccountManually](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowaddingnonmicrosoftaccountsmanually) | Whether users can add non-Microsoft email accounts | ✔️ | | | | +| [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for non-email-related connection authentication and services | ✔️ | | ✔️ | | +| [AllowMicrosoftAccountSigninAssistant](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountsigninassistant) | Disable the **Microsoft Account Sign-In Assistant** (wlidsvc) NT 
service | ✔️ | | | | +| [DomainNamesForEmailSync](/windows/client-management/mdm/policy-configuration-service-provider#accounts-domainnamesforemailsync) | List of domains that are allowed to sync email on the devices | ✔️ | | | | ## ApplicationDefaults -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [DefaultAssociationsConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | X | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [DefaultAssociationsConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | ✔️ | | | | ## ApplicationManagement -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAllTrustedApps](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Microsoft Store apps are allowed | X | X | | | X | -| [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Microsoft Store is allowed | X | X | | | X | -| [AllowDeveloperUnlock](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | X | X | X | X | X | -| [AllowGameDVR](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | X | | | | | -| 
[AllowSharedUserAppData](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | X | X | | | | -| [AllowStore](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device | | X | | | | -| [ApplicationRestrictions](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. | | x | | | | -| [LaunchAppAfterLogOn](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-launchappafterlogon) |Whether to launch an app or apps when the user signs in. | X | | | | | -| [RestrictAppDataToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | X | X | | | X | -| [RestrictAppToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | X | X | | | X | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAllTrustedApps](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Microsoft Store apps are allowed | ✔️ | | | ✔️ | +| [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Microsoft Store is allowed | ✔️ | | | ✔️ | +| 
[AllowDeveloperUnlock](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowGameDVR](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | ✔️ | | | | +| [AllowSharedUserAppData](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | ✔️ | | | | +| [AllowStore](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device | | | | | +| [ApplicationRestrictions](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. | | | | | +| [LaunchAppAfterLogOn](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-launchappafterlogon) |Whether to launch an app or apps when the user signs in. 
| ✔️ | | | | +| [RestrictAppDataToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | ✔️ | | | ✔️ | +| [RestrictAppToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | ✔️ | | | ✔️ | ## Authentication -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowFastReconnect](/windows/client-management/mdm/policy-csp-authentication#authentication-allowfastreconnect) | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. | X | X | X | X | X | -| [EnableFastFirstSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablefastfirstsignin) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. | X | X | X | | X | -| [EnableWebSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin) | Enables Windows logon support for non-ADFS federated providers (e.g. SAML). | X | X | X | | X | -| [PreferredAadTenantDomainName](/windows/client-management/mdm/policy-csp-authentication#authentication-preferredaadtenantdomainname) | Specifies the preferred domain among available domains in the Azure AD tenant. | X | X | X | | X | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowFastReconnect](/windows/client-management/mdm/policy-csp-authentication#authentication-allowfastreconnect) | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. 
| ✔️ | ✔️ | ✔️ | ✔️ | +| [EnableFastFirstSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablefastfirstsignin) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. | ✔️ | ✔️ | | ✔️ | +| [EnableWebSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin) | Enables Windows logon support for non-ADFS federated providers (e.g. SAML). | ✔️ | ✔️ | | ✔️ | +| [PreferredAadTenantDomainName](/windows/client-management/mdm/policy-csp-authentication#authentication-preferredaadtenantdomainname) | Specifies the preferred domain among available domains in the Azure AD tenant. | ✔️ | ✔️ | | ✔️ | ## BitLocker -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [EncryptionMethod](/windows/client-management/mdm/policy-configuration-service-provider#bitlocker-encryptionmethod) | Specify BitLocker drive encryption method and cipher strength | X | X | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [EncryptionMethod](/windows/client-management/mdm/policy-configuration-service-provider#bitlocker-encryptionmethod) | Specify BitLocker drive encryption method and cipher strength | ✔️ | | | | ## Bluetooth -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAdvertising](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | X | X | X | X | X | -| [AllowDiscoverableMode](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices 
can discover the device | X | X | X | X | X | -| [AllowPrepairing](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | X | X | X | X | X | -| AllowPromptedProximalConnections | Whether Windows will prompt users when Bluetooth devices that are connectable are in range of the user's device | X | X | X | X | X | -| [LocalDeviceName](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | X | X | X | X | X | -| [ServicesAllowedList](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | X | X | X | X | X | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAdvertising](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowDiscoverableMode](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices can discover the device | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowPrepairing](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | ✔️ | ✔️ | ✔️ | ✔️ | +| AllowPromptedProximalConnections | Whether Windows will prompt users when Bluetooth devices that are connectable are in range of the user's device | ✔️ | ✔️ | ✔️ | ✔️ | +| [LocalDeviceName](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | ✔️ | ✔️ | ✔️ | ✔️ | +| 
[ServicesAllowedList](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | ✔️ | ✔️ | ✔️ | ✔️ | ## Browser -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAddressBarDropdown](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. | X | | | | | -| [AllowAutofill](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | X | X | X | | X | -| [AllowBrowser](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device (for Windows 10, version 1803 and earlier only). | X | X | | | | -[AllowConfigurationUpdateForBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | Specify whether Microsoft Edge can automatically update the configuration data for the Books Library. | X | X | | | | -| [AllowCookies](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | X | X | X | | X | -| [AllowDeveloperTools](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | X | | | | | -| [AllowDoNotTrack](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do Not Track headers are allowed. 
| X | X | X | | X | -| [AllowExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | X | | | | | -| [AllowFlash](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. | X | | | | | -| [AllowFlashClickToRun](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | X | | | | | -| [AllowFullScreenMode](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowfullscreenmode) | Specify whether full-screen mode is allowed. | X | X | X | | X | -| [AllowInPrivate](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. | X | X | X | | X | -| [AllowMicrosoftCompatibilityList](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowmicrosoftcompatibilitylist) | Specify whether to use the Microsoft compatibility list in Microsoft Edge. | X | X | X | | X | -| [AllowPasswordManager](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | X | X | X | | X | -| [AllowPopups](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | X | | | X | | -| [AllowPrelaunch](/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) | Specify whether Microsoft Edge can pre-launch as a background process during Windows startup when the system is idle waiting to be launched by the user. 
| X | | | | | -| [AllowPrinting](/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) | Specify whether users can print web content in Microsoft Edge. | X | X | X | | X | -| [AllowSavingHistory](/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) | Specify whether Microsoft Edge saves the browsing history. | X | | | | | -| [AllowSearchEngineCustomization](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchenginecustomization) | Allow search engine customization for MDM-enrolled devices. | X | X | X | | X | -| [AllowSearchSuggestionsinAddressBar](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. | X | X | X | | X | -| [AllowSideloadingOfExtensions](/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) | Specify whether extensions can be sideloaded in Microsoft Edge. | X | | | | | -| [AllowSmartScreen](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | X | X | X | X | X | -| [AllowTabPreloading](/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) | Specify whether preloading the Start and New tab pages during Windows sign-in is allowed. | X | | | | | -| [AllowWebContentOnNewTabPage](/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | Specify whether a New tab page opens with the default content or a blank page. | X | X | X | | X | -[AlwaysEnableBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | Always show the Books Library in Microsoft Edge. 
| X | X | | | | -| [ClearBrowsingDataOnExit](/windows/client-management/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | X | | | | | -| [ConfigureAdditionalSearchEngines](/windows/client-management/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 additional search engines for MDM-enrolled devices. | X | X | X | | X | -| [ConfigureFavoritesBar](/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) | Specify whether the Favorites bar is shown or hidden on all pages. | X | | | | | -| [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | Configure whether the Home button will be shown, and what should happen when it is selected. You should also configure the [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) setting. To configure this setting and also allow users to make changes to the Home button, see the [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) setting. | X | | | | | -| [ConfigureKioskMode](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | Configure how Microsoft Edge operates when it's running in kiosk mode, either as a single-app kiosk or as one of multiple apps running on the kiosk device. | X | | | | | -| [ConfigureKioskResetAfterIdleTimeout](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | Specify the time, in minutes, after which Microsoft Edge running in kiosk mode resets to the default kiosk configuration. | X | | | | | -| [ConfigureOpenMicrosoftEdgeWith](/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | Specify which pages should load when Microsoft Edge opens. 
You should also configure the [ConfigureStartPages](/windows/client-management/mdm/policy-csp-browser#browser-configurestartpages) setting and [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) setting. | X | | | | | -| [ConfigureTelemetryForMicrosoft365Analytics](/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) | Specify whether to send Microsoft Edge browsing history data to Microsoft 365 Analytics. | X | | | | | -| [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | X | | | | | -[EnableExtendedBooksTelemetry](/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | Enable this setting to send additional diagnostic data, on top of the basic diagnostic data, from the Books tab. | X | X | | | | -| [EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | X | | | | | -| [EnterpriseSiteListServiceUrl](/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | X | | | | | -| [FirstRunURL](/windows/client-management/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | X | X | | | | -| [HomePages](/windows/client-management/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. 
| X | | | | | -[LockdownFavorites](/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | Configure whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. | X | X | | | | -| [PreventAccessToAboutFlagsInMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | X | X | X | | X | -| [PreventCertErrorOverrides](/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | Specify whether to override security warnings about sites that have SSL errors. | X | X | X | | X | -| [PreventFirstRunPage](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. | X | | | | | -| [PreventLiveTileDataCollection](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | X | X | X | | X | -| [PreventSmartScreenPromptOverride](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen warnings about potentially malicious websites. | X | X | X | | X | -| [PreventSmartScreenPromptOverrideForFiles](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen warnings about downloading unverified files. 
| X | X | X | | X | -PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. Applies to Windows 10, version 1803 and earlier only. | X | | | | | -| [PreventTurningOffRequiredExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-forceenabledextensions) | Enter a list of extensions in Microsoft Edge that users cannot turn off, using a semi-colon delimited list of extension package family names. | X | | | | | -| [PreventUsingLocalHostIPAddressForWebRTC](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | X | X | X | | X | -[ProvisionFavorites](/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | Configure a default set of favorites which will appear for employees. | X | X | | | | -| [SendIntranetTraffictoInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | X | | | | | -| [SetDefaultSearchEngine](/windows/client-management/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. | X | X | X | | X | -| [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | Specify a custom URL for the Home button. You should also enable the [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) setting and select the **Show the home button; clicking the home button loads a specific URL** option. 
| X | | | | | -| [SetNewTabPageURL](/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) | Specify a custom URL for a New tab page. | X | | | | | -| [ShowMessageWhenOpeningSitesInInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list. | X | | | | | -| [SyncFavoritesBetweenIEAndMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-syncfavoritesbetweenieandmicrosoftedge) | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | X | | | | | -| [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) | Specify whether users can make changes to the Home button. | X | | | | | -[UseSharedFolderForBooks](/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | Specify whether organizations should use a folder shared across users to store books from the Books Library. | X | X | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAddressBarDropdown](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. | ✔️ | | | | +| [AllowAutofill](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. 
| ✔️ | ✔️ | | ✔️ |
+| [AllowBrowser](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device (for Windows 10, version 1803 and earlier only). | ✔️ | | | |
+[AllowConfigurationUpdateForBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | Specify whether Microsoft Edge can automatically update the configuration data for the Books Library. | ✔️ | | | |
+| [AllowCookies](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | ✔️ | ✔️ | | ✔️ |
+| [AllowDeveloperTools](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | ✔️ | | | |
+| [AllowDoNotTrack](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do Not Track headers are allowed. | ✔️ | ✔️ | | ✔️ |
+| [AllowExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | ✔️ | | | |
+| [AllowFlash](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. | ✔️ | | | |
+| [AllowFlashClickToRun](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | ✔️ | | | |
+| [AllowFullScreenMode](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowfullscreenmode) | Specify whether full-screen mode is allowed. | ✔️ | ✔️ | | ✔️ |
+| [AllowInPrivate](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. | ✔️ | ✔️ | | ✔️ |
+| [AllowMicrosoftCompatibilityList](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowmicrosoftcompatibilitylist) | Specify whether to use the Microsoft compatibility list in Microsoft Edge. | ✔️ | ✔️ | | ✔️ |
+| [AllowPasswordManager](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | ✔️ | ✔️ | | ✔️ |
+| [AllowPopups](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | ✔️ | | ✔️ | |
+| [AllowPrelaunch](/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) | Specify whether Microsoft Edge can pre-launch as a background process during Windows startup when the system is idle waiting to be launched by the user. | ✔️ | | | |
+| [AllowPrinting](/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) | Specify whether users can print web content in Microsoft Edge. | ✔️ | ✔️ | | ✔️ |
+| [AllowSavingHistory](/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) | Specify whether Microsoft Edge saves the browsing history. | ✔️ | | | |
+| [AllowSearchEngineCustomization](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchenginecustomization) | Allow search engine customization for MDM-enrolled devices. | ✔️ | ✔️ | | ✔️ |
+| [AllowSearchSuggestionsinAddressBar](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. | ✔️ | ✔️ | | ✔️ |
+| [AllowSideloadingOfExtensions](/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) | Specify whether extensions can be sideloaded in Microsoft Edge. | ✔️ | | | |
+| [AllowSmartScreen](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [AllowTabPreloading](/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) | Specify whether preloading the Start and New tab pages during Windows sign-in is allowed. | ✔️ | | | |
+| [AllowWebContentOnNewTabPage](/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | Specify whether a New tab page opens with the default content or a blank page. | ✔️ | ✔️ | | ✔️ |
+[AlwaysEnableBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | Always show the Books Library in Microsoft Edge. | ✔️ | | | |
+| [ClearBrowsingDataOnExit](/windows/client-management/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | ✔️ | | | |
+| [ConfigureAdditionalSearchEngines](/windows/client-management/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 additional search engines for MDM-enrolled devices. | ✔️ | ✔️ | | ✔️ |
+| [ConfigureFavoritesBar](/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) | Specify whether the Favorites bar is shown or hidden on all pages. | ✔️ | | | |
+| [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | Configure whether the Home button will be shown, and what should happen when it is selected. You should also configure the [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) setting. To configure this setting and also allow users to make changes to the Home button, see the [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) setting. | ✔️ | | | |
+| [ConfigureKioskMode](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | Configure how Microsoft Edge operates when it's running in kiosk mode, either as a single-app kiosk or as one of multiple apps running on the kiosk device. | ✔️ | | | |
+| [ConfigureKioskResetAfterIdleTimeout](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | Specify the time, in minutes, after which Microsoft Edge running in kiosk mode resets to the default kiosk configuration. | ✔️ | | | |
+| [ConfigureOpenMicrosoftEdgeWith](/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | Specify which pages should load when Microsoft Edge opens. You should also configure the [ConfigureStartPages](/windows/client-management/mdm/policy-csp-browser#browser-configurestartpages) setting and [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) setting. | ✔️ | | | |
+| [ConfigureTelemetryForMicrosoft365Analytics](/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) | Specify whether to send Microsoft Edge browsing history data to Microsoft 365 Analytics. | ✔️ | | | |
+| [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | ✔️ | | | |
+[EnableExtendedBooksTelemetry](/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | Enable this setting to send additional diagnostic data, on top of the basic diagnostic data, from the Books tab. | ✔️ | ✔️ | | |
+| [EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | ✔️ | | | |
+| [EnterpriseSiteListServiceUrl](/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | ✔️ | | | |
+| [FirstRunURL](/windows/client-management/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | ✔️ | | | |
+| [HomePages](/windows/client-management/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | ✔️ | | | |
+[LockdownFavorites](/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | Configure whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. | ✔️ | | | |
+| [PreventAccessToAboutFlagsInMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | ✔️ | ✔️ | | ✔️ |
+| [PreventCertErrorOverrides](/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | Specify whether to override security warnings about sites that have SSL errors. | ✔️ | ✔️ | | ✔️ |
+| [PreventFirstRunPage](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. | ✔️ | | | |
+| [PreventLiveTileDataCollection](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | ✔️ | ✔️ | | ✔️ |
+| [PreventSmartScreenPromptOverride](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen warnings about potentially malicious websites. | ✔️ | ✔️ | | ✔️ |
+| [PreventSmartScreenPromptOverrideForFiles](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen warnings about downloading unverified files. | ✔️ | ✔️ | | ✔️ |
+PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. Applies to Windows 10, version 1803 and earlier only. | ✔️ | | | |
+| [PreventTurningOffRequiredExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-forceenabledextensions) | Enter a list of extensions in Microsoft Edge that users cannot turn off, using a semi-colon delimited list of extension package family names. | ✔️ | | | |
+| [PreventUsingLocalHostIPAddressForWebRTC](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | ✔️ | ✔️ | | ✔️ |
+[ProvisionFavorites](/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | Configure a default set of favorites which will appear for employees. | ✔️ | | | |
+| [SendIntranetTraffictoInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | ✔️ | | | |
+| [SetDefaultSearchEngine](/windows/client-management/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. | ✔️ | ✔️ | | ✔️ |
+| [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | Specify a custom URL for the Home button. You should also enable the [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) setting and select the **Show the home button; clicking the home button loads a specific URL** option. | ✔️ | | | |
+| [SetNewTabPageURL](/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) | Specify a custom URL for a New tab page. | ✔️ | | | |
+| [ShowMessageWhenOpeningSitesInInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list. | ✔️ | | | |
+| [SyncFavoritesBetweenIEAndMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-syncfavoritesbetweenieandmicrosoftedge) | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | ✔️ | | | |
+| [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) | Specify whether users can make changes to the Home button. | ✔️ | | | |
+[UseSharedFolderForBooks](/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | Specify whether organizations should use a folder shared across users to store books from the Books Library. | ✔️ | | | |
 ## Camera
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowCamera](/windows/client-management/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | X | X | X | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowCamera](/windows/client-management/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | ✔️ | ✔️ | | |
 ## Connectivity
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowBluetooth](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | X | X | X | X | X |
-| [AllowCellularData](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | X | X | X | | X |
-| [AllowCellularDataRoaming](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. | X | X | X | | X |
-| [AllowConnectedDevices](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | X | X | X | | X |
-| [AllowNFC](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allownfc) | Allow or disallow near field communication (NFC) on the device. | | X | | | X |
-| [AllowUSBConnection](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowusbconnection) | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. | | X | | | X |
-| [AllowVPNOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlyinng connections VPN is allowed to use. |X | X | X | | X |
-| [AllowVPNRoamingOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnroamingovercellular) | Prevent the device from connecting to VPN when the device roams over cellular networks. | X | X | X | | X |
-| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | X | X | X | | X |
-| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. | X | X | X | | X |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowBluetooth](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [AllowCellularData](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | ✔️ | ✔️ | | ✔️ |
+| [AllowCellularDataRoaming](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. | ✔️ | ✔️ | | ✔️ |
+| [AllowConnectedDevices](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | ✔️ | ✔️ | | ✔️ |
+| [AllowNFC](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allownfc) | Allow or disallow near field communication (NFC) on the device. | | | | ✔️ |
+| [AllowUSBConnection](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowusbconnection) | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. | | | | ✔️ |
+| [AllowVPNOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlying connections VPN is allowed to use. |✔️ | ✔️ | | ✔️ |
+| [AllowVPNRoamingOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnroamingovercellular) | Prevent the device from connecting to VPN when the device roams over cellular networks. | ✔️ | ✔️ | | ✔️ |
+| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | ✔️ | ✔️ | | ✔️ |
+| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. | ✔️ | ✔️ | | ✔️ |
 ## CredentialProviders
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-[DisableAutomaticReDeploymentCredentials](/windows/client-management/mdm/policy-csp-credentialproviders) | This setting disables the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Windows 10 Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. | X | | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+[DisableAutomaticReDeploymentCredentials](/windows/client-management/mdm/policy-csp-credentialproviders) | This setting disables the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Windows 10 Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. | ✔️ | | | |
 ## Cryptography
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowFipsAlgorithmPolicy](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-allowfipsalgorithmpolicy) | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | X | X | | | |
-| [TLSCiperSuites](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-tlsciphersuites) | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | X | X | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowFipsAlgorithmPolicy](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-allowfipsalgorithmpolicy) | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | ✔️ | | | |
+| [TLSCiperSuites](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-tlsciphersuites) | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | ✔️ | | | |
 ## Defender
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowArchiveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. | X | | | | |
-| [AllowBehaviorMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowbehaviormonitoring) | Allow or disallow Windows Defender Behavior Monitoring functionality. | X | | | | |
-| [AllowCloudProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowcloudprotection) | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. | X | | | | |
-| [AllowEmailScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowemailscanning) | Allow or disallow scanning of email. | X | | | | |
-| [AllowFullScanOnMappedNetworkDrives](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanonmappednetworkdrives) | Allow or disallow a full scan of mapped network drives. | X | | | | |
-| [AllowFullScanRemovableDriveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanremovabledrivescanning) | Allow or disallow a full scan of removable drives. | X | | | | |
-| [AllowIntrusionPreventionSystem](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowintrusionpreventionsystem) | Allow or disallow Windows Defender Intrusion Prevention functionality. | X | | | | |
-| [AllowIOAVProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowioavprotection) | Allow or disallow Windows Defender IOAVP Protection functionality. | X | | | | |
-| [AllowOnAccessProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowonaccessprotection) | Allow or disallow Windows Defender On Access Protection functionality. | X | | | | |
-| [AllowRealtimeMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowrealtimemonitoring) | Allow or disallow Windows Defender Realtime Monitoring functionality. | X | | | | |
-| [AllowScanningNetworkFiles](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscanningnetworkfiles) | Allow or disallow scanning of network files. | X | | | | |
-| [AllowScriptScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscriptscanning) | Allow or disallow Windows Defender Script Scanning functionality. | X | | | | |
-| [AllowUserUIAccess](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowuseruiaccess) | Allow or disallow user access to the Windows Defender UI. | X | | | | |
-| [AvgCPULoadFactor](/windows/client-management/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defeder scan (in percent). | X | | | | |
-| [DaysToRetainCleanedMalware](/windows/client-management/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware) | Specify time period (in days) that quarantine items will be stored on the system. | X | | | | |
-| [ExcludedExtensions](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore durinng a scan. Separate each file type in the list by using \|. | X | | | | |
-| [ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|. | X | | | | |
-| [ExcludedProcesses](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore durinng a scan. Separate each file type in the list by using \|. The process itself is not excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | X | | | | |
-| [RealTimeScanDirection](/windows/client-management/mdm/policy-configuration-service-provider#defender-realtimescandirection) | Control which sets of files should be monitored. | X | | | | |
-| [ScanParameter](/windows/client-management/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | X | | | | |
-| [ScheduleQuickScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulequickscantime) | Specify the time of day that Windows Defender quick scan should run. | X | | | | |
-| [ScheduleScanDay](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescanday) | Select the day that Windows Defender scan should run. | X | | | | |
-| [ScheduleScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescantime) | Select the time of day that the Windows Defender scan should run. | X | | | | |
-| [SignatureUpdateInterval](/windows/client-management/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | X | | | | |
-| [SubmitSamplesConsent](/windows/client-management/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | X | | | | |
-| [ThreatSeverityDefaultAction](/windows/client-management/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | X | | | | |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: |
+| [AllowArchiveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. | ✔️ | | | |
+| [AllowBehaviorMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowbehaviormonitoring) | Allow or disallow Windows Defender Behavior Monitoring functionality. | ✔️ | | | |
+| [AllowCloudProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowcloudprotection) | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. | ✔️ | | | |
+| [AllowEmailScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowemailscanning) | Allow or disallow scanning of email. | ✔️ | | | |
+| [AllowFullScanOnMappedNetworkDrives](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanonmappednetworkdrives) | Allow or disallow a full scan of mapped network drives. | ✔️ | | | |
+| [AllowFullScanRemovableDriveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanremovabledrivescanning) | Allow or disallow a full scan of removable drives. | ✔️ | | | |
+| [AllowIntrusionPreventionSystem](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowintrusionpreventionsystem) | Allow or disallow Windows Defender Intrusion Prevention functionality. | ✔️ | | | |
+| [AllowIOAVProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowioavprotection) | Allow or disallow Windows Defender IOAVP Protection functionality. | ✔️ | | | |
+| [AllowOnAccessProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowonaccessprotection) | Allow or disallow Windows Defender On Access Protection functionality. | ✔️ | | | |
+| [AllowRealtimeMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowrealtimemonitoring) | Allow or disallow Windows Defender Realtime Monitoring functionality. | ✔️ | | | |
+| [AllowScanningNetworkFiles](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscanningnetworkfiles) | Allow or disallow scanning of network files. | ✔️ | | | |
+| [AllowScriptScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscriptscanning) | Allow or disallow Windows Defender Script Scanning functionality. | ✔️ | | | |
+| [AllowUserUIAccess](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowuseruiaccess) | Allow or disallow user access to the Windows Defender UI. | ✔️ | | | |
+| [AvgCPULoadFactor](/windows/client-management/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defender scan (in percent). | ✔️ | | | |
+| [DaysToRetainCleanedMalware](/windows/client-management/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware) | Specify time period (in days) that quarantine items will be stored on the system. | ✔️ | | | |
+| [ExcludedExtensions](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore during a scan. Separate each file type in the list by using \|. | ✔️ | | | |
+| [ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|. | ✔️ | | | |
+| [ExcludedProcesses](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore during a scan. Separate each file type in the list by using \|. The process itself is not excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | ✔️ | | | |
+| [RealTimeScanDirection](/windows/client-management/mdm/policy-configuration-service-provider#defender-realtimescandirection) | Control which sets of files should be monitored. | ✔️ | | | |
+| [ScanParameter](/windows/client-management/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | ✔️ | | | |
+| [ScheduleQuickScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulequickscantime) | Specify the time of day that Windows Defender quick scan should run. | ✔️ | | | |
+| [ScheduleScanDay](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescanday) | Select the day that Windows Defender scan should run. | ✔️ | | | |
+| [ScheduleScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescantime) | Select the time of day that the Windows Defender scan should run. | ✔️ | | | |
+| [SignatureUpdateInterval](/windows/client-management/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | ✔️ | | | |
+| [SubmitSamplesConsent](/windows/client-management/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | ✔️ | | | |
+| [ThreatSeverityDefaultAction](/windows/client-management/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | ✔️ | | | |
 ## DeliveryOptimization
-| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [DOAbsoluteMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doabsolutemaxcachesize) | Specify the maximum size in GB of Delivery Optimization cache. | X | | | | |
-| [DOAllowVPNPeerCaching](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doallowvpnpeercaching) | Specify whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. | X | | | | |
-| [DODelayBackgroundDownloadFromHttp](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelaybackgrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. | X | | | | |
-| [DODelayForegroundDownloadFromHttp](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelayforegrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. | X | | | | |
-| [DODownloadMode](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dodownloadmode) | Specify the download method that Delivery Optimization can use in downloads of Windows Updates, apps, and app updates. | X | | | | |
-| [DOGroupId](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupid) | Specify an arbitrary group ID that the device belongs to. | X | | | | |
-| [DOGroupIdSource](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupidsource) | Set this policy to restrict peer selection to a specific source | X | | | | |
-| [DOMaxCacheAge](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcacheage) | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | X | | | | |
-| [DOMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcachesize) | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | X | | | | |
-| [DOMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxdownloadbandwidth) | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. | X | | | | |
-| [DOMaxUploadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity usinng Delivery Optimization. | X | | | | |
-| [DOMinBackgroundQos](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbackgroundqos) | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. | X | | | | |
-| [DOMinBatteryPercentageAllowedToUpload](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbatterypercentageallowedtoupload) | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | X | | | | |
-| [DOMinDiskSizeAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capabity in GB) for the device to use Peer Caching. | X | | | | |
-| [DOMinFileSizeToCache](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominfilesizetocache) | Specify the minimum content file size in MB enabled to use Peer Caching. | X | | | | |
-| [DOMinRAMAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB requried to use Peer Caching. | X | | | | |
-| [DOModifyCacheDrive](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domodifycachedrive) | Specify the drive that Delivery Optimization should use for its cache. | X | | | | |
-| [DOMonthlyUploadDataCap](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. | X | | | | |
-| [DOPercentageMaxBackDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxbackgroundbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | |
-| [DOPercentageMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | |
-| [DOPercentageMaxForeDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxforegroundbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
| X | | | | | -| [DORestrictPeerSelectionBy](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dorestrictpeerselectionby) | Set this policy to restrict peer selection by the selected option. | X | | | | | -| [DOSetHoursToLimitBackgroundDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | X | | | | | -| [DOSetHoursToLimitForegroundDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | X | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [DOAbsoluteMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doabsolutemaxcachesize) | Specify the maximum size in GB of Delivery Optimization cache. | ✔️ | | | | +| [DOAllowVPNPeerCaching](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doallowvpnpeercaching) | Specify whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. | ✔️ | | | | +| [DODelayBackgroundDownloadFromHttp](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelaybackgrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. 
| ✔️ | | | | +| [DODelayForegroundDownloadFromHttp](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelayforegrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. | ✔️ | | | | +| [DODownloadMode](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dodownloadmode) | Specify the download method that Delivery Optimization can use in downloads of Windows Updates, apps, and app updates. | ✔️ | | | | +| [DOGroupId](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupid) | Specify an arbitrary group ID that the device belongs to. | ✔️ | | | | +| [DOGroupIdSource](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupidsource) | Set this policy to restrict peer selection to a specific source | ✔️ | | | | +| [DOMaxCacheAge](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcacheage) | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | ✔️ | | | | +| [DOMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcachesize) | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | ✔️ | | | | +| [DOMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxdownloadbandwidth) | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. 
| ✔️ | | | | +| [DOMaxUploadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity using Delivery Optimization. | ✔️ | | | | +| [DOMinBackgroundQos](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbackgroundqos) | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. | ✔️ | | | | +| [DOMinBatteryPercentageAllowedToUpload](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbatterypercentageallowedtoupload) | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | ✔️ | | | | +| [DOMinDiskSizeAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capacity in GB) for the device to use Peer Caching. | ✔️ | | | | +| [DOMinFileSizeToCache](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominfilesizetocache) | Specify the minimum content file size in MB enabled to use Peer Caching. | ✔️ | | | | +| [DOMinRAMAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB required to use Peer Caching. | ✔️ | | | | +| [DOModifyCacheDrive](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domodifycachedrive) | Specify the drive that Delivery Optimization should use for its cache. 
| ✔️ | | | | +| [DOMonthlyUploadDataCap](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. | ✔️ | | | | +| [DOPercentageMaxBackDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxbackgroundbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | +| [DOPercentageMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | +| [DOPercentageMaxForeDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxforegroundbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | +| [DORestrictPeerSelectionBy](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dorestrictpeerselectionby) | Set this policy to restrict peer selection by the selected option. | ✔️ | | | | +| [DOSetHoursToLimitBackgroundDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. 
| ✔️ | | | | +| [DOSetHoursToLimitForegroundDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | ## DeviceGuard -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -[EnableVirtualizationBasedSecurity](/windows/client-management/mdm/policy-csp-deviceguard) | Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. | X | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +[EnableVirtualizationBasedSecurity](/windows/client-management/mdm/policy-csp-deviceguard) | Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. | ✔️ | | | | ## DeviceLock -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowIdleReturnWithoutPassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowidlereturnwithoutpassword) | Specify whether the user must input a PIN or password when the device resumes from an idle state. | | X | | | | -| [AllowScreenTimeoutWhileLockedUserConfig](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowscreentimeoutwhilelockeduserconfig) | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. 
| | X | | | | -| [AllowSimpleDevicePassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | X | X | | X | | -|[AlphanumericDevicePasswordRequired](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required. | X | X | | X | | -| [DevicePasswordEnabled](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | X | X | | X | | -| [DevicePasswordExpiration](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). | X | X | | X | | -| [DevicePasswordHistory](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. | X | X | | X | | -| [MaxDevicePasswordFailedAttempts](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | X | X | | X | | -| [MaxInactivityTimeDeviceLock](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. 
| X | X | | X | | -| [MinDevicePasswordComplexCharacters](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. | X | X | | X | | -| [MinDevicePasswordLength](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | X | X | | X | | -| [ScreenTimeoutWhileLocked](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-screentimeoutwhilelocked) | Specify the duration in seconds for the screen timeout while on the lock screen. | | X | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowIdleReturnWithoutPassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowidlereturnwithoutpassword) | Specify whether the user must input a PIN or password when the device resumes from an idle state. | | | | | +| [AllowScreenTimeoutWhileLockedUserConfig](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowscreentimeoutwhilelockeduserconfig) | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. | | | | | +| [AllowSimpleDevicePassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | ✔️ | | ✔️ | | +|[AlphanumericDevicePasswordRequired](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required. 
| ✔️ | | ✔️ | | +| [DevicePasswordEnabled](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | ✔️ | | ✔️ | | +| [DevicePasswordExpiration](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). | ✔️ | | ✔️ | | +| [DevicePasswordHistory](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. | ✔️ | | ✔️ | | +| [MaxDevicePasswordFailedAttempts](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | ✔️ | | ✔️ | | +| [MaxInactivityTimeDeviceLock](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. | ✔️ | | ✔️ | | +| [MinDevicePasswordComplexCharacters](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. | ✔️ | | ✔️ | | +| [MinDevicePasswordLength](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | ✔️ | | ✔️ | | +| [ScreenTimeoutWhileLocked](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-screentimeoutwhilelocked) | Specify the duration in seconds for the screen timeout while on the lock screen. 
| | | | | ## DeviceManagement -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| DisableMDMEnrollment | Use this setting to prevent the device from enrolling in MDM. | X | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| DisableMDMEnrollment | Use this setting to prevent the device from enrolling in MDM. | ✔️ | | | | ## Experience -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowCopyPaste](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste is allowed. | | X | | | | -| [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | X | X | | X | | -| [AllowDeviceDiscovery](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | X | X | | | | -| [AllowFindMyDevice](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature. | X | X | | | | -| [AllowManualMDMUnenrollment](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | X | X | | X | | -| [AllowScreenCapture](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. 
| | X | | | | -| [AllowSIMErrorDialogPromptWhenNoSIM](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. | | X | | | | -| [AllowSyncMySettings](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | X | X | | | | -| [AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | X | | | | | -| [AllowTaskSwitcher](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. | | X | | | | -| [AllowThirdPartySuggestionsInWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | X | | | | | -| [AllowVoiceRecording](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. | | X | | | | -| [AllowWindowsConsumerFeatures](/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggetions, membership notifications, post-OOBE app install, and redirect tiles. | X | | | | | -| [AllowWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. 
| X | | | | | -| [AllowWindowsSpotlightOnActionCenter](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | X | | | | | -| [AllowWindowsSpotlightWindowsWelcomeExperience](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | X | | | | | -| [AllowWindowsTips](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. | X | | | | | -| [ConfigureWindowsSpotlightOnLockScreen](/windows/client-management/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. | X | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowCopyPaste](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste is allowed. | | | | | +| [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | ✔️ | | ✔️ | | +| [AllowDeviceDiscovery](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | ✔️ | | | | +| [AllowFindMyDevice](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature. 
| ✔️ | | | | +| [AllowManualMDMUnenrollment](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | ✔️ | | ✔️ | | +| [AllowScreenCapture](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | | | | +| [AllowSIMErrorDialogPromptWhenNoSIM](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. | | | | | +| [AllowSyncMySettings](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | ✔️ | | | | +| [AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | ✔️ | | | | +| [AllowTaskSwitcher](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. | | | | | +| [AllowThirdPartySuggestionsInWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | ✔️ | | | | +| [AllowVoiceRecording](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. 
| | | | | +| [AllowWindowsConsumerFeatures](/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggestions, membership notifications, post-OOBE app install, and redirect tiles. | ✔️ | | | | +| [AllowWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | ✔️ | | | | +| [AllowWindowsSpotlightOnActionCenter](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | ✔️ | | | | +| [AllowWindowsSpotlightWindowsWelcomeExperience](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | ✔️ | | | | +| [AllowWindowsTips](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. | ✔️ | | | | +| [ConfigureWindowsSpotlightOnLockScreen](/windows/client-management/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. | ✔️ | | | | ## ExploitGuard -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) | See the [explanation of ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) in the Policy CSP for instructions. 
In the **ExploitProtectionSettings** field, you can enter a path (local, UNC, or URI) to the mitigation options config, or you can enter the XML for the config. | X | X | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) | See the [explanation of ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) in the Policy CSP for instructions. In the **ExploitProtectionSettings** field, you can enter a path (local, UNC, or URI) to the mitigation options config, or you can enter the XML for the config. | ✔️ | | | | ## Games -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAdvancedGamingServices](/windows/client-management/mdm/policy-configuration-service-provider#games-allowadvancedgamingservices) | Currently not supported. | X | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAdvancedGamingServices](/windows/client-management/mdm/policy-configuration-service-provider#games-allowadvancedgamingservices) | Currently not supported. | ✔️ | | | | ## KioskBrowser These settings apply to the **Kiosk Browser** app available in Microsoft Store. For more information, see [Guidelines for web browsers](../guidelines-for-assigned-access-app.md#guidelines-for-web-browsers). -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -[BlockedUrlExceptions](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). 
This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | X | | | | | -[BlockedUrls](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. | X | | | | | -[DefaultURL](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart. | X | | | | | -[EnableEndSessionButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enableendsessionbutton) | Enable/disable kiosk browser's end session button. | X | | | | | -[EnableHomeButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button. | X | | | | | -[EnableNavigationButtons](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | X | | | | | -[RestartOnIdleTime](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-restartonidletime) | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. | X | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +|[BlockedUrlExceptions](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. 
| ✔️ | | | | +|[BlockedUrls](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. | ✔️ | | | | +|[DefaultURL](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart. | ✔️ | | | | +|[EnableEndSessionButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enableendsessionbutton) | Enable/disable kiosk browser's end session button. | ✔️ | | | | +|[EnableHomeButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button. | ✔️ | | | | +|[EnableNavigationButtons](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | ✔️ | | | | +|[RestartOnIdleTime](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-restartonidletime) | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. | ✔️ | | | | To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer: 
@@ -340,252 +340,253 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in ## LocalPoliciesSecurityOptions -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [InteractiveLogon_DoNotDisplayLastSignedIn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) | Specify whether the Windows sign-in screen will show the username of the last person who signed in. | X | | | | | -| [Shutdown_AllowSystemtobeShutDownWithoutHavingToLogOn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) | Specify whether a computer can be shut down without signing in. | X | | | | | -| [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) | Configure how an elevation prompt should behave for standard users. | X | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [InteractiveLogon_DoNotDisplayLastSignedIn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) | Specify whether the Windows sign-in screen will show the username of the last person who signed in. | ✔️ | | | | +| [Shutdown_AllowSystemtobeShutDownWithoutHavingToLogOn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) | Specify whether a computer can be shut down without signing in. 
| ✔️ | | | | +| [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) | Configure how an elevation prompt should behave for standard users. | ✔️ | | | | ## Location -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [EnableLocation](/windows/client-management/mdm/policy-configuration-service-provider#location-enablelocation) | Do not use. | | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [EnableLocation](/windows/client-management/mdm/policy-configuration-service-provider#location-enablelocation) | Do not use. | | | | | ## Power -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowStandbyStatesWhenSleepingOnBattery](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingonbattery) | Specify whether Windows can use standby states when putting the computer in a sleep state while on battery. | X | | | | | -| [AllowStandbyWhenSleepingPluggedIn](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingpluggedin) | Specify whether Windows can use standby states when putting the computer in a sleep state while plugged in. | X | | | | | -| [DisplayOffTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#displayofftimeoutonbattery) | Specify the period of inactivity before Windows turns off the display while on battery. | X | | | | | -| [DisplayOffTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#displayofftimeoutpluggedin) | Specify the period of inactivity before Windows turns off the display while plugged in. 
| X | | | | | -| [EnergySaverBatteryThresholdOnBattery](/windows/client-management/mdm/policy-csp-power#energysaverbatterythresholdonbattery) | Specify the battery charge level at which Energy Saver is turned on while on battery. | X | | | | | -| [EnergySaverBatteryThresholdPluggedIn](/windows/client-management/mdm/policy-csp-power#EnergySaverBatteryThresholdPluggedIn) | Specify the battery charge level at which Energy Saver is turned on while plugged in. | X | | | | | -| [HibernateTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to hibernate while on battery. | X | | | | | -| [HibernateTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to hibernate while plugged in. | X | | | | | -| [RequirePasswordWhenComputerWakesOnBattery](/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakesonbattery) | Specify whether the user is prompted for a password when the system resumes from sleep while on battery. | X | | | | | -| [RequirePasswordWhenComputerWakesPluggedIn](/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakespluggedin) | Specify whether the user is prompted for a password when the system resumes from sleep while plugged in. | X | | | | | -| [SelectLidCloseActionBattery](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on battery. | X | | | | | -| [SelectLidCloseActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on plugged in. 
| X | | | | | -| [SelectPowerButtonActionOnBattery](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactiononbattery) | Select the action to be taken when the user presses the power button while on battery. | X | | | | | -| [SelectPowerButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactionpluggedin) | Select the action to be taken when the user presses the power button while on plugged in. | X | | | | | -| [SelectSleepButtonActionOnBattery](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactiononbattery) | Select the action to be taken when the user presses the sleep button while on battery. | X | | | | | -| [SelectSleepButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactionpluggedin) | Select the action to be taken when the user presses the sleep button while plugged in. | X | | | | | -| [StandbyTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#StandbyTimeoutOnBattery) | Specify the period of inactivity before Windows transitions the system to sleep while on battery. | X | | | | | -| [StandbyTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep while plugged in. | X | | | | | -| [TurnOffHybridSleepOnBattery](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeponbattery) | Turn off hybrid sleep while on battery. | X | | | | | -| [TurnOffHybridSleepPluggedIn](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeppluggedin) | Turn off hybrid sleep while plugged in. | X | | | | | -| [UnattendedSleepTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while on battery. 
| X | | | | | -| [UnattendedSleepTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while plugged in. | X | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowStandbyStatesWhenSleepingOnBattery](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingonbattery) | Specify whether Windows can use standby states when putting the computer in a sleep state while on battery. | ✔️ | | | | +| [AllowStandbyWhenSleepingPluggedIn](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingpluggedin) | Specify whether Windows can use standby states when putting the computer in a sleep state while plugged in. | ✔️ | | | | +| [DisplayOffTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#displayofftimeoutonbattery) | Specify the period of inactivity before Windows turns off the display while on battery. | ✔️ | | | | +| [DisplayOffTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#displayofftimeoutpluggedin) | Specify the period of inactivity before Windows turns off the display while plugged in. | ✔️ | | | | +| [EnergySaverBatteryThresholdOnBattery](/windows/client-management/mdm/policy-csp-power#energysaverbatterythresholdonbattery) | Specify the battery charge level at which Energy Saver is turned on while on battery. | ✔️ | | | | +| [EnergySaverBatteryThresholdPluggedIn](/windows/client-management/mdm/policy-csp-power#EnergySaverBatteryThresholdPluggedIn) | Specify the battery charge level at which Energy Saver is turned on while plugged in. 
| ✔️ | | | | +| [HibernateTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to hibernate while on battery. | ✔️ | | | | +| [HibernateTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to hibernate while plugged in. | ✔️ | | | | +| [RequirePasswordWhenComputerWakesOnBattery](/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakesonbattery) | Specify whether the user is prompted for a password when the system resumes from sleep while on battery. | ✔️ | | | | +| [RequirePasswordWhenComputerWakesPluggedIn](/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakespluggedin) | Specify whether the user is prompted for a password when the system resumes from sleep while plugged in. | ✔️ | | | | +| [SelectLidCloseActionBattery](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on battery. | ✔️ | | | | +| [SelectLidCloseActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on plugged in. | ✔️ | | | | +| [SelectPowerButtonActionOnBattery](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactiononbattery) | Select the action to be taken when the user presses the power button while on battery. | ✔️ | | | | +| [SelectPowerButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactionpluggedin) | Select the action to be taken when the user presses the power button while on plugged in. 
| ✔️ | | | | +| [SelectSleepButtonActionOnBattery](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactiononbattery) | Select the action to be taken when the user presses the sleep button while on battery. | ✔️ | | | | +| [SelectSleepButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactionpluggedin) | Select the action to be taken when the user presses the sleep button while plugged in. | ✔️ | | | | +| [StandbyTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#StandbyTimeoutOnBattery) | Specify the period of inactivity before Windows transitions the system to sleep while on battery. | ✔️ | | | | +| [StandbyTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep while plugged in. | ✔️ | | | | +| [TurnOffHybridSleepOnBattery](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeponbattery) | Turn off hybrid sleep while on battery. | ✔️ | | | | +| [TurnOffHybridSleepPluggedIn](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeppluggedin) | Turn off hybrid sleep while plugged in. | ✔️ | | | | +| [UnattendedSleepTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while on battery. | ✔️ | | | | +| [UnattendedSleepTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while plugged in. 
| ✔️ | | | | ## Privacy -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAutoAcceptPairingAndPrivacyConsentPrompts](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowautoacceptpairingandprivacyconsentprompts) | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. | | X | | | | -| [AllowInputPersonalization](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. | X | X | | X | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAutoAcceptPairingAndPrivacyConsentPrompts](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowautoacceptpairingandprivacyconsentprompts) | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. | | | | | +| [AllowInputPersonalization](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. | ✔️ | | ✔️ | | ## Search -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -[AllowCloudSearch](/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch) | Allow search and Cortana to search cloud sources like OneDrive and SharePoint. T | X | X | | | | -[AllowCortanaInAAD](/windows/client-management/mdm/policy-csp-search#search-allowcortanainaad) | This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. 
| X | | | | | -| [AllowIndexingEncryptedStoresOrItems](/windows/client-management/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | X | X | | | | -| [AllowSearchToUseLocation](/windows/client-management/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | X | X | | X | | -| [AllowUsingDiacritics](/windows/client-management/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | X | X | | | | -| [AllowWindowsIndexer](/windows/client-management/mdm/policy-csp-search#search-allowwindowsindexer) | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To do this, it requires access to the file system and app data stores such as Outlook OST files.

                  - **Off** setting disables Windows indexer
                  - **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)
                  - **Enterprise** setting reduces potential network loads for enterprises
                  - **Standard** setting is appropriate for consuemrs | X | X | | | | -| [AlwaysUseAutoLangDetection](/windows/client-management/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. | X | X | | | | -| [DoNotUseWebResults](/windows/client-management/mdm/policy-configuration-service-provider#search-donotusewebresults) | Specify whether to allow Search to perform queries on the web. | X | X | | | | -| [DisableBackoff](/windows/client-management/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | X | X | | | | -| [DisableRemovableDriveIndexing](/windows/client-management/mdm/policy-configuration-service-provider#search-disableremovabledriveindexing) | Configure whether locations on removable drives can be added to libraries. | X | X | | | | -| [PreventIndexingLowDiskSpaceMB](/windows/client-management/mdm/policy-configuration-service-provider#search-preventindexinglowdiskspacemb) | Prevent indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. | X | X | | | | -| [PreventRemoteQueries](/windows/client-management/mdm/policy-configuration-service-provider#search-preventremotequeries) | If enabled, clients will be unable to query this device's index remotely. | X | X | | | | -| [SafeSearchPermissions](/windows/client-management/mdm/policy-configuration-service-provider#search-safesearchpermissions) | Specify the level of safe search (filtering adult content) required. | | X | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +[AllowCloudSearch](/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch) | Allow search and Cortana to search cloud sources like OneDrive and SharePoint. 
T | ✔️ | | | | +[AllowCortanaInAAD](/windows/client-management/mdm/policy-csp-search#search-allowcortanainaad) | This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. | ✔️ | | | | +| [AllowIndexingEncryptedStoresOrItems](/windows/client-management/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | ✔️ | | | | +| [AllowSearchToUseLocation](/windows/client-management/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | ✔️ | | ✔️ | | +| [AllowUsingDiacritics](/windows/client-management/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | ✔️ | | | | +| [AllowWindowsIndexer](/windows/client-management/mdm/policy-csp-search#search-allowwindowsindexer) | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To do this, it requires access to the file system and app data stores such as Outlook OST files.

                  - **Off** setting disables Windows indexer
                  - **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)
                  - **Enterprise** setting reduces potential network loads for enterprises
                  - **Standard** setting is appropriate for consumers | ✔️ | | | | +| [AlwaysUseAutoLangDetection](/windows/client-management/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. | ✔️ | | | | +| [DoNotUseWebResults](/windows/client-management/mdm/policy-configuration-service-provider#search-donotusewebresults) | Specify whether to allow Search to perform queries on the web. | ✔️ | | | | +| [DisableBackoff](/windows/client-management/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | ✔️ | | | | +| [DisableRemovableDriveIndexing](/windows/client-management/mdm/policy-configuration-service-provider#search-disableremovabledriveindexing) | Configure whether locations on removable drives can be added to libraries. | ✔️ | | | | +| [PreventIndexingLowDiskSpaceMB](/windows/client-management/mdm/policy-configuration-service-provider#search-preventindexinglowdiskspacemb) | Prevent indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. | ✔️ | | | | +| [PreventRemoteQueries](/windows/client-management/mdm/policy-configuration-service-provider#search-preventremotequeries) | If enabled, clients will be unable to query this device's index remotely. | ✔️ | | | | +| [SafeSearchPermissions](/windows/client-management/mdm/policy-configuration-service-provider#search-safesearchpermissions) | Specify the level of safe search (filtering adult content) required. 
| | | | | ## Security -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAddProvisioningPackage](/windows/client-management/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | X | X | X | | X | -| [AllowManualRootCertificateInstallation](/windows/client-management/mdm/policy-configuration-service-provider#security-allowmanualrootcertificateinstallation) | Specify whether the user is allowed to manually install root and intermediate CA certificates. | | X | | | | -| [AllowRemoveProvisioningPackage](/windows/client-management/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | X | X | X | | X | -| [AntiTheftMode](/windows/client-management/mdm/policy-configuration-service-provider#security-antitheftmode) | Allow or disallow Anti Theft Mode on the device. | | X | | | | -| [RequireDeviceEncryption](/windows/client-management/mdm/policy-configuration-service-provider#security-requiredeviceencryption) | Specify whether encryption is required. | X | X | X | X | X | -| [RequireProvisioningPackageSignature](/windows/client-management/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. | X | X | X | | X | -| [RequireRetrieveHealthCertificateOnBoot](/windows/client-management/mdm/policy-configuration-service-provider#security-requireretrievehealthcertificateonboot) | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. 
| X | X | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAddProvisioningPackage](/windows/client-management/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | ✔️ | ✔️ | | ✔️ | +| [AllowManualRootCertificateInstallation](/windows/client-management/mdm/policy-configuration-service-provider#security-allowmanualrootcertificateinstallation) | Specify whether the user is allowed to manually install root and intermediate CA certificates. | | | | | +| [AllowRemoveProvisioningPackage](/windows/client-management/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | ✔️ | ✔️ | | ✔️ | +| [AntiTheftMode](/windows/client-management/mdm/policy-configuration-service-provider#security-antitheftmode) | Allow or disallow Anti Theft Mode on the device. | | | | | +| [RequireDeviceEncryption](/windows/client-management/mdm/policy-configuration-service-provider#security-requiredeviceencryption) | Specify whether encryption is required. | ✔️ | ✔️ | ✔️ | ✔️ | +| [RequireProvisioningPackageSignature](/windows/client-management/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. | ✔️ | ✔️ | | ✔️ | +| [RequireRetrieveHealthCertificateOnBoot](/windows/client-management/mdm/policy-configuration-service-provider#security-requireretrievehealthcertificateonboot) | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. 
| ✔️ | | | | ## Settings -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAutoPlay](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowautoplay) | Allow the user to change AutoPlay settings. | | X | | | | -| [AllowDataSense](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | X | | | | -| [AllowVPN](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | X | | X | | -| [ConfigureTaskbarCalendar](/windows/client-management/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | X | | | | | -[PageVisiblityList](/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) | Allows IT admins to prevent specific pages in the System Settings app from being visible or accessible. Pages are identified by a shortened version of their already [published URIs](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference), which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. | X | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAutoPlay](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowautoplay) | Allow the user to change AutoPlay settings. 
| | | | | +| [AllowDataSense](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | | | | +| [AllowVPN](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | | ✔️ | | +| [ConfigureTaskbarCalendar](/windows/client-management/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | ✔️ | | | | +[PageVisiblityList](/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) | Allows IT admins to prevent specific pages in the System Settings app from being visible or accessible. Pages are identified by a shortened version of their already [published URIs](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference), which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. | ✔️ | | | | ## Start -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowPinnedFolderDocuments](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | Control the visibility of the Documents shortcut on the Start menu. | X | | | | | -| [AllowPinnedFolderDownloads](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | Control the visibility of the Downloadds shortcut on the Start menu. 
| X | | | | | -| [AllowPinnedFolderFileExplorer](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | Control the visibility of the File Explorer shortcut on the Start menu. | X | | | | | -| [AllowPinnedFolderHomeGroup](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | Control the visibility of the Home Group shortcut on the Start menu. | X | | | | | -| [AllowPinnedFolderMusic](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | Control the visibility of the Music shortcut on the Start menu. | X | | | | | -| [AllowPinnedFolderNetwork](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | Control the visibility of the Network shortcut on the Start menu. | X | | | | | -| [AllowPinnedFolderPersonalFolder](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | Control the visibility of the Personal Folder shortcut on the Start menu. | X | | | | | -| [AllowPinnedFolderPictures](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | Control the visibility of the Pictures shortcut on the Start menu. | X | | | | | -| [AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | Control the visibility of the Settings shortcut on the Start menu. | X | | | | | -| [AllowPinnedFolderVideos](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) |Control the visibility of the Videos shortcut on the Start menu. | X | | | | | -DisableContextMenus | Prevent context menus from being invoked in the Start menu. | X | | | | | -| [ForceStartSize](/windows/client-management/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | X | | | | | -| [HideAppList](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. 
| X | | | | | -| [HideChangeAccountSettings](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | X | | | | | -| [HideFrequentlyUsedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. | X | | | | | -| [HideHibernate](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | X | | | | | -| [HideLock](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | X | | | | | -| HidePeopleBar | Remove the people icon from the taskbar, as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. | X | | | | | -| [HidePowerButton](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | X | | | | | -| [HideRecentJumplists](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | X | | | | | -| [HideRecentlyAddedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | X | | | | | -| [HideRestart](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart) | Prevent **Restart** and **Update and restart** from appearing in the Power button. | X | | | | | -| [HideShutDown](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown) | Prevent **Shut down** and **Update and shut down** from appearing in the Power button. 
| X | | | | | -| [HideSignOut](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout) | Prevent **Sign out** from appearing in the user tile. | X | | | | | -| [HideSleep](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep) | Prevent **Sleep** from appearing in the Power button. | X | | | | | -| [HideSwitchAccount](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount) | Prevent **Switch account** from appearing in the user tile. | X | | | | | -| [HideUserTile](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile) | Hide the user tile. | X | | | | | -| [ImportEdgeAssets](/windows/client-management/mdm/policy-configuration-service-provider#start-importedgeassets) | Import Edge assets for secondary tiles. For more information, see [Add image for secondary Microsoft Edge tiles](../start-secondary-tiles.md). | X | | | | | -| [NoPinningToTaskbar](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar) | Prevent users from pinning and unpinning apps on the taskbar. | X | | | | | -| [StartLayout](/windows/client-management/mdm/policy-configuration-service-provider#start-startlayout) | Apply a custom Start layout. For more information, see [Customize Windows 10 Start and taskbar with provisioning packages](../customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) | X | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowPinnedFolderDocuments](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | Control the visibility of the Documents shortcut on the Start menu. | ✔️ | | | | +| [AllowPinnedFolderDownloads](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | Control the visibility of the Downloads shortcut on the Start menu. 
| ✔️ | | | |
+| [AllowPinnedFolderFileExplorer](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | Control the visibility of the File Explorer shortcut on the Start menu. | ✔️ | | | |
+| [AllowPinnedFolderHomeGroup](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | Control the visibility of the Home Group shortcut on the Start menu. | ✔️ | | | |
+| [AllowPinnedFolderMusic](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | Control the visibility of the Music shortcut on the Start menu. | ✔️ | | | |
+| [AllowPinnedFolderNetwork](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | Control the visibility of the Network shortcut on the Start menu. | ✔️ | | | |
+| [AllowPinnedFolderPersonalFolder](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | Control the visibility of the Personal Folder shortcut on the Start menu. | ✔️ | | | |
+| [AllowPinnedFolderPictures](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | Control the visibility of the Pictures shortcut on the Start menu. | ✔️ | | | |
+| [AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | Control the visibility of the Settings shortcut on the Start menu. | ✔️ | | | |
+| [AllowPinnedFolderVideos](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) |Control the visibility of the Videos shortcut on the Start menu. | ✔️ | | | |
+| DisableContextMenus | Prevent context menus from being invoked in the Start menu. | ✔️ | | | |
+| [ForceStartSize](/windows/client-management/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | ✔️ | | | |
+| [HideAppList](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list.
| ✔️ | | | |
+| [HideChangeAccountSettings](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | ✔️ | | | |
+| [HideFrequentlyUsedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. | ✔️ | | | |
+| [HideHibernate](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | ✔️ | | | |
+| [HideLock](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | ✔️ | | | |
+| HidePeopleBar | Remove the people icon from the taskbar, as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. | ✔️ | | | |
+| [HidePowerButton](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | ✔️ | | | |
+| [HideRecentJumplists](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | ✔️ | | | |
+| [HideRecentlyAddedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | ✔️ | | | |
+| [HideRestart](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart) | Prevent **Restart** and **Update and restart** from appearing in the Power button. | ✔️ | | | |
+| [HideShutDown](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown) | Prevent **Shut down** and **Update and shut down** from appearing in the Power button.
| ✔️ | | | | +| [HideSignOut](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout) | Prevent **Sign out** from appearing in the user tile. | ✔️ | | | | +| [HideSleep](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep) | Prevent **Sleep** from appearing in the Power button. | ✔️ | | | | +| [HideSwitchAccount](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount) | Prevent **Switch account** from appearing in the user tile. | ✔️ | | | | +| [HideUserTile](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile) | Hide the user tile. | ✔️ | | | | +| [ImportEdgeAssets](/windows/client-management/mdm/policy-configuration-service-provider#start-importedgeassets) | Import Edge assets for secondary tiles. For more information, see [Add image for secondary Microsoft Edge tiles](../start-secondary-tiles.md). | ✔️ | | | | +| [NoPinningToTaskbar](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar) | Prevent users from pinning and unpinning apps on the taskbar. | ✔️ | | | | +| [StartLayout](/windows/client-management/mdm/policy-configuration-service-provider#start-startlayout) | Apply a custom Start layout. For more information, see [Customize Windows 10 Start and taskbar with provisioning packages](../customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) | ✔️ | | | | ## System -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowBuildPreview](/windows/client-management/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. 
| X | X | | | |
-| [AllowEmbeddedMode](/windows/client-management/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | X | X | X | | X |
-| [AllowExperimentation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | X | X | | | |
-| [AllowLocation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | X | X | X | X | X |
-| [AllowStorageCard](/windows/client-management/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | X | X | X | | X |
-| [AllowTelemetry](/windows/client-management/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and usage data. | X | X | | X | |
-| [AllowUserToResetPhone](/windows/client-management/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | X | X | | | |
-ConfigureTelemetryOptInChangeNotification | This policy setting determines whether a device shows notifications about telemetry levels to people on first sign-in or when changes occur in Settings. | X | X | | | |
-ConfigureTelemetryOptInSettingsUx | This policy setting determines whether people can change their own telemetry levels in Settings | X | X | | | |
-| DisableDeviceDelete | Specify whether the delete diagnostic data is enabled in the Diagnostic & Feedback Settings page. | X | X | | | |
-| DisableDataDiagnosticViewer | Configure whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page.
| X | X | | | | -| [DisableOneDriveFileSync](/windows/client-management/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | X | | | | | -| [LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | X | X | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowBuildPreview](/windows/client-management/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. 
| ✔️ | | | |
+| [AllowEmbeddedMode](/windows/client-management/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | ✔️ | ✔️ | | ✔️ |
+| [AllowExperimentation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | ✔️ | | | |
+| [AllowLocation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [AllowStorageCard](/windows/client-management/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | ✔️ | ✔️ | | ✔️ |
+| [AllowTelemetry](/windows/client-management/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and usage data. | ✔️ | | ✔️ | |
+| [AllowUserToResetPhone](/windows/client-management/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | ✔️ | | | |
+ConfigureTelemetryOptInChangeNotification | This policy setting determines whether a device shows notifications about telemetry levels to people on first sign-in or when changes occur in Settings. | ✔️ | | | |
+ConfigureTelemetryOptInSettingsUx | This policy setting determines whether people can change their own telemetry levels in Settings | ✔️ | | | |
+| DisableDeviceDelete | Specify whether the delete diagnostic data is enabled in the Diagnostic & Feedback Settings page. | ✔️ | | | |
+| DisableDataDiagnosticViewer | Configure whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page.
| ✔️ | | | | +| [DisableOneDriveFileSync](/windows/client-management/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | ✔️ | | | | +| [LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | ✔️ | | | | ## TextInput -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowIMELogging](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimelogging) | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. 
| X | | | | |
-| [AllowIMENetworkAccess](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. | X | | | | |
-| [AllowInputPanel](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowinputpanel) | Disable the touch/handwriting keyboard. | X | | | | |
-| [AllowJapaneseIMESurrogatePairCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseimesurrogatepaircharacters) | Allow the Japanese IME surrogate pair characters. | X | | | | |
-| [AllowJapaneseIVSCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseivscharacters) | Allow Japanese Ideographic Variation Sequence (IVS) characters. | X | | | | |
-| [AllJapaneseNonPublishingStandardGlyph](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapanesenonpublishingstandardglyph) | All the Japanese non-publishing standard glyph. | X | | | | |
-| [AllowJapaneseUserDictionary](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | X | | | | |
-| [AllowKeyboardTextSuggestions](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | X | | | | |
-| [AllowLanguageFeaturesUninstall](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | X | | | | |
-| AllowUserInputsFromMiracastRecevier | Do not use.
Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | | | | | | -| [ExcludeJapaneseIMEExceptISO208](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | | -| [ExcludeJapaneseIMEExceptISO208andEUDC](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | | -| [ExcludeJapaneseIMEExceptShiftJIS](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowIMELogging](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimelogging) | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | ✔️ | | | | +| [AllowIMENetworkAccess](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. | ✔️ | | | | +| [AllowInputPanel](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowinputpanel) | Disable the touch/handwriting keyboard. 
| ✔️ | | | |
+| [AllowJapaneseIMESurrogatePairCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseimesurrogatepaircharacters) | Allow the Japanese IME surrogate pair characters. | ✔️ | | | |
+| [AllowJapaneseIVSCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseivscharacters) | Allow Japanese Ideographic Variation Sequence (IVS) characters. | ✔️ | | | |
+| [AllJapaneseNonPublishingStandardGlyph](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapanesenonpublishingstandardglyph) | All the Japanese non-publishing standard glyph. | ✔️ | | | |
+| [AllowJapaneseUserDictionary](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | ✔️ | | | |
+| [AllowKeyboardTextSuggestions](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | ✔️ | | | |
+| [AllowLanguageFeaturesUninstall](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | ✔️ | | | |
+| AllowUserInputsFromMiracastRecevier | Do not use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | | | | |
+| [ExcludeJapaneseIMEExceptISO208](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter.
| ✔️ | | | | +| [ExcludeJapaneseIMEExceptISO208andEUDC](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | | +| [ExcludeJapaneseIMEExceptShiftJIS](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | | ## TimeLanguageSettings -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowSet24HourClock](/windows/client-management/mdm/policy-configuration-service-provider#timelanguagesettings-allowset24hourclock) | Configure the default clock setting to be the 24 hour format. | | X | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowSet24HourClock](/windows/client-management/mdm/policy-configuration-service-provider#timelanguagesettings-allowset24hourclock) | Configure the default clock setting to be the 24 hour format. 
| | | | | ## Update -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------:|:---------------:|:-----------:|:--------:|:--------:| -| [ActiveHoursEnd](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X | | X | -| [ActiveHoursMaxRange](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | X | X | X | | X | -| [ActiveHoursStart](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | X | X | X | | X | -| [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X | -| [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork) | Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | X | X | X | | X | -| [AllowMUUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. 
| X | X | X | X | X |
-| [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | X | X | X | | X |
-| [AllowUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | X | X | X | X | X |
-| [AutoRestartDeadlinePeriodInDays](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | | X |
-| [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindaysforfeatureupdates) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | | X |
-| [AutoRestartNotificationSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | X | X | X | | X |
-| [AutoRestartRequiredNotificationDismissal](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | X | X | X | | X |
-| [BranchReadinessLevel](/windows/client-management/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from.
| X | X | X | X | X |
-| [DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | X | X | X | | X |
-| [DeferQualityUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | X | X | X | | X |
-| [DeferUpdatePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | X | X | X | X | X |
-| [DeferUpgradePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) | Specify upgrade delays for up to 8 months. | X | X | X | X | X |
-| [DetectionFrequency](/windows/client-management/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | X | X | X | X | X |
-| [DisableDualScan](/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Do not allow update deferral policies to cause scans against Windows Update. | X | X | X | | X |
-| [EngagedRestartDeadline](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | | X |
-| [EngagedRestartDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadlineforfeatureupdates) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | | X |
-| [EngagedRestartSnoozeSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications.
| X | X | X | | X | -| [EngagedRestartSnoozeScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozescheduleforfeatureupdates) | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | | X | -| [EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | | X | -| [EngagedRestartTransitionScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionscheduleforfeatureupdates) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | | X | -| [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | Exclude Windws Update (WU) drivers during quality updates. | X | | X | | X | -| [FillEmptyContentUrls](/windows/client-management/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | X | X | X | | X | -| ManagePreviewBuilds | Use to enable or disable preview builds. | X | X | X | X | X | -| PhoneUpdateRestrictions | Deprecated | | X | | | | -| [RequireDeferUpgrade](/windows/client-management/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | X | X | X | X | X | -| [ScheduledInstallDay](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. 
| X | X | X | X | X |
-| [ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) | To schedule update installation every week, set the value as `1`. | X | X | X | X | X |
-| [ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek) | To schedule update installation the first week of the month, see the value as `1`. | X | X | X | X | X |
-| [ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek) | To schedule update installation the fourth week of the month, see the value as `1`. | X | X | X | X | X |
-| [ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) | To schedule update installation the second week of the month, see the value as `1`. | X | X | X | X | X |
-| [ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) | To schedule update installation the third week of the month, see the value as `1`. | X | X | X | X | X |
-| [ScheduledInstallTime](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | X | X | X | X | X |
-| [ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | X | X | X | | X |
-| [ScheduleRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | X | X | X | | X |
-| [SetAutoRestartNotificationDisable](/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations.
| X | X | X | | X | -| [SetDisablePauseUXAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisablepauseuxaccess) | Disable access to scan Windows Update. | X | X | X | | X | -| [SetDisableUXWUAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisableuxwuaccess) | Disable the **Pause updates** feature. | X | X | X | | X | -| [SetEDURestart](/windows/client-management/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | X | X | X | | X | -| UpdateNotificationLevel | Specify whether to enable or disable Windows Update notifications, including restart warnings. | X | X | X | | X | -| [UpdateServiceUrl](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | X | X | X | X | X | -| [UpdateServiceUrlAlternate](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | X | X | X | X | X | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +|---------|-------------|:--------------:|:-----------:|:--------:|:--------:| +| [ActiveHoursEnd](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update reboots are not scheduled. | ✔️ | ✔️ | | ✔️ | +| [ActiveHoursMaxRange](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. 
| ✔️ | ✔️ | | ✔️ | +| [ActiveHoursStart](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | ✔️ | ✔️ | | ✔️ | +| [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork) | Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | ✔️ | ✔️ | | ✔️ | +| [AllowMUUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | ✔️ | ✔️ | | ✔️ | +| [AllowUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | ✔️ | ✔️ | ✔️ | ✔️ | +| [AutoRestartDeadlinePeriodInDays](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. 
| ✔️ | ✔️ | | ✔️ | +| [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindaysforfeatureupdates) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | ✔️ | ✔️ | | ✔️ | +| [AutoRestartNotificationSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | ✔️ | ✔️ | | ✔️ | +| [AutoRestartRequiredNotificationDismissal](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | ✔️ | ✔️ | | ✔️ | +| [BranchReadinessLevel](/windows/client-management/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | ✔️ | ✔️ | ✔️ | ✔️ | +| [DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | ✔️ | ✔️ | | ✔️ | +| [DeferQualityUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | ✔️ | ✔️ | | ✔️ | +| [DeferUpdatePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | ✔️ | ✔️ | ✔️ | ✔️ | +| [DeferUpgradePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) | Specify upgrade delays for up to 8 months. | ✔️ | ✔️ | ✔️ | ✔️ | +| [DetectionFrequency](/windows/client-management/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. 
| ✔️ | ✔️ | ✔️ | ✔️ | +| [DisableDualScan](/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Do not allow update deferral policies to cause scans against Windows Update. | ✔️ | ✔️ | | ✔️ | +| [EngagedRestartDeadline](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | ✔️ | ✔️ | | ✔️ | +| [EngagedRestartDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadlineforfeatureupdates) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | ✔️ | ✔️ | | ✔️ | +| [EngagedRestartSnoozeSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | ✔️ | ✔️ | | ✔️ | +| [EngagedRestartSnoozeScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozescheduleforfeatureupdates) | Specify the number of days a user can snooze Engaged restart reminder notifications. | ✔️ | ✔️ | | ✔️ | +| [EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✔️ | ✔️ | | ✔️ | +| [EngagedRestartTransitionScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionscheduleforfeatureupdates) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. 
| ✔️ | ✔️ | | ✔️ | +| [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | Exclude Windows Update (WU) drivers during quality updates. | ✔️ | ✔️ | | ✔️ | +| [FillEmptyContentUrls](/windows/client-management/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | ✔️ | ✔️ | | ✔️ | +| ManagePreviewBuilds | Use to enable or disable preview builds. | ✔️ | ✔️ | ✔️ | ✔️ | +| PhoneUpdateRestrictions | Deprecated | | ✔️ | | | +| [RequireDeferUpgrade](/windows/client-management/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallDay](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) | To schedule update installation every week, set the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek) | To schedule update installation the first week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek) | To schedule update installation the fourth week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) | To schedule update installation the second week of the month, see the value as `1`. 
| ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) | To schedule update installation the third week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallTime](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | ✔️ | ✔️ | | ✔️ | +| [ScheduleRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | ✔️ | ✔️ | | ✔️ | +| [SetAutoRestartNotificationDisable](/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | ✔️ | ✔️ | | ✔️ | +| [SetDisablePauseUXAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisablepauseuxaccess) | Disable access to scan Windows Update. | ✔️ | ✔️ | | ✔️ | +| [SetDisableUXWUAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisableuxwuaccess) | Disable the **Pause updates** feature. | ✔️ | ✔️ | | ✔️ | +| [SetEDURestart](/windows/client-management/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | ✔️ | ✔️ | | ✔️ | +| UpdateNotificationLevel | Specify whether to enable or disable Windows Update notifications, including restart warnings. 
| ✔️ | ✔️ | | ✔️ | +| [UpdateServiceUrl](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ | +| [UpdateServiceUrlAlternate](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ | ## WiFi -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAutoConnectToWiFiSenseHotspots](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowautoconnecttowifisensehotspots) | Allow the device to connect automatically to Wi-Fi hotspots. | X | X | | | | -| [AllowInternetSharing](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. | X | X | | | | -| [AllowManualWiFiConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowmanualwificonfiguration) | Allow connecting to Wi-Fi outside of MDM server-installed networks. | | X | | | | -| [AllowWiFi](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowwifi) | Allow Wi-Fi connections. | | X | | | | -| [WLANScanMode](/windows/client-management/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. 
| X | X | X | | X | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAutoConnectToWiFiSenseHotspots](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowautoconnecttowifisensehotspots) | Allow the device to connect automatically to Wi-Fi hotspots. | ✔️ | | | | +| [AllowInternetSharing](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. | ✔️ | | | | +| [AllowManualWiFiConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowmanualwificonfiguration) | Allow connecting to Wi-Fi outside of MDM server-installed networks. | | | | | +| [AllowWiFi](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowwifi) | Allow Wi-Fi connections. | | | | | +| [WLANScanMode](/windows/client-management/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | ✔️ | ✔️ | | ✔️ | ## WindowsInkWorkspace -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowSuggestedAppsInWindowsInkWorkspace](/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) | Show recommended app suggestions in the ink workspace. | X | | | | | -| [AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowwindowsinkworkspace) | Specify whether to allow the user to access the ink workspace. 
| X | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowSuggestedAppsInWindowsInkWorkspace](/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) | Show recommended app suggestions in the ink workspace. | ✔️ | | | | +| [AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowwindowsinkworkspace) | Specify whether to allow the user to access the ink workspace. | ✔️ | | | | ## WindowsLogon -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [HideFastUserSwitching](/windows/client-management/mdm/policy-configuration-service-provider#windowslogon-hidefastuserswitching) | Hide the **Switch account** button on the sign-in screen, Start, and the Task Manager. | X | | | | | + +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [HideFastUserSwitching](/windows/client-management/mdm/policy-configuration-service-provider#windowslogon-hidefastuserswitching) | Hide the **Switch account** button on the sign-in screen, Start, and the Task Manager. | ✔️ | | | | ## WirelessDisplay -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. 
If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | X | X | | | | \ No newline at end of file +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | ✔️ | | | | diff --git a/windows/configuration/wcd/wcd-privacy.md b/windows/configuration/wcd/wcd-privacy.md index a1941225e8..867728c6b3 100644 --- a/windows/configuration/wcd/wcd-privacy.md +++ b/windows/configuration/wcd/wcd-privacy.md @@ -17,9 +17,9 @@ Use **Privacy** to configure settings for app activation with voice. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | X | X | X | | X | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | ✔️ | | ✔️ | ## LetAppsActivateWithVoice @@ -27,4 +27,4 @@ Select between **User is in control**, **Force allow**, or **Force deny**. ## LetAppsActivateWithVoiceAboveLock -Select between **User is in control**, **Force allow**, or **Force deny**. \ No newline at end of file +Select between **User is in control**, **Force allow**, or **Force deny**. diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md index 991bd32799..dab5b939b7 100644 
--- a/windows/configuration/wcd/wcd-provisioningcommands.md
+++ b/windows/configuration/wcd/wcd-provisioningcommands.md
@@ -19,9 +19,9 @@ Use ProvisioningCommands settings to install Windows desktop applications using
 ## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | X | | | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✔️ | | | |
 For instructions on adding apps to provisioning packages, see [Provision PCs with apps](../provisioning-packages/provision-pcs-with-apps.md).
diff --git a/windows/configuration/wcd/wcd-rcspresence.md b/windows/configuration/wcd/wcd-rcspresence.md
deleted file mode 100644
index ddcb62bed7..0000000000
--- a/windows/configuration/wcd/wcd-rcspresence.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: RcsPresence (Windows 10)
-description: This section describes the RcsPresence settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.date: 04/30/2018
-ms.reviewer:
-manager: dansimp
----
-
-# RcsPresence (Windows Configuration Designer reference)
-
-Use these settings to configure RcsPresence.
-
-## Applies to
-
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | X | | | |
-
-Setting | Description
---- | ---
-BypassvideoCapabilities | Do not use.
-MaxWaitForCapabilitiesRequestInSeconds | Maximum number of seconds to wait for a Capabilities Request to complete.
-MinAvailabilityCacheInSeconds | Number of seconds to cache result of Capabilities Request per each number, to avoid excessive network requests.
-
-
diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md index b8dde5dc3f..3dd25e3954 100644 --- a/windows/configuration/wcd/wcd-sharedpc.md +++ b/windows/configuration/wcd/wcd-sharedpc.md @@ -20,9 +20,9 @@ Use SharedPC settings to optimize Windows 10 for shared use scenarios, such as t ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | X | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | | ## AccountManagement @@ -30,19 +30,19 @@ Use these settings to configure settings for accounts allowed on the shared PC. | Setting | Value | Description | | --- | --- | --- | -| AccountModel | - Only guest
                  - Domain-joined only
                  - Domain-joined and guest | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. Specifying the guest option will add the Guest option to the sign-in screen and enable anonymous guest access to the PC.

                  - Only guest allows anyone to use the PC as a local standard (non-admin) account.
                  - Domain-joined only allows users to sign in with an Active Directory or Azure AD account.
                  - Domain-joined and guest allows users to sign in with an Active Directory, Azure AD, or local standard account. | -| DeletionPolicy | - Delete immediately
                  - Delete at disk space threshold
                  - Delete at disk space threshold and inactive threshold | - Delete immediately will delete the account on sign-out.
                  - Delete at disk space threshold will start deleting accounts when available disk space falls below the threshold you set for DiskLevelDeletion, and it will stop deleting accounts when the available disk space reaches the threshold you set for DiskLevelCaching. Accounts are deleted in order of oldest accessed to most recently accessed.
                  - Delete at disk space threshold and inactive threshold will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by InactiveThreshold | +| AccountModel | - Only guest
                  - Domain-joined only
                  - Domain-joined and guest | This option controls how users can sign in on the PC. Choosing domain-joined will enable any user in the domain to sign in. Specifying the guest option will add the Guest option to the sign in screen and enable anonymous guest access to the PC.

                  - Only guest allows anyone to use the PC as a local standard (non-admin) account.
                  - Domain-joined only allows users to sign in with an Active Directory or Azure AD account.
                  - Domain-joined and guest allows users to sign in with an Active Directory, Azure AD, or local standard account. | +| DeletionPolicy | - Delete immediately
                  - Delete at disk space threshold
                  - Delete at disk space threshold and inactive threshold | - **Delete immediately** deletes the account on sign out.
                  - **Delete at disk space threshold** starts deleting accounts when available disk space falls below the threshold you set for `DiskLevelDeletion`. It stops deleting accounts when the available disk space reaches the threshold you set for `DiskLevelCaching`. Accounts are deleted in order of oldest accessed to most recently accessed.
                  - **Delete at disk space threshold and inactive threshold** applies the same disk space checks as noted above. It also deletes accounts if they haven't signed in within the number of days in `InactiveThreshold`. | | DiskLevelCaching | A number between 0 and 100 | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. | | DiskLevelDeletion | A number between 0 and 100 | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. | -| EnableAccountManager | True or false | Set as **True** to enable automatic account management. If this is not set to true, no automatic account management will be done. | -| InactiveThreshold | Number | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that has not signed in will be deleted. | -| KioskModeAUMID | String | Set an Application User Model ID (AUMID) to enable the kiosk account on the sign-in screen. A new account will be created and will use assigned access to only run the app specified by the AUMID. Note that the app must be installed on the PC. Set the name of the account using **KioskModeUserTileDisplayText**, or a default name will be used. [Find the Application User Model ID of an installed app](/previous-versions/windows/embedded/dn449300(v=winembedded.82)) | +| EnableAccountManager | True or false | Set as **True** to enable automatic account management. When set to **False**, no automatic account management will be done. | +| InactiveThreshold | Number | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that hasn't signed in will be deleted. 
| +| KioskModeAUMID | String | Set an Application User Model ID (AUMID) to enable the kiosk account on the sign in screen. A new account will be created and will use assigned access to only run the app specified by the AUMID. The app must be installed on the PC. Set the name of the account using **KioskModeUserTileDisplayText**, or a default name will be used. [Find the Application User Model ID of an installed app](/previous-versions/windows/embedded/dn449300(v=winembedded.82)) | | KioskModeUserTileDisplayText | String | Sets the display text on the kiosk account if **KioskModeAUMID** has been set. | ## EnableSharedPCMode -Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. This setting controls this API: [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings). +Set as **True**. When set to **False**, shared PC mode isn't turned on and none of the other settings apply. This setting controls this API: [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings). Some of the remaining settings in SharedPC are optional, but we strongly recommend that you also set **EnableAccountManager** to **True**. 
@@ -53,13 +53,13 @@ Use these settings to configure policies for shared PC mode. | Setting | Value | Description | | --- | --- | --- | | MaintenanceStartTime | A number between 0 and 1440 | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. | -| MaxPageFileSizeMB | A number between 1024 and 2048 | Adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs. | +| MaxPageFileSizeMB | A number between 1024 and 2048 | Adjusts the maximum page file size in MB. This setting can be used to fine-tune page file behavior, especially on low end PCs. | | RestrictLocalStorage | True or false | Set as **True** to restrict the user from saving or viewing local storage when using File Explorer. This setting controls this API: [ShouldAvoidLocalStorage](/uwp/api/windows.system.profile.sharedmodesettings) | | SetEduPolicies | True or false | Set to **True** for PCs that will be used in a school. For more information, see [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education). This setting controls this API: [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | -| SetPowerPolicies | True or false | When set as **True**:

                  - Prevents users from changing power settings
                  - Turns off hibernate
                  - Overrides all power state transitions to sleep (e.g. lid close) | +| SetPowerPolicies | True or false | When set as **True**:

                  - Prevents users from changing power settings
                  - Turns off hibernate
                  - Overrides all power state transitions to sleep, such as a lid close. | | SignInOnResume | True or false | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. | | SleepTimeout | Number | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. | -## Related topics +## Related articles - [Set up shared or guest PC](../set-up-shared-or-guest-pc.md) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-shell.md b/windows/configuration/wcd/wcd-shell.md deleted file mode 100644 index 459ec29c02..0000000000 --- a/windows/configuration/wcd/wcd-shell.md +++ /dev/null @@ -1,26 +0,0 @@ ---- -title: Shell (Windows 10) -description: This section describes the Shell settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.topic: article -ms.date: 09/06/2017 -ms.reviewer: -manager: dansimp ---- - -# Shell (Windows Configuration Designer reference) - -Do not use. Use [Start > StartLayout](wcd-start.md#startlayout) - -## Applies to - -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | X | | | | - - diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md index 3c80f2de84..ed3dbc5df6 100644 --- a/windows/configuration/wcd/wcd-smisettings.md +++ b/windows/configuration/wcd/wcd-smisettings.md 
@@ -19,21 +19,21 @@ Use SMISettings settings to customize the device with custom shell, suppress Win ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | X | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | | ## All settings in SMISettings -The following table describes the settings in SMISettings. Some settings have additional details in sections after the table. +The following table describes the settings in SMISettings. Some settings have more details in sections after the table. | Setting | Value | Description | | --- | --- | --- | -| AutoLogon | Enable
                  Domain name
                  Password
                  UserName | Allows automatic sign-in at startup so that the user does not need to enter a user name and password. | +| AutoLogon | Enable
                  Domain name
                  Password
                  UserName | Allows automatic sign-in at startup. Users don't need to enter a user name and password. | | BrandingNeutral | See [BrandingNeutral values](#brandingneutral-values) | Specifies which UI elements display on the Welcome screen. | -| CrashDumpEnabled | See [CrashDumpEnabled values](#crashdumpenabled-values) | Specifies the type of information to be saved in the event of a crash. | +| CrashDumpEnabled | See [CrashDumpEnabled values](#crashdumpenabled-values) | Specifies the type of information to be saved if there's a crash. | | DisableBootMenu | True or false | Disables the F8 and F10 keys during startup to prevent access to the **Advanced Startup Options** menu. | -| DisplayDisabled | True or false | Configures the device to display a blank screen when the OS encounters an error that it cannot recover from. | +| DisplayDisabled | True or false | Configures the device to display a blank screen if the OS has an error that it can't recover from. | | HideAllBootUI | True or false | Suppresses all Windows UI elements (logo, status indicator, and status message) during startup. | | HideAutologonUI | True or false | Hides the Welcome screen when automatic sign-in (AutoLogon) is enabled. | | HideBootLogo | True or false | Suppresses the default Windows logo that displays during the OS loading phase. | 
@@ -43,7 +43,7 @@ The following table describes the settings in SMISettings. Some settings have ad | KeyboardFilter | See [KeyboardFilter settings](#keyboardfilter-settings) | Use these settings to configure devices to suppress key presses or key combinations. | | NoLockScreen | True or false | Disables the lock screen functionality and UI elements | | ShellLauncher | See [ShellLauncher settings](#shelllauncher-settings) | Settings used to specify the application or executable to use as the default custom shell. | -| UIVerbosityLevel | Suppress or do not suppress | Disables the Windows status messages during device startup, sign-in, and shut down. | +| UIVerbosityLevel | Suppress or don't suppress | Disables the Windows status messages during device startup, sign-in, and shut down. | ## BrandingNeutral values 
@@ -58,11 +58,11 @@ The default value is **17**, which disables all Welcome screen UI elements and t | 4 | Disables the Language button | | 8 | Disables the Ease of access button | | 16 | Disables the Switch user button | -| 32 | Disables the blocked shutdown resolver (BSDR) screen so that restarting or shutting down the system causes the OS to immediately force close any applications that are blocking system shut down. No UI is displayed and users are not given a chance to cancel the shutdown process. This can result in a loss of data if any open applications have unsaved data. | +| 32 | Disables the blocked shutdown resolver (BSDR) screen. Restarting or shutting down the system causes the OS to immediately force close any applications that are blocking the system shutdown. No UI is displayed, and users aren't given a chance to cancel the shutdown process. This value can result in a loss of data if any open applications have unsaved data. | ## CrashDumpEnabled values -Contains an integer that specifies the type of information to capture in a dump (.dmp) file that is generated when the system stops unexpectedly. +If the system stops unexpectedly, choose the type of information to capture in a dump (.dmp) file. The .dmp file is typically saved in %SystemRoot% as Memory.dmp. @@ -71,22 +71,22 @@ Set CrashDumpEnabled to one of the following values: | Value | Description | | --- | --- | | 1 | Records all the contents of system memory. This dump file may contain data from processes that were running when the information was collected. | -| 2 | Records only the kernel memory. This dump file includes only memory that is allocated to the kernel, kernel-mode drivers, and other kernel-mode programs. It does not include unallocated memory or any memory that is allocated to user-mode programs.

                  For most purposes, this kind of dump file is the most useful because it is significantly smaller than the complete memory dump file, but it contains information that is most likely to have been involved in the issue.

                  If a second problem occurs, the dump file is overwritten with new information. | -| 3 | Records the smallest amount of useful information that may help identify why the device stopped unexpectedly. This type of dump file includes the following information:

                  - A list of loaded drivers

                  - The processor context (PRCB) for the processor that stopped

                  - The process information and kernel context (EPROCESS) for the process that stopped

                  - The process information and kernel context (ETHREAD) for the thread that stopped

                  - The kernel-mode call stack for the thread that stopped


                  This kind of dump file can be useful when space is limited. However, because of the limited information included, errors that were not directly caused by the thread that was running at the time of the problem may not be discovered by analyzing this file.

                  The date is encoded in the file name. If a second problem occurs, the previous file is preserved and the new file is given a distinct name. A list of all small memory dump files is kept in the %SystemRoot%\Minidump folder. | +| 2 | Records only the kernel memory. This dump file includes only memory that's allocated to the kernel, kernel-mode drivers, and other kernel-mode programs. It doesn't include unallocated memory, or any memory that's allocated to user-mode programs.

                  For most purposes, this kind of dump file is the most useful because it's smaller than the complete memory dump file. It also includes information that's most likely involved in the issue.

                  If a second problem occurs, the dump file is overwritten with new information. | +| 3 | Records the smallest amount of useful information that may help identify why the device stopped unexpectedly. This type of dump file includes the following information:

                  - A list of loaded drivers
                  - The processor context (PRCB) for the processor that stopped
                  - The process information and kernel context (EPROCESS) for the process that stopped
                  - The process information and kernel context (ETHREAD) for the thread that stopped
                  - The kernel-mode call stack for the thread that stopped

                  This dump file can be useful when space is limited. Because of the limited information, errors that aren't directly caused by the running thread at the time of the problem may not be discovered by analyzing this file.

                  The date is encoded in the file name. If a second problem occurs, the previous file is preserved and the new file is given a distinct name. A list of all small memory dump files is kept in the %SystemRoot%\Minidump folder. | | 4 | Records the smallest amount of useful information. This value produces the same results as entering a value of 3. | | 7 | Records only the kernel memory. This value produces the same results as entering a value of 2. This is the default value. | -| Any other value | Disables crash dump and does not record anything. | +| Any other value | Disables crash dump and doesn't record anything. | ## KeyboardFilter settings -You can use KeyboardFilter to suppress undesirable key presses or key combinations. KeyboardFilter works with physical keyboards, the Windows on-screen keyboard, and the touch keyboard. +Use these settings to suppress undesirable key presses or key combinations. KeyboardFilter works with physical keyboards, the Windows on-screen keyboard, and the touch keyboard. -When you **enable** KeyboardFilter, a number of other settings become available for configuration. +When you **enable** KeyboardFilter, many other settings become available for configuration. | Setting | Value | Description | | --- | --- | --- | -| CustomKeyFilters | Allow or block | Add your own key filters to meet any special requirements that you may have that are not included in the predefined key filters.

                  Enter a custom key combination in **CustomKeyFilter**, and then select it to allow or block it. The format to add custom filter combinations is "Alt+F9." This also appears as the CustomKey name, which is specified without "+". For more information, see [WEKF_CustomKey](/windows-hardware/customize/enterprise/wekf-customkey). | -| CustomScancodeFilters | Allow or block | Blocks the list of custom scan codes. When a key is pressed on a physical keyboard, the keyboard sends a scan code to the keyboard driver. The driver then sends the scan code to the OS and the OS converts the scan code into a virtual key based on the current active layout.

                  Enter a custom scancode in **CustomScancodeFilter**, and then select it to allow or block it. For more information, see [WEKF_Scancode](/windows-hardware/customize/enterprise/wekf-scancode). | +| CustomKeyFilters | Allow or block | Add your own key filters to meet any special requirements that aren't included in the predefined key filters.

                  Enter a custom key combination in **CustomKeyFilter**, and then select it to allow or block it. The format to add custom filter combinations is "Alt+F9." This also appears as the CustomKey name, which is specified without "+". For more information, see [WEKF_CustomKey](/windows-hardware/customize/enterprise/wekf-customkey). | +| CustomScancodeFilters | Allow or block | Blocks the list of custom scan codes. When a key is pressed on a physical keyboard, the keyboard sends a scan code to the keyboard driver. The driver then sends the scan code to the OS and the OS converts the scan code into a virtual key based on the current active layout.

                  Enter a custom scan code in **CustomScancodeFilter**, and then select it to allow or block it. For more information, see [WEKF_Scancode](/windows-hardware/customize/enterprise/wekf-scancode). | | DisableKeyboardFilterForAdministrators | True or false | Disables the keyboard filter for administrators. | | ForceOffAccessibility | True or false | Disables all Ease of Access features and prevents users from enabling them. | | PredefinedKeyFilters | Allow or block | Specifies the list of predefined keys. For each key, the value will default to **Allow**. Specifying **Block** will suppress the key combination. | 
@@ -107,7 +107,7 @@ You can also configure ShellLauncher to launch different shell applications for > >You cannot use ShellLauncher to launch a Windows app as a custom shell. However, you can use Windows 10 application launcher to launch a Windows app at startup. -ShellLauncher processes the Run and RunOnce registry keys before starting the custom shell, so your custom shell doesn't need to handle the automatic startup of other applications or services. ShellLauncher also handles the behavior of the system when your custom shell exits. You can configure the shell exit behavior if the default behavior does not meet your needs. +ShellLauncher processes the Run and RunOnce registry keys before starting the custom shell. So, your custom shell doesn't need to handle the automatic startup of other applications or services. ShellLauncher also handles the behavior of the system when your custom shell exits. You can configure the shell exit behavior if the default behavior doesn't meet your needs. >[!IMPORTANT] >A custom shell is launched with the same level of user rights as the account that is signed in. This means that a user with administrator rights can perform any system action that requires administrator rights, including launching other applications with administrator rights, while a user without administrator rights cannot. If your shell application requires administrator rights and needs to be elevated, and User Account Control (UAC) is present on your device, you must disable UAC in order for ShellLauncher to launch the shell application. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md index 743151817b..b5e9674a75 100644 --- a/windows/configuration/wcd/wcd-start.md +++ b/windows/configuration/wcd/wcd-start.md 
@@ -19,23 +19,14 @@ Use Start settings to apply a customized Start screen to devices.
 ## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| StartLayout | X | X | | | |
-| StartLayoutFilePath | | X | | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| StartLayout | ✔️ | | | |
 >[!IMPORTANT]
->The StartLayout setting is available in the advanced provisioning for Windows 10 desktop editions, but should only be used to apply a layout to Windows 10 Mobile devices. For desktop editions, use [Policies > StartLayout](wcd-policies.md#start).
+>The StartLayout setting is available in the advanced provisioning for Windows 10, but shouldn't be used. For Windows client, use [Policies > StartLayout](wcd-policies.md#start).
 ## StartLayout
 Use StartLayout to select the `LayoutModification.xml` file that applies a customized Start screen to a mobile device.
->[!NOTE]
->The XML file that defines the Start layout for Windows 10 Mobile must be named `LayoutModification.xml`.
-
-For more information, see [Start layout XML for mobile editions of Windows 10](../mobile-devices/lockdown-xml.md)).
-
-## StartLayoutFilePath
-
-Do not use.
diff --git a/windows/configuration/wcd/wcd-startupapp.md b/windows/configuration/wcd/wcd-startupapp.md
index 9516876a6d..49815cf169 100644
--- a/windows/configuration/wcd/wcd-startupapp.md
+++ b/windows/configuration/wcd/wcd-startupapp.md
@@ -19,8 +19,8 @@ Use StartupApp settings to configure the default app that will run on start for
 ## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| Default | | | | | X |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| Default | | | | ✔️ |
 Enter the [Application User Model ID (AUMID)](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the default app.
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-startupbackgroundtasks.md b/windows/configuration/wcd/wcd-startupbackgroundtasks.md
index 67662e4a93..7d169c131d 100644
--- a/windows/configuration/wcd/wcd-startupbackgroundtasks.md
+++ b/windows/configuration/wcd/wcd-startupbackgroundtasks.md
@@ -19,7 +19,7 @@ Documentation not available at this time.
 ## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | | | | X |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | | | | ✔️ |
diff --git a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
index a7cbdabebe..d48b954521 100644
--- a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
+++ b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
@@ -13,12 +13,15 @@ manager: dansimp
 # StorageD3InModernStandby (Windows Configuration Designer reference)
-Use **StorageD3InModernStandby** to enable or disable low power state (D3) during standby. When this setting is configured to **Enable Storage Device D3**, SATA and NVMe devices will be able to enter the D3 state when the system transits to modern standby state, if they are using a Microsoft inbox driver such as StorAHCI, StorNVMe.
+Use **StorageD3InModernStandby** to enable or disable low-power state (D3) during standby. When set to **Enable Storage Device D3**, SATA and NVMe devices can enter the D3 state when:
+
+- The system transits to modern standby state.
+- If they're using a Microsoft inbox driver such as StorAHCI, StorNVMe
 [Learn more about device power states.](/windows-hardware/drivers/kernel/device-power-states)
 ## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | X | X | X | | X |
\ No newline at end of file
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✔️ | ✔️ | | ✔️ |
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-surfacehubmanagement.md b/windows/configuration/wcd/wcd-surfacehubmanagement.md
index 31a54a9d24..edf2a819ed 100644
--- a/windows/configuration/wcd/wcd-surfacehubmanagement.md
+++ b/windows/configuration/wcd/wcd-surfacehubmanagement.md
@@ -24,9 +24,9 @@ Use SurfaceHubManagement settings to set the administrator group that will manag
 ## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | | X | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | | ✔️ | | |
 ## GroupName
diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md
index 09cd2e5d37..e97c3ebf6e 100644
--- a/windows/configuration/wcd/wcd-tabletmode.md
+++ b/windows/configuration/wcd/wcd-tabletmode.md
@@ -19,9 +19,9 @@ Use TabletMode to configure settings related to tablet mode.
 ## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | X | X | X | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✔️ | ✔️ | | |
 ## ConvertibleSlateModePromptPreference
diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md
index b7d826ac98..f9f3708a13 100644
--- a/windows/configuration/wcd/wcd-takeatest.md
+++ b/windows/configuration/wcd/wcd-takeatest.md
@@ -19,13 +19,13 @@ Use TakeATest to configure the Take A Test app, a secure browser for test-taking
 ## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | X | | | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✔️ | | | |
 ## AllowScreenMonitoring
-When set to True, students are able to record and take screen captures in the Take A Test app.
+When set to True, students can record and take screen captures in the Take A Test app.
 ## AllowTextSuggestions
@@ -43,9 +43,8 @@ When set to True, students can print in the Take A Test app. Enter the account to use when taking a test. -To specify a domain account, enter **domain\user**. To specify an AAD account, enter username@tenant.com. To specify a local account, enter the username. +To specify a domain account, enter **domain\user**. To specify an Azure AD account, enter `username@tenant.com`. To specify a local account, enter the username. - -## Related topics +## Related articles - [SecureAssessment configuration service provider (CSP)](/windows/client-management/mdm/secureassessment-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-textinput.md b/windows/configuration/wcd/wcd-textinput.md deleted file mode 100644 index c5508b901f..0000000000 --- a/windows/configuration/wcd/wcd-textinput.md +++ /dev/null 
@@ -1,209 +0,0 @@ ---- -title: TextInput (Windows 10) -description: This section describes the TextInput settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.topic: article -ms.date: 09/15/2017 -ms.reviewer: -manager: dansimp ---- - -# TextInput (Windows Configuration Designer reference) - -Use TextInput settings to configure text intelligence and keyboard for mobile devices. - -## Applies to - -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| Intelligence > DisablePredictions | | X | | | | -| PreEnabledKeyboard | | X | | | | - -## Intelligence - -Set **DisablePredictions** to the locale or alternative input language that must have the text intelligence features disabled. For example, to disable text correction and suggestions for English (UK), set the value of **DisablePredictions** to `en-gb`. - -## PreEnabledKeyboard - -In addition to the automatically-enabled default keyboard, OEMs may choose to pre-enable more keyboards for a particular market. - -During phone bring-up, OEMs must set the boot locale, or default locale, for the phone. During first boot, Windows Phone reads the locale setting and automatically enables a default keyboard based on the locale to keyboard mapping table in Set languages and locales. - -The mapping works for almost all regions and additional customizations are not needed unless specified in the pre-enabled keyboard column in Set languages and locales. If an OEM chooses to pre-enable more keyboards for a particular market, they can do so by specifying the setting. Pre-enabled keyboards will automatically be enabled during boot. 
Microsoft recommends that partners limit the number of pre-enabled keyboards to those languages that correspond to the languages spoken within the market. - - -PreEnabledKeyboard must be entered once for each keyboard you want to pre-enable. As shown below, the format to specify a particular keyboard must be: Locale code.Locale value. See the following table for more information on the locale codes and values that you can use. The setting Value must be set to 1 to enable the keyboard. - -The following table shows the values that you can use for the Locale code.Locale value part of the setting name. - ->[!NOTE] ->The keyboards for some locales require additional language model files: am-ET, bn-IN, gu-IN, hi-IN, ja-JP, kn-IN, ko-KR, ml-IN, mr-IN, my-MM, or-IN, pa-IN, si-LK, ta-IN, te-IN, zh-TW, zh-CN, and zh-HK. - - -Name | Locale code | Keyboard layout value ---- | --- | --- -Afrikaans (South Africa) | af-ZA | 1 -Albanian | sq-AL | 1 -Amharic | am-ET | 1 -Arabic | ar-SA | 1 -Armenian | hy-AM | 1 -Assamese - INSCRIPT | as-IN | 1 -Azerbaijani (Cyrillic) | az-Cyrl-AZ | 1 -Azerbaijani (Latin) | az-Latn-AZ | 1 -Bangla (Bangladesh) - 49 key | bn-BD | 1 -Bangla (India) - INSCRIPT |bn-IN|1 -Bangla (India) - Phonetic|bn-IN|2 -Bashkir|ba-RU|1 -Basque|eu-ES|1 -Belarusian|be-BY|1 -Bosnian (Cyrillic)|bs-Cyrl-BA|1 -Bosnian (Latin)|bs-Latn-BA|1 -Bulgarian|bg-BG|1 -Catalan|ca-ES|1 -Central Kurdish|ku-Arab-IQ|1 -Cherokee|chr-Cher-US|1 -Chinese Simplified QWERTY|zh-CN|1 -Chinese Simplified - 12-key|zh-CN|2 -Chinese Simplified - Handwriting|zh-CN|3 -Chinese Simplified - Stroke|zh-CN|4 -Chinese Traditional (Hong Kong SAR) - Cangjie|zh-HK|1 -Chinese Traditional (Hong Kong SAR) - Quick|zh-HK|2 -Chinese Traditional (Hong Kong SAR) - Stroke|zh-HK|3 -Chinese Traditional (Taiwan) - BoPoMoFo|zh-TW|1 -Chinese Traditional (Taiwan) - Handwriting|zh-TW|2 -Croatian|hr-HR|1 -Czech|cs-CZ|1 -Danish|da-DK|1 -Divehi|dv-MV|1 -Dutch (Belgium)|nl-BE|1 -Dutch (Netherlands)|nl-NL|1 -Dzongkha|dz-BT|1 
-English (Australia)|en-AU|1 -English (Canada)|en-CA|1 -English (India)|en-IN|1 -English (Ireland)|en-IE|1 -English (United Kingdom)|en-GB|1 -English (United States)|en-US|1 -Estonian|et-EE|1 -Faroese|fo-FO|1 -Filipino|fil-PH|1 -Finnish|fi-FI|1 -French (Belgium)|fr-BE|1 -French (Canada)|fr-CA|1 -French (France)|fr-FR|1 -French (Switzerland)|fr-CH|1 -Galician|gl-ES|1 -Georgian|ka-GE|1 -German (Germany)|de-DE|1 -German (Switzerland)|de-CH|1 -Greek|el-GR|1 -Greenlandic|kl-GL|1 -Guarani|gn-PY|1 -Gujarati - INSCRIPT|gu-IN|1 -Gujarati - Phonetic|gu-IN|2 -Hausa|ha-Latn-NG|1 -Hebrew|he-IL|1 -Hindi - 37-key|hi-IN|1 -Hindi - INSCRIPT|hi-IN|3 -Hindi - Phonetic|hi-IN|2 -Hinglish|hi-Latn|1 -Hungarian|hu-HU|1 -Icelandic|is-IS|1 -Igbo|ig-NG|1 -Indonesian|id-ID|1 -Inuktitut - Latin|iu-Latn-CA|1 -Irish|ga-IE|1 -Italian|it-IT|1 -Japanese - 12-key|ja-JP|1 -Japanese - QWERTY|ja-JP|2 -Kannada - INSCRIPT|kn-IN|1 -Kannada - Phonetic|kn-IN|2 -Kazakh|kk-KZ|1 -Khmer|km-KH|1 -Kinyarwanda|rw-RW|1 -Kiswahili|sw-KE|1 -Konkani|kok-IN|1 -Korean - 12-key Chunjiin|ko-KR|2 -Korean - 12-key Naratgeul|ko-KR|3 -Korean - 12-key Sky|ko-KR|4 -Korean - QWERTY|ko-KR|1 -Kyrgyz|ky-KG|1 -Lao|lo-LA|1 -Latvian|lv-LV|1 -Lithuanian|lt-LT|1 -Luxembourgish|lb-LU|1 -Macedonian|mk-MK|1 -Malay (Brunei Darussalam)|ms-BN|1 -Malay (Malaysia)|ms-MY|1 -Malayalam - INSCRIPT|ml-IN|1 -Malayalam - Phonetic|ml-IN|2 -Maltese|mt-MT|1 -Maori|mi-NZ|1 -Marathi - INSCRIPT|mr-IN|1 -Marathi - Phonetic|mr-IN|2 -Mongolian - Cyrillic|mn-MN|1 -Mongolian - Traditional Mongolian|mn-Mong-CN|1 -Myanmar|my-MM|1 -Nepali|ne-NP|1 -Norwegian - Bokmal|nb-NO|1 -Norwegian - Nynorsk|ny-NO|1 -Odia - INSCRIPT|or-IN|1 -Odia - Phonetic|or-IN|2 -Pashto|ps-AF|1 -Persian|fa-IR|1 -Polish|pl-PL|1 -Portuguese (Brazil)|pt-BR|1 -Portuguese (Portugal)|pt-PT|1 -Punjabi - INSCRIPT|pa-IN|1 -Punjabi - Phonetic|pa-IN|2 -Romanian|ro-RO|1 -Romansh|rm-CH|1 -Russian|ru-RU|1 -Sakha|sah-RU|1 -Sami, Northern (Norway)|se-NO|1 -Sami, Northern (Sweden)|se-NO|1 -Scottish 
Gaelic|gd-GB|1 -Serbian - Cyrillic|sr-Cyrl-RS|1 -Serbian - Latin|sr-Latn-RS|1 -Sesotho sa Leboa|nso-ZA|1 -Setswana|tn-ZA|1 -Sinhala|si-LK|1 -Slovak|sk-SK|1 -Slovenian|sl-SI|1 -Sorbian, Upper|hsb-DE|1 -Spanish (Mexico)|es-MX|1 -Spanish (Spain)|es-ES|1 -Swedish|sv-SE|1 -Syriac|syr-SY|1 -Tajik|tg-Cyrl-TJ|1 -Tamazight (Central Atlas) - Tifinagh|tzm-Tfng-MA|1 -Tamazight (Central Atlas) - Latin|tzm-Latn-DZ|1 -Tamil - INSCRIPT|ta-IN|1 -Tamil - Phonetic|ta-IN|2 -Tatar|tt-RU|1 -Telugu - INSCRIPT|te-IN|1 -Telugu - Phonetic|te-IN|2 -Thai|th-TH|1 -Tibetan|bo-CN|1 -Turkish|tr-TR|1 -Turkmen|tk-TM|1 -Ukrainian|uk-UA|1 -Urdu|ur-PK|1 -Uyghur|ug-CN|1 -Uzbek - Cyrillic|uz-Cyrl-UZ|1 -Uzbek - Latin|uz-Latn-UZ|1 -Valencian|ca-ES-valencia|1 -Vietnamese - QWERTY|vi-VN|1 -Vietnamese - TELEX|vi-VN|2 -Vietnamese - VNI|vi-VN|3 -Welsh|cy-GB|1 -Wolof|N/A|1 -Xhosa|xh-ZA|1 -Yoruba|yo-NG|1 -Zulu|zu-ZA|1 - diff --git a/windows/configuration/wcd/wcd-theme.md b/windows/configuration/wcd/wcd-theme.md deleted file mode 100644 index 7dc40af968..0000000000 --- a/windows/configuration/wcd/wcd-theme.md +++ /dev/null 
@@ -1,37 +0,0 @@
----
-title: Theme (Windows 10)
-description: This section describes the Theme settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.topic: article
-ms.reviewer:
-manager: dansimp
----
-
-# Theme (reference)
-
-Use Theme to configure accent and background colors on Windows 10 Mobile.
-
-## Applies to
-
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | X | | | |
-
-## DefaultAccentColor
-
-In the dropdown menu for DefaultAccentColor, select from the list of colors. The accent color is used for the background of the start tiles, some text, the progress indicator, the user’s My Phone web site, and so on.
-
-
-## DefaultBackgroundColor
-
-Select between **Light** and **Dark** for theme.
-
-
-## Related topics
-
-- [Themes and accent colors](/previous-versions//dn772323(v=vs.85))
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md
index 6294abea3e..259df9fdd1 100644
--- a/windows/configuration/wcd/wcd-time.md
+++ b/windows/configuration/wcd/wcd-time.md
@@ -17,9 +17,9 @@ Use **Time** to configure settings for time zone setup for Windows 10, version (
 ## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [ProvisionSetTimeZone](#provisionsettimezone) | X | | | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [ProvisionSetTimeZone](#provisionsettimezone) | ✔️ | | | |
 ## ProvisionSetTimeZone
diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md
index c4e5aebefe..c5586d1c3a 100644
--- a/windows/configuration/wcd/wcd-unifiedwritefilter.md
+++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md
@@ -15,14 +15,22 @@ manager: dansimp # UnifiedWriteFilter (reference) -Use UnifiedWriteFilter to configure settings for the Unified Write Filter (UWF) in your device to help protect your physical storage media, including most standard writable storage types that are supported by the OS, such as physical hard disks, solidate-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writeable volume. +Use UnifiedWriteFilter to configure settings for the Unified Write Filter (UWF). It helps protect your physical storage media, including most standard writable storage types that are supported by the OS, such as: + +- Physical hard disks +- Solidate-state drives +- Internal USB devices +- External SATA devices +- And so on + +You can also use UWF to make read-only media appear to the OS as a writeable volume. >[!IMPORTANT] ->You cannot use UWF to protect external USB devices or flash drives. +>You can't use UWF to protect external USB devices or flash drives. -UWF intercepts all write attempts to a protected volume and redirects those write attempts to a virtual overlay. This improves the reliability and stability of your device and reduces the wear on write-sensitive media, such as flash memory media like solid-state drives. +UWF intercepts all write attempts to a protected volume and redirects these write attempts to a virtual overlay. This feature improves the reliability and stability of your device. It also reduces the wear on write-sensitive media, such as flash memory media like solid-state drives. -The overlay does not mirror the entire volume, but dynamically grows to keep track of redirected writes. Generally the overlay is stored in system memory, although you can cache a portion of the overlay on a physical volume. +The overlay doesn't mirror the entire volume. It dynamically grows to keep track of redirected writes. Generally, the overlay is stored in system memory. 
You can cache a portion of the overlay on a physical volume. >[!NOTE] >UWF fully supports the NTFS system; however, during device startup, NTFS file system journal files can write to a protected volume before UWF has loaded and started protecting the volume. @@ -32,9 +40,9 @@ The overlay does not mirror the entire volume, but dynamically grows to keep tra ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | X | | | | X | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | ✔️ | ## FilterEnabled @@ -42,9 +50,9 @@ Set to **True** to enable UWF. ## OverlayFlags -OverlayFlags specifies whether to allow writes to unused space on the volume to pass through, and not be redirected to the overlay file. Enabling this setting helps conserve space on the overlay file. +OverlayFlags specifies whether to allow writes to unused space on the volume to pass through, and not redirect to the overlay file. Enabling this setting helps conserve space on the overlay file. -- Value `0` (default value when [OverlayType](#overlaytype) is not **Disk**): writes are redirected to the overlay file +- Value `0` (default value when [OverlayType](#overlaytype) isn't **Disk**): writes are redirected to the overlay file - Value `1`(default value when [OverlayType](#overlaytype) is **Disk**): writes to unused space on the volume are allowed to pass through without being redirected to the overlay file. ## OverlaySize 
@@ -60,7 +68,7 @@ OverlayType specifies where the overlay is stored. Select between **RAM** (defau ## RegistryExclusions -You can add or remove registry entries that will be excluded from UWF filtering. When a registry key is in the exclusion list, all writes to that registry key bypass UWF filtering and are written directly to the registry and persist after the device restarts. +You can add or remove registry entries that will be excluded from UWF filtering. When a registry key is in the exclusion list, all writes to that registry key bypass UWF filtering. They're written directly to the registry and persist after the device restarts. Use **Add** to add a registry entry to the exclusion list after you restart the device. diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md index f935eeb700..0822937da4 100644 --- a/windows/configuration/wcd/wcd-universalappinstall.md +++ b/windows/configuration/wcd/wcd-universalappinstall.md 
@@ -22,17 +22,17 @@ Use UniversalAppInstall settings to install Windows apps from the Microsoft Stor
 ## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [DeviceContextApp](#devicecontextapp) | X | | X | | |
-| [DeviceContextAppLicense](#devicecontextapplicense) | X | | X | | |
-| [StoreInstall](#storeinstall) | X | X | X | | X |
-| [UserContextApp](#usercontextapp) | X | X | X | | X |
-| [UserContextAppLicense](#usercontextapplicense) | X | X | X | | X |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [DeviceContextApp](#devicecontextapp) | ✔️ | ✔️ | | |
+| [DeviceContextAppLicense](#devicecontextapplicense) | ✔️ | ✔️ | | |
+| [StoreInstall](#storeinstall) | ✔️ | ✔️ | | ✔️ |
+| [UserContextApp](#usercontextapp) | ✔️ | ✔️ | | ✔️ |
+| [UserContextAppLicense](#usercontextapplicense) | ✔️ | ✔️ | | ✔️ |
 ## DeviceContextApp
-Enter an app package family name to install an app for all users of the device. You can use the [Get-AppxPackage cmdlet](/powershell/module/appx/get-appxpackage) to get the package family name for an installed app.
+Enter an app package family name to install an app for all device users. You can use the [Get-AppxPackage cmdlet](/powershell/module/appx/get-appxpackage) to get the package family name for an installed app.
 >[!NOTE]
 >For XAP files, enter the product ID.
@@ -41,11 +41,11 @@ For each app that you add to the package, configure the settings in the followin | Setting | Value | Description | | --- | --- | --- | -| ApplicationFile | .appx or .appxbundle | Set the value to the app file that you want to install on the device. In addition, you must also enable the [AllowAllTrustedApps setting](wcd-policies.md#applicationmanagement) and add a root certificate or license file. | -| DependencyAppxFiles | any required frameworks | In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. | -| DeploymentOptions | - None
                  -Force application shutdown: If this package, or any package that depends on this package, is currently in use, the processes associated with the package are shut down forcibly so that registration can continue
                  - Development mode: do not use
                  - Install all resources: When you set ths option, the app is instructed to skip resource applicability checks.
                  - Force target application shutdown: If this package is currently in use, the processes associated with the package are shut down forcibly so that registration can continue | Select a deployment option. | -| LaunchAppAtLogin | - Do not launch app
                  - Launch app | Set the value for app behavior when a user signs in. | -| OptionalPackageFiles | additional files required by the package | Browse to, select, and add the optional package files. | +| ApplicationFile | `.appx` or `.appxbundle` | Set the value to the app file that you want to install on the device. Also enable the [AllowAllTrustedApps setting](wcd-policies.md#applicationmanagement) and add a root certificate or license file. | +| DependencyAppxFiles | Any required frameworks | In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. | +| DeploymentOptions | - None
                  -Force application shutdown: If this package, or any package that depends on this package is currently in use, then the processes associated with the package are forcibly shut down. The registration can continue.
                  - Development mode: Don't use.
                  - Install all resources: When you set this option, the app is instructed to skip resource applicability checks.
                  - Force target application shutdown: If this package is currently in use, the processes associated with the package are shut down forcibly so that registration can continue | Select a deployment option. | +| LaunchAppAtLogin | - Don't launch app
                  - Launch app | Set the value for app behavior when a user signs in. | +| OptionalPackageFiles | Additional files required by the package | Browse to, select, and add the optional package files. | For more information on deployment options, see [DeploymentOptions Enum](/uwp/api/windows.management.deployment.deploymentoptions). @@ -53,7 +53,7 @@ For more information on deployment options, see [DeploymentOptions Enum](/uwp/ap Use to specify the license file for the provisioned app. -1. Specify a **LicenseProductId** for the app. You can find the license ID in the root header of the license file. Here is an example, `LicenseID="aaaaaaaa-dddd-8848-f8d0-7d6a93dfcccc"`. Enter it in the LicenseProductId field, and click **Add**. +1. Specify a **LicenseProductId** for the app. You can find the license ID in the root header of the license file. For example, enter `LicenseID="aaaaaaaa-dddd-8848-f8d0-7d6a93dfcccc"`. Enter it in the LicenseProductId field, and select **Add**. 2. Select the LicenseProductId in the Available Customizations pane, and then browse to and select the app license file. @@ -62,7 +62,7 @@ Use to specify the license file for the provisioned app. Use to install an app from the Microsoft Store for Business. -1. Enter a package family name, and then click **Add**. +1. Enter a package family name, and then select **Add**. 2. Configure the following required settings for the app package. Setting | Description 
@@ -75,21 +75,21 @@ SkuID | Enter the SKU ID. [Learn how to find the SKU ID.](/microsoft-store/micro Use to add a new user context app. -1. Specify a **PackageFamilyName** for the app, and then click **Add**. +1. Specify a **PackageFamilyName** for the app, and then select **Add**. 2. Select the PackageFamilyName in the Available Customizations pane, and then configure the following settings. Setting | Value | Description --- | --- | --- -ApplicationFile | app file | Browse to, select, and add the application file, -DependencyAppxFiles | additional files required by the app | Browse to, select, and add dependency files. +ApplicationFile | App file | Browse to, select, and add the application file, +DependencyAppxFiles | Additional files required by the app | Browse to, select, and add dependency files. DeploymentOptions | - None

                  - Force application shutdown

                  - Development mode

                  - Install all resources

                  - Force target application shutdown | Select a deployment option. -LaunchAppAtLogin | - Do not launch app

                  - Launch app | Select whether the app should be started when a user signs in. +LaunchAppAtLogin | - Don't launch app

                  - Launch app | Select whether the app should be started when a user signs in. ## UserContextAppLicense Use to specify the license file for the user context app. -1. Specify a **LicenseProductId** for the app. You can find the license ID in the root header of the license file. Here is an example, `LicenseID="aaaaaaaa-dddd-8848-f8d0-7d6a93dfcccc"`. Enter it in the LicenseProductId field, and click **Add**. +1. Specify a **LicenseProductId** for the app. You can find the license ID in the root header of the license file. For example, enter `LicenseID="aaaaaaaa-dddd-8848-f8d0-7d6a93dfcccc"`. Enter it in the LicenseProductId field, and select **Add**. 2. Select the LicenseProductId in the Available Customizations pane, and then browse to and select the app license file. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md index 35204ca772..625891ae05 100644 --- a/windows/configuration/wcd/wcd-universalappuninstall.md +++ b/windows/configuration/wcd/wcd-universalappuninstall.md 
@@ -20,23 +20,23 @@ Use UniversalAppUninstall settings to uninstall or remove Windows apps.
 ## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [RemoveProvisionedApp](#removeprovisionedapp) | X | | | | |
-| [Uninstall](#uninstall) | X | X | X | | X |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [RemoveProvisionedApp](#removeprovisionedapp) | ✔️ | | | |
+| [Uninstall](#uninstall) | ✔️ | ✔️ | | ✔️ |
 ## RemoveProvisionedApp
-Universal apps can be *provisioned*, which means that they are available on the device for installation in user context. When a user runs the provisioned app, the app is then installed for that user.
+Universal apps can be *provisioned*. Provisioned means that they're available on the device for installation in user context. When a user runs the provisioned app, the app is then installed for that user.
-Use **RemoveProvisionedApp** to remove app packages that are available on the device. Any instances of the app that have already been installed by a user are not uninstalled. To uninstall provisioned apps that have been installed by a user, use the [Uninstall](#uninstall) setting.
+Use **RemoveProvisionedApp** to remove app packages that are available on the device. Any instances of the app that have already been installed by a user aren't uninstalled. To uninstall provisioned apps that have been installed by a user, use the [Uninstall](#uninstall) setting.
-1. Enter the PackageFamilyName for the app package, and then click **Add**.
+1. Enter the PackageFamilyName for the app package, and then select **Add**.
 2. Select the PackageFamilyName in the Available Customizations pane, and then select **RemoveProvisionedApp**.
 ## Uninstall
 Use **Uninstall** to remove provisioned apps that have been installed by a user.
-1. Enter the PackageFamilyName for the app package, and then click **Add**.
+1. Enter the PackageFamilyName for the app package, and then select **Add**.
 2. Select the PackageFamilyName in the Available Customizations pane, and then select **Uninstall**.
diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
index d551248370..3eb9975d01 100644
--- a/windows/configuration/wcd/wcd-usberrorsoemoverride.md
+++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
@@ -20,9 +20,9 @@ Allows an OEM to hide the USB option UI in Settings and all USB device errors.
 ## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [HideUsbErrorNotifyOptionUI](#hideusberrornotifyoptionui) | X | X | X | X | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [HideUsbErrorNotifyOptionUI](#hideusberrornotifyoptionui) | ✔️ | ✔️ | ✔️ | |
 ## HideUsbErrorNotifyOptionUI
diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md
index a8cd376714..ce9f3ab265 100644
--- a/windows/configuration/wcd/wcd-weakcharger.md
+++ b/windows/configuration/wcd/wcd-weakcharger.md
@@ -20,10 +20,10 @@ Use WeakCharger settings to configure the charger notification UI.
 ## Applies to
-| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [HideWeakChargerNotifyOptionUI](#hideweakchargernotifyoptionui) | X | X | X | | |
-| [NotifyOnWeakCharger](#notifyonweakcharger) | X | X | X | | |
+| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [HideWeakChargerNotifyOptionUI](#hideweakchargernotifyoptionui) | ✔️ | ✔️ | | |
+| [NotifyOnWeakCharger](#notifyonweakcharger) | ✔️ | ✔️ | | |
 ## HideWeakChargerNotifyOptionUI
@@ -34,12 +34,15 @@ Select between **Show Weak Charger Notifications UI** and **Hide Weak Charger No
 ## NotifyOnWeakCharger
-This setting displays a warning when the user connects the device to an incompatible charging source. This warning is intended to notify users that their device may take longer to charge or may not charge at all with the current charging source.
+This setting shows a warning when the user connects the device to an incompatible charging source. This warning is intended to notify users that their device may take longer to charge. Or, it may not charge at all.
+
+An incompatible charging source is one that doesn't behave like one of the following port types:
-An incompatible charging source is one that does not behave like one of the following port types as defined by the USB Battery Charging Specification, Revision 1.2, available on the USB.org website:
 - Charging downstream port
 - Standard downstream port
 - Dedicated charging port
+The port types are defined by the USB Battery Charging Specification, Revision 1.2, available at `USB.org`.
+
 Select between **Disable Weak Charger Notifications UI** and **Enable Weak Charger Notifications UI**.
diff --git a/windows/configuration/wcd/wcd-windowshelloforbusiness.md b/windows/configuration/wcd/wcd-windowshelloforbusiness.md
index c1dd26f101..fc0d8fbd54 100644
--- a/windows/configuration/wcd/wcd-windowshelloforbusiness.md
+++ b/windows/configuration/wcd/wcd-windowshelloforbusiness.md
@@ -15,17 +15,17 @@ manager: dansimp
 # WindowsHelloForBusiness (Windows Configuration Designer reference)
-Use WindowsHelloForBusiness settings to specify whether [FIDO2 security keys for Windows Hello](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/) can be used to sign in to Windows on a device configured for [Shared PC mode](wcd-sharedpc.md).
+Use WindowsHelloForBusiness settings to specify whether [FIDO2 security keys for Windows Hello](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/) can be used to sign in to a Windows device configured for [Shared PC mode](wcd-sharedpc.md).
 ## Applies to
-| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| [SecurityKeys](#securitykeys) | X | | | | |
+| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| [SecurityKeys](#securitykeys) | ✔️ | | | |
 ## SecurityKeys
-Select the desired value:
+Select the value:
-- `0`: security keys for Windows Hello are disabled.
-- `1`: security keys for Windows Hello are enabled on [Shared PCs](wcd-sharedpc.md).
+- `0`: Security keys for Windows Hello are disabled.
+- `1`: Security keys for Windows Hello are enabled on [Shared PCs](wcd-sharedpc.md).
diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md
index dcefc054fd..9307518bf1 100644
--- a/windows/configuration/wcd/wcd-windowsteamsettings.md
+++ b/windows/configuration/wcd/wcd-windowsteamsettings.md
@@ -20,33 +20,33 @@ Use WindowsTeamSettings settings to configure Surface Hub. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | X | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | ✔️ | | | ## Connect | Setting | Value | Description | | --- | --- | --- | | AutoLaunch | True or false | Open the Connect app automatically when someone projects. | -| Channel | - 1, 3, 4, 5, 6, 7, 8, 9, 10, 11 (works with all Miracast senders in all regions)
                  - 36, 40, 44, 48 (works with all 5ghz band Miracast senders in all regions)
                  - 149, 153, 157, 161, 165 (works with all 5ghz band Miracast senders in all regions except Japan) | Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. Integer specifying the channel. The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for). | +| Channel | - 1, 3, 4, 5, 6, 7, 8, 9, 10, 11 (works with all Miracast senders in all regions)
                  - 36, 40, 44, 48 (works with all 5ghz band Miracast senders in all regions)
                  - 149, 153, 157, 161, 165 (works with all 5ghz band Miracast senders in all regions except Japan) | Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. Integer specifying the channel. The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly, the driver won't boot. Or, it will broadcast on the wrong channel, which senders won't be looking for. | | Enabled | True or false | Enables wireless projection to the device. | | PINRequired | True or false | Requires presenters to enter a PIN to connect wirelessly to the device. | ## DeviceAccount -A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. +A device account is a Microsoft Exchange account that's connected with Skype for Business. It allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. | Setting | Value | Description | | --- | --- | --- | | CalendarSyncEnabled | True or false | Specifies whether calendar sync and other Exchange Server services are enabled. | -| DomainName | Domain of the device account when you are using Active Directory | To use a device account from Active Directory, you should specify both **DomainName** and **UserName** for the device account. | +| DomainName | Domain of the device account when using Active Directory | To use a device account from Active Directory, you should specify both **DomainName** and **UserName** for the device account. | | Email | Email address | Email address of the device account. | | ExchangeServer | Exchange Server | Normally, the device will try to automatically discover the Exchange server. This field is only required if automatic discovery fails. | | Password | Password | Password for the device account. 
| -| PasswordRotationEnabled | 0 = enabled
                  1 = disabled | Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory or Azure AD. | +| PasswordRotationEnabled | 0 = enabled
                  1 = disabled | Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, then use this setting to allow the device to manage its own password. It can change the password frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory or Azure AD. | | SipAddress | Session Initiation Protocol (SIP) address | Normally, the device will try to automatically discover the SIP. This field is only required if automatic discovery fails. | -| UserName | User name | Username of the device account when you are using Active Directory. | +| UserName | User name | Username of the device account when using Active Directory. | | UserPrincipalName | User principal name (UPN) | To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. | | ValidateAndCommit | Any text | Validates the data provided and then commits the changes. This process occurs automatically after the other DeviceAccount settings are applied. The text you enter for the ValidateAndCommit setting doesn't matter. | 
@@ -62,11 +62,11 @@ Enter the name that users will see when they want to project wirelessly to the d
 ## MaintenanceHours
-Maintenance hours are the period of time during which automatic maintenance tasks are performed.
+Maintenance hours are the period of time when automatic maintenance tasks are run.
 | Setting | Value | Description |
 | --- | --- | --- |
-| Duration | Duration in minutes. For example, to set a 3-hour duration, set this value to 180. | The amount of time the device will be in maintenance, when the device will continue to download or install updates. |
+| Duration | Duration in minutes. For example, to set a three hour duration, set this value to 180. | The amount of time the device will be in maintenance, when the device will continue to download or install updates. |
 | StartTime | Start time in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120 | Start time for when device is allowed to start downloading and installing updates. |
 ## OMSAgent
@@ -75,7 +75,7 @@ Configures the Operations Management Suite workspace.
 | Setting | Value | Description |
 | --- | --- | --- |
-| WorkspaceID | GUID | GUID identifying the Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent. |
+| WorkspaceID | GUID | GUID identifying the Operations Management Suite workspace ID to collect the data. Set this value to an empty string to disable the MOM agent. |
 | WorkspaceKey | Key | Primary key for authenticating with the workspace. |
 ## Properties
@@ -85,7 +85,7 @@ Configures the Operations Management Suite workspace. | AllowAutoProxyAuth | True or false | Specifies if the Surface Hub can use the device account to authenticate into proxy servers requiring authentication. | | AllowSessionResume | True or false | Specifies if users are allowed to resume their session after session timeout. | | DefaultVolume | Numeric value between 0 and 100 | Default speaker volume. Speaker volume will be set to this value at every session startup. | -| DisableSigninSuggestions | True or false | Specifies if the Surface Hub will not show suggestions when users try to sign in to see their meetings and files. | +| DisableSigninSuggestions | True or false | Specifies if the Surface Hub won't show suggestions when users try to sign in to see their meetings and files. | | DoNotShowMyMeetingsAndFiles | True or false | Specifies if users can sign in and have full access to personal meetings and most recently used documents. | | ScreenTimeout | Select minutes from dropdown menu | The time (in minutes) of inactivity after which the Surface Hub will turn off its screen. | | SessionTimeout | Select minutes from dropdown menu | The time (in minutes) of inactivity after which the Surface Hub will time out the current session and return to the welcome screen. | @@ -105,6 +105,6 @@ Configures the Operations Management Suite workspace. | CurrentBackgroundPath | Https URL to a PNG file | Background image for the welcome screen. | | MeetingInfoOption | 0 = organizer and time only
                  1 = organizer, time, and subject (subject is hidden for private meetings) | Specifies whether meeting information is displayed on the welcome screen. | -## Related topics +## Related articles - [SurfaceHub configuration service provider (CSP)](/windows/client-management/mdm/surfacehub-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md index 2a746063eb..8b931bc90a 100644 --- a/windows/configuration/wcd/wcd-wlan.md +++ b/windows/configuration/wcd/wcd-wlan.md @@ -20,7 +20,7 @@ Do not use at this time. Instead, use [ConnectivityProfiles > WLAN](wcd-connecti ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | | | | diff --git a/windows/configuration/wcd/wcd-workplace.md b/windows/configuration/wcd/wcd-workplace.md index 7d4431413d..e810f28679 100644 --- a/windows/configuration/wcd/wcd-workplace.md +++ b/windows/configuration/wcd/wcd-workplace.md 
@@ -20,13 +20,13 @@ Use Workplace settings to configure bulk user enrollment to a mobile device mana ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [Enrollments](#enrollments) | X | X | X | | X | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [Enrollments](#enrollments) | ✔️ | ✔️ | | ✔️ | ## Enrollments -Select **Enrollments**, enter a UPN, and then click **Add** to configure the settings for the enrollment. The UPN is a unique identifier for enrollment. For bulk enrollment, this must a service account that is allowed to enroll multiple users. Example, "generic-device@contoso.com" +Select **Enrollments**, enter a UPN, and then select **Add** to configure the settings for the enrollment. The UPN is a unique identifier for enrollment. For bulk enrollment, this value must be a service account that's allowed to enroll multiple users. For example, use `generic-device@contoso.com`. | Settings | Value | Description | | --- | --- | --- | @@ -34,8 +34,8 @@ Select **Enrollments**, enter a UPN, and then click **Add** to configure the set | DiscoveryServiceFullUrl | URL | The full URL for the discovery service | | EnrollmentServiceFullUrl | URL | The full URL for the enrollment service | | PolicyServiceFullUrl | URL | The full URL for the policy service | -| Secret | - Password string for on-premises authentication enrollment
                  - Federated security token for federated enrollment
                  - Certificate thumb print for certificate-based enrollment | Enter the appropriate value for the selected AuthPolicy | +| Secret | - Password string for on-premises authentication enrollment
                  - Federated security token for federated enrollment
                  - Certificate thumb print for certificate-based enrollment | Enter the appropriate value for the selected AuthPolicy. | -## Related topics +## Related articles - [Provisioning configuration service provider (CSP)](/windows/client-management/mdm/provisioning-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index f1e1091bc6..952a247ff3 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md 
@@ -18,74 +18,58 @@ This section describes the settings that you can configure in [provisioning pack ## Edition that each group of settings applies to -| Setting group | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -[AccountManagement](wcd-accountmanagement.md) | | | | X | | -| [Accounts](wcd-accounts.md) | X | X | X | X | X | -| [ADMXIngestion](wcd-admxingestion.md) | X | | | | | -| [AssignedAccess](wcd-assignedaccess.md) | X | | | X | | -| [AutomaticTime](wcd-automatictime.md) | | X | | | | -| [Browser](wcd-browser.md) | X | X | X | | | -| [CallAndMessagingEnhancement](wcd-callandmessagingenhancement.md) | | X | | | | -| [Calling](wcd-calling.md) | | X | | | | -| [CellCore](wcd-cellcore.md) | X | X | | | | -| [Cellular](wcd-cellular.md) | X | | | | | -| [Certificates](wcd-certificates.md) | X | X | X | X | X | -| [CleanPC](wcd-cleanpc.md) | X | | | | | -| [Connections](wcd-connections.md) | X | X | X | | | -| [ConnectivityProfiles](wcd-connectivityprofiles.md) | X | X | X | X | | -| [CountryAndRegion](wcd-countryandregion.md) | X | X | X | | | -| [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | X | | | | | -| [DeveloperSetup](wcd-developersetup.md) | | | | X | | -| [DeviceFormFactor](wcd-deviceformfactor.md) | X | X | X | | | -| [DeviceInfo](wcd-deviceinfo.md) | | X | | | | -| [DeviceManagement](wcd-devicemanagement.md) | X | X | X | X | | -| [DeviceUpdateCenter](wcd-deviceupdatecenter.md) | X | | | | | -| [DMClient](wcd-dmclient.md) | X | X | X | | X | -| [EditionUpgrade](wcd-editionupgrade.md) | X | X | | X | | -| [EmbeddedLockdownProfiles](wcd-embeddedlockdownprofiles.md) | | X | | | | -| [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | | X | -| [FirstExperience](wcd-firstexperience.md) | | | | X | | -| [Folders](wcd-folders.md) |X | X | X | | | -| [InitialSetup](wcd-initialsetup.md) | | X | | | | -| [InternetExplorer](wcd-internetexplorer.md) | | X | | | 
| -| [KioskBrowser](wcd-kioskbrowser.md) | | | | | X | -| [Licensing](wcd-licensing.md) | X | | | | | -| [Location](wcd-location.md) | | | | | X | -| [Maps](wcd-maps.md) |X | X | X | | | -| [Messaging](wcd-messaging.md) | | X | | | | -| [ModemConfigurations](wcd-modemconfigurations.md) | | X | | | | -| [Multivariant](wcd-multivariant.md) | | X | | | | -| [NetworkProxy](wcd-networkproxy.md) | | | X | | | -| [NetworkQOSPolicy](wcd-networkqospolicy.md) | | | X | | | -| [NFC](wcd-nfc.md) | | X | | | | -| [OOBE](wcd-oobe.md) | X | X | | | | -| [OtherAssets](wcd-otherassets.md) | | X | | | | -| [Personalization](wcd-personalization.md) | X | | | | | -| [Policies](wcd-policies.md) | X | X | X | X | X | -| [Privacy](wcd-folders.md) |X | X | X | | X | -| [ProvisioningCommands](wcd-provisioningcommands.md) | X | | | | | -| [RcsPresence](wcd-rcspresence.md) | | X | | | | -| [SharedPC](wcd-sharedpc.md) | X | | | | | -| [Shell](wcd-shell.md) | | X | | | | -| [SMISettings](wcd-smisettings.md) | X | | | | | -| [Start](wcd-start.md) | X | X | | | | -| [StartupApp](wcd-startupapp.md) | | | | | X | -| [StartupBackgroundTasks](wcd-startupbackgroundtasks.md) | | | | | X | -| [StorageD3InModernStandby](wcd-storaged3inmodernstandby.md) |X | X | X | | X | -| [SurfaceHubManagement](wcd-surfacehubmanagement.md) | | | X | | | -| [TabletMode](wcd-tabletmode.md) |X | X | X | | | -| [TakeATest](wcd-takeatest.md) | X | | | | | -| [TextInput](wcd-textinput.md) | | X | | | | -| [Theme](wcd-theme.md) | | X | | | | -| [Time](wcd-time.md) | X | | | | | -| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | X | | | | X | -| [UniversalAppInstall](wcd-universalappinstall.md) | X | X | X | | X | -| [UniversalAppUninstall](wcd-universalappuninstall.md) | X | X | X | | X | -| [UsbErrorsOEMOverride](wcd-usberrorsoemoverride.md) | X | X | X | | | -| [WeakCharger](wcd-weakcharger.md) |X | X | X | | | -| [WindowsHelloForBusiness](wcd-windowshelloforbusiness.md) | X | | | | | -| 
[WindowsTeamSettings](wcd-windowsteamsettings.md) | | | X | | | -| [Workplace](wcd-workplace.md) |X | X | X | | X | - +| Setting group | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [AccountManagement](wcd-accountmanagement.md) | | | ✔️ | | +| [Accounts](wcd-accounts.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| [ADMXIngestion](wcd-admxingestion.md) | ✔️ | | | | +| [AssignedAccess](wcd-assignedaccess.md) | ✔️ | | ✔️ | | +| [Browser](wcd-browser.md) | ✔️ | ✔️ | | | +| [CellCore](wcd-cellcore.md) | ✔️ | | | | +| [Cellular](wcd-cellular.md) | ✔️ | | | | +| [Certificates](wcd-certificates.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| [CleanPC](wcd-cleanpc.md) | ✔️ | | | | +| [Connections](wcd-connections.md) | ✔️ | ✔️ | | | +| [ConnectivityProfiles](wcd-connectivityprofiles.md) | ✔️ | ✔️ | ✔️ | | +| [CountryAndRegion](wcd-countryandregion.md) | ✔️ | ✔️ | | | +| [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | ✔️ | | | | +| [DeveloperSetup](wcd-developersetup.md) | | | ✔️ | | +| [DeviceFormFactor](wcd-deviceformfactor.md) | ✔️ | ✔️ | | | +| [DeviceManagement](wcd-devicemanagement.md) | ✔️ | ✔️ | ✔️ | | +| [DeviceUpdateCenter](wcd-deviceupdatecenter.md) | ✔️ | | | | +| [DMClient](wcd-dmclient.md) | ✔️ | ✔️ | | ✔️ | +| [EditionUpgrade](wcd-editionupgrade.md) | ✔️ | | ✔️ | | +| [EmbeddedLockdownProfiles](wcd-embeddedlockdownprofiles.md) | | | | | +| [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | ✔️ | +| [FirstExperience](wcd-firstexperience.md) | | | ✔️ | | +| [Folders](wcd-folders.md) |✔️ | ✔️ | | | +| [KioskBrowser](wcd-kioskbrowser.md) | | | | ✔️ | +| [Licensing](wcd-licensing.md) | ✔️ | | | | +| [Location](wcd-location.md) | | | | ✔️ | +| [Maps](wcd-maps.md) |✔️ | ✔️ | | | +| [NetworkProxy](wcd-networkproxy.md) | | ✔️ | | | +| [NetworkQOSPolicy](wcd-networkqospolicy.md) | | ✔️ | | | +| [OOBE](wcd-oobe.md) | ✔️ | | | | +| [Personalization](wcd-personalization.md) | ✔️ | | | | +| [Policies](wcd-policies.md) | ✔️ | ✔️ | ✔️ 
| ✔️ | +| [Privacy](wcd-folders.md) |✔️ | ✔️ | | ✔️ | +| [ProvisioningCommands](wcd-provisioningcommands.md) | ✔️ | | | | +| [SharedPC](wcd-sharedpc.md) | ✔️ | | | | +| [SMISettings](wcd-smisettings.md) | ✔️ | | | | +| [Start](wcd-start.md) | ✔️ | | | | +| [StartupApp](wcd-startupapp.md) | | | | ✔️ | +| [StartupBackgroundTasks](wcd-startupbackgroundtasks.md) | | | | ✔️ | +| [StorageD3InModernStandby](wcd-storaged3inmodernstandby.md) |✔️ | ✔️ | | ✔️ | +| [SurfaceHubManagement](wcd-surfacehubmanagement.md) | | ✔️ | | | +| [TabletMode](wcd-tabletmode.md) |✔️ | ✔️ | | | +| [TakeATest](wcd-takeatest.md) | ✔️ | | | | +| [Time](wcd-time.md) | ✔️ | | | | +| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | ✔️ | | | ✔️ | +| [UniversalAppInstall](wcd-universalappinstall.md) | ✔️ | ✔️ | | ✔️ | +| [UniversalAppUninstall](wcd-universalappuninstall.md) | ✔️ | ✔️ | | ✔️ | +| [UsbErrorsOEMOverride](wcd-usberrorsoemoverride.md) | ✔️ | ✔️ | | | +| [WeakCharger](wcd-weakcharger.md) |✔️ | ✔️ | | | +| [WindowsHelloForBusiness](wcd-windowshelloforbusiness.md) | ✔️ | | | | +| [WindowsTeamSettings](wcd-windowsteamsettings.md) | | ✔️ | | | +| [Workplace](wcd-workplace.md) |✔️ | ✔️ | | ✔️ | diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 8daccb955a..0785a4e3d4 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -15,9 +15,8 @@ href: update/quality-updates.md - name: Basics of Windows updates, channels, and tools href: update/get-started-updates-channels-tools.md - - name: Servicing the Windows 10 operating system + - name: Prepare servicing strategy for Windows client updates href: update/waas-servicing-strategy-windows-10-updates.md - - name: Deployment proof of concept items: - name: Demonstrate Autopilot deployment on a VM 
@@ -47,13 +46,13 @@ href: update/plan-determine-app-readiness.md - name: Define your servicing strategy href: update/plan-define-strategy.md - - name: Delivery Optimization for Windows 10 updates + - name: Delivery Optimization for Windows client updates href: update/waas-delivery-optimization.md items: - name: Using a proxy with Delivery Optimization href: update/delivery-optimization-proxy.md - - name: Best practices for feature updates on mission-critical devices - href: update/feature-update-mission-critical.md + - name: Delivery Optimization client-service communication + href: update/delivery-optimization-workflow.md - name: Windows 10 deployment considerations href: planning/windows-10-deployment-considerations.md - name: Windows 10 infrastructure requirements @@ -77,15 +76,15 @@ items: - name: Prepare for Windows 11 href: /windows/whats-new/windows-11-prepare - - name: Prepare to deploy Windows 10 updates + - name: Prepare to deploy Windows client updates href: update/prepare-deploy-windows.md - name: Evaluate and update infrastructure href: update/update-policies.md - name: Update Baseline href: update/update-baseline.md - - name: Set up Delivery Optimization for Windows 10 updates + - name: Set up Delivery Optimization for Windows client updates href: update/waas-delivery-optimization-setup.md - - name: Configure BranchCache for Windows 10 updates + - name: Configure BranchCache for Windows client updates href: update/waas-branchcache.md - name: Prepare your deployment tools items: @@ -95,8 +94,6 @@ href: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md - name: Build a successful servicing strategy items: - - name: Build deployment rings for Windows 10 updates - href: update/waas-deployment-rings-windows-10-updates.md - name: Check release health href: update/check-release-health.md - name: Prepare updates using Windows Update for Business 
@@ -119,7 +116,7 @@ - name: Replace a device href: deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md - name: In-place upgrade - href: deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md + href: deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md - name: Deploy Windows client with MDT items: - name: Deploy to a new device @@ -132,15 +129,15 @@ href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md - name: Subscription Activation items: - - name: Windows 10 Subscription Activation + - name: Windows 10/11 Subscription Activation href: windows-10-subscription-activation.md - - name: Windows 10 Enterprise E3 in CSP + - name: Windows 10/11 Enterprise E3 in CSP href: windows-10-enterprise-e3-overview.md - name: Configure VDA for Subscription Activation href: vda-subscription-activation.md - - name: Deploy Windows 10 Enterprise licenses + - name: Deploy Windows 10/11 Enterprise licenses href: deploy-enterprise-licenses.md - - name: Deploy Windows 10 updates + - name: Deploy Windows client updates items: - name: Assign devices to servicing channels href: update/waas-servicing-channels-windows-10-updates.md 
@@ -152,22 +149,18 @@ href: update/waas-manage-updates-wsus.md - name: Deploy updates with Group Policy href: update/waas-wufb-group-policy.md - - name: Update Windows 10 media with Dynamic Update + - name: Update Windows client media with Dynamic Update href: update/media-dynamic-update.md - name: Migrating and acquiring optional Windows content href: update/optional-content.md - name: Safeguard holds href: update/safeguard-holds.md - - name: Manage the Windows 10 update experience + - name: Manage the Windows client update experience items: - name: Manage device restarts after updates href: update/waas-restart.md - name: Manage additional Windows Update settings - href: update/waas-wu-settings.md - - name: Deploy feature updates during maintenance windows - href: update/feature-update-maintenance-window.md - - name: Deploy feature updates for user-initiated installations - href: update/feature-update-user-install.md + href: update/waas-wu-settings.md - name: Use Windows Update for Business items: - name: What is Windows Update for Business? @@ -187,7 +180,7 @@ href: update/waas-wufb-group-policy.md - name: 'Walkthrough: use Intune to configure Windows Update for Business' href: update/deploy-updates-intune.md - - name: Monitor Windows 10 updates + - name: Monitor Windows client updates items: - name: Monitor Delivery Optimization href: update/waas-delivery-optimization-setup.md#monitor-delivery-optimization @@ -215,6 +208,8 @@ href: update/update-compliance-security-update-status.md - name: Feature update status report href: update/update-compliance-feature-update-status.md + - name: Safeguard holds report + href: update/update-compliance-safeguard-holds.md - name: Delivery Optimization in Update Compliance href: update/update-compliance-delivery-optimization.md - name: Data handling and privacy in Update Compliance 
@@ -236,7 +231,7 @@ items: - name: Resolve upgrade errors items: - - name: Resolve Windows 10 upgrade errors + - name: Resolve Windows client upgrade errors href: upgrade/resolve-windows-10-upgrade-errors.md - name: Quick fixes href: upgrade/quick-fixes.md @@ -252,7 +247,7 @@ href: upgrade/log-files.md - name: Resolution procedures href: upgrade/resolution-procedures.md - - name: Submit Windows 10 upgrade errors + - name: Submit Windows client upgrade errors href: upgrade/submit-errors.md - name: Troubleshoot Windows Update items: @@ -273,9 +268,9 @@ items: - name: How does Windows Update work? href: update/how-windows-update-works.md - - name: Windows 10 upgrade paths + - name: Windows client upgrade paths href: upgrade/windows-10-upgrade-paths.md - - name: Windows 10 edition upgrade + - name: Windows client edition upgrade href: upgrade/windows-10-edition-upgrades.md - name: Deploy Windows 10 with Microsoft 365 href: deploy-m365.md @@ -287,11 +282,11 @@ href: update/waas-wu-settings.md - name: Delivery Optimization reference href: update/waas-delivery-optimization-reference.md - - name: Windows 10 in S mode + - name: Windows client in S mode href: s-mode.md - - name: Switch to Windows 10 Pro or Enterprise from S mode + - name: Switch to Windows client Pro or Enterprise from S mode href: windows-10-pro-in-s-mode.md - - name: Windows 10 deployment tools + - name: Windows client deployment tools items: - name: Windows client deployment scenarios and tools items: @@ -578,5 +573,5 @@ - name: "Appendix: Information sent to Microsoft during activation " href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md - - name: Install fonts in Windows 10 + - name: Install fonts in Windows client href: windows-10-missing-fonts.md diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 1101efd400..9b4d7283c3 100644 --- a/windows/deployment/deploy-enterprise-licenses.md 
+++ b/windows/deployment/deploy-enterprise-licenses.md @@ -1,10 +1,10 @@ --- -title: Deploy Windows 10 Enterprise licenses +title: Deploy Windows 10/11 Enterprise licenses ms.reviewer: manager: laurawi ms.audience: itpro ms.author: greglin -description: Steps to deploy Windows 10 Enterprise licenses for Windows 10 Enterprise E3 or E5 Subscription Activation, or for Windows 10 Enterprise E3 in CSP +description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise licenses for Windows 10/11 Enterprise E3 or E5 Subscription Activation, or for Windows 10/11 Enterprise E3 in CSP keywords: upgrade, update, task sequence, deploy ms.prod: w10 ms.mktglfcycl: deploy 
@@ -16,18 +16,18 @@ author: greg-lindsay ms.topic: article --- -# Deploy Windows 10 Enterprise licenses +# Deploy Windows 10/11 Enterprise licenses -This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). +This topic describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10/11 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). ->[!NOTE] ->* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. ->* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. ->* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. ->* Windows 10 Enterprise Subscription Activation requires Windows 10 Enterprise per user licensing; it does not work on per device based licensing. +> [!NOTE] +> * Windows 10/11 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. Windows 11 is considered "later" in this context. +> * Windows 10/11 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. +> * Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. +> * Windows 10/11 Enterprise Subscription Activation requires Windows 10/11 Enterprise per user licensing; it does not work on per device based licensing. ->[!IMPORTANT] ->An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. 
A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0. +> [!IMPORTANT] +> An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0. > >Also ensure that the Group Policy setting: Computer Configuration > Administrative Templates > Windows Components > Windows Update > "Do not connect to any Windows Update Internet locations" is set to "Disabled". 
@@ -50,24 +50,17 @@ If you are an EA customer with an existing Office 365 tenant, use the following - **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 - **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 -1. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. - -1. The admin can now assign subscription licenses to users. +2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. +3. The admin can now assign subscription licenses to users. Use the following process if you need to update contact information and retrigger activation in order to resend the activation email: 1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). - 2. Click **Subscriptions**. - 3. Click **Online Services Agreement List**. - 4. Enter your agreement number, and then click **Search**. - 5. Click the **Service Name**. - 6. In the **Subscription Contact** section, click the name listed under **Last Name**. - 7. Update the contact information, then click **Update Contact Details**. This will trigger a new email. Also in this article: 
@@ -76,9 +69,9 @@ Also in this article: ## Active Directory synchronization with Azure AD -You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. +You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10/11 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. -You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. +You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10/11 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. **Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. 
@@ -91,16 +84,16 @@ For more information about integrating on-premises AD DS domains with Azure AD, - [Integrating your on-premises identities with Azure Active Directory](/azure/active-directory/hybrid/whatis-hybrid-identity) - [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) ->[!NOTE] ->If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. +> [!NOTE] +> If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. ## Preparing for deployment: reviewing requirements -Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. +Devices must be running Windows 10 Pro, version 1703, or later and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. 
Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. ## Assigning licenses to users -Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: +Upon acquisition of Windows 10/11 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: > [!div class="mx-imgBorder"] > ![profile.](images/al01.png) @@ -121,11 +114,11 @@ The following methods are available to assign licenses: ## Explore the upgrade experience -Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10 Enterprise. What will the users experience? How will they upgrade their devices? +Now that your subscription has been established and Windows 10/11 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10/11 Enterprise. What will the users experience? How will they upgrade their devices? -### Step 1: Join Windows 10 Pro devices to Azure AD +### Step 1: Join Windows 10/11 Pro devices to Azure AD -Users can join a Windows 10 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703. +Users can join a Windows 10/11 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703 or later. **To join a device to Azure AD the first time the device is started** 
@@ -176,16 +169,15 @@ Now the device is Azure AD–joined to the company's subscription. ### Step 2: Pro edition activation ->[!IMPORTANT] ->If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. ->If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. +> [!IMPORTANT] +> If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. +> If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**.
                  Windows 10 Pro activated
                  Figure 7a - Windows 10 Pro activation in Settings -Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). - +Windows 10/11 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). ### Step 3: Sign in using Azure AD account @@ -197,35 +189,33 @@ Once the device is joined to your Azure AD subscription, the user will sign in b ### Step 4: Verify that Enterprise edition is enabled -You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**. +You can verify the Windows 10/11 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**.
                  Windows 10 activated and subscription active **Figure 9 - Windows 10 Enterprise subscription in Settings** +If there are any problems with the Windows 10/11 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. -If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. - ->[!NOTE] ->If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following: ->Name: Windows(R), Professional edition ->Description: Windows(R) Operating System, RETAIL channel ->Partial Product Key: 3V66T +> [!NOTE] +> If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following: +> Name: Windows(R), Professional edition +> Description: Windows(R) Operating System, RETAIL channel +> Partial Product Key: 3V66T ## Virtual Desktop Access (VDA) -Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://aka.ms/qmth). +Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [Qualified Multitenant Hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download). 
Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md). ## Troubleshoot the user experience -In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows: +In some instances, users may experience problems with the Windows 10/11 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows: - The existing Windows 10 Pro, version 1703 or 1709 operating system is not activated. This problem does not apply to Windows 10, version 1803 or later. - -- The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed. +- The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed. Use the following figures to help you troubleshoot when users experience these common problems: diff --git a/windows/deployment/deploy-windows-cm/TOC.yml b/windows/deployment/deploy-windows-cm/TOC.yml index 06bf59500f..f47a156a14 100644 --- a/windows/deployment/deploy-windows-cm/TOC.yml +++ b/windows/deployment/deploy-windows-cm/TOC.yml @@ -25,4 +25,4 @@ - name: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager href: replace-a-windows-7-client-with-windows-10-using-configuration-manager.md - name: Perform an in-place upgrade to Windows 10 using Configuration Manager - href: upgrade-to-windows-10-with-configuraton-manager.md + href: upgrade-to-windows-10-with-configuration-manager.md diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index 43b188d08e..34244e4af1 100644 
--- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -201,7 +201,7 @@ When the process is complete, you will have a new Windows 10 computer in your do ![User data and setting restored example 8.](../images/pc0006h.png)
                  ![User data and setting restored example 9.](../images/pc0006i.png) -Next, see [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-configuraton-manager.md). +Next, see [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-configuration-manager.md). ## Related topics diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md similarity index 99% rename from windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md rename to windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md index da8eb45f78..dc7ae9b53f 100644 --- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md +++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md @@ -135,8 +135,6 @@ On **PC0004**: ![Upgrade task sequence example 6.](../images/pc0004-f.png)
                  ![Upgrade task sequence example 7.](../images/pc0004-g.png) -In-place upgrade with Configuration Manager - ## Related topics [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
diff --git a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
index 427daf44e9..453515a466 100644
--- a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
@@ -3,7 +3,7 @@ title: Assign applications using roles in MDT (Windows 10)
 description: This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer.
 ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7
 ms.reviewer:
-manager: laurawi
+manager: dougeby
 ms.author: greglin
 keywords: settings, database, deploy
 ms.prod: w10
diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
index 06399d410a..c05e2b7c67 100644
--- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
+++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
@@ -3,7 +3,7 @@ title: Build a distributed environment for Windows 10 deployment (Windows 10)
 description: In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations.
 ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c
 ms.reviewer:
-manager: laurawi
+manager: dougeby
 ms.author: greglin
 keywords: replication, replicate, deploy, configure, remote
 ms.prod: w10
@@ -62,7 +62,7 @@ On **MDT01**: Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools ``` -2. Wait for installation to comlete, and then verify that the installation was successful. See the following output: +2. Wait for installation to complete, and then verify that the installation was successful. See the following output: ```output PS C:\> Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools @@ -82,7 +82,7 @@ On **MDT02**: Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools ``` -2. Wait for installation to comlete, and then verify that the installation was successful. See the following output: +2. Wait for installation to complete, and then verify that the installation was successful. See the following output: ```output PS C:\> Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md index 8741709766..0fb4725b6b 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md @@ -3,7 +3,7 @@ title: Configure MDT deployment share rules (Windows 10) description: Learn how to configure the MDT rules engine to reach out to other resources for additional information instead of storing settings directly in the rules engine. ms.assetid: b5ce2360-33cc-4b14-b291-16f75797391b ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin keywords: rules, configuration, automate, deploy ms.prod: w10 diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md index 115f42408d..342cec9742 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md 
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
@@ -3,7 +3,7 @@ title: Configure MDT for UserExit scripts (Windows 10)
 description: In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address.
 ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7
 ms.reviewer:
-manager: laurawi
+manager: dougeby
 ms.author: greglin
 keywords: rules, script
 ms.prod: w10
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
index 5259d8bafe..731550645c 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
@@ -3,7 +3,7 @@ title: Configure MDT settings (Windows 10)
 description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization.
 ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122
 ms.reviewer:
-manager: laurawi
+manager: dougeby
 ms.author: greglin
 keywords: customize, customization, deploy, features, tools
 ms.prod: w10
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index 33d92b8cc9..9dd26e0e66 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -3,7 +3,7 @@ title: Create a Windows 10 reference image (Windows 10)
 description: Creating a reference image is important because that image serves as the foundation for the devices in your organization.
 ms.assetid: 9da2fb57-f2ff-4fce-a858-4ae4c237b5aa
 ms.reviewer:
-manager: laurawi
+manager: dougeby
 ms.author: greglin
 keywords: deploy, deployment, configure, customize, install, installation
 ms.prod: w10
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index b6a311471f..9d20892e07 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -3,7 +3,7 @@ title: Deploy a Windows 10 image using MDT (Windows 10)
 description: This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT).
 ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c
 ms.reviewer:
-manager: laurawi
+manager: dougeby
 ms.author: greglin
 keywords: deployment, automate, tools, configure
 ms.prod: w10
diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
index dc5907ae88..df26acb90f 100644
--- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
@@ -3,7 +3,7 @@ title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin keywords: deploy, image, feature, install, tools ms.prod: w10 @@ -31,6 +31,9 @@ In addition to reducing deployment time and standardizing desktop and server ima MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](/configmgr/). +> [!IMPORTANT] +> For more information about MDT supported platforms, see [MDT Release Notes](/mem/configmgr/mdt/release-notes#supported-platforms) and [MDT FAQ](/mem/configmgr/mdt/faq#is-this-release-only-supported-with-version--x--of-windows-client--windows-adk--or-configuration-manager-). + ## Key features in MDT MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment. diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index 97d1ca6701..186a8fe7bd 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md 
@@ -3,7 +3,7 @@ title: Prepare for deployment with MDT (Windows 10)
 description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT).
 ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226
 ms.reviewer:
-manager: laurawi
+manager: dougeby
 ms.author: greglin
 keywords: deploy, system requirements
 ms.prod: w10
diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
index f1aa143648..57a26f04a9 100644
--- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
+++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
@@ -3,7 +3,7 @@ title: Refresh a Windows 7 computer with Windows 10 (Windows 10)
 description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process.
 ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f
 ms.reviewer:
-manager: laurawi
+manager: dougeby
 ms.author: greglin
 keywords: reinstallation, customize, template, script, restore
 ms.prod: w10
diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
index fb7cfe97e1..baa35a0260 100644
--- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
+++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
@@ -4,7 +4,7 @@ description: In this article, you will learn how to replace a Windows 7 device w ms.custom: seo-marvel-apr2020 ms.assetid: acf091c9-f8f4-4131-9845-625691c09a2a ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin keywords: deploy, deployment, replace ms.prod: w10 @@ -48,7 +48,7 @@ On **MDT01**: 1. Open the Deployment Workbench, under **Deployment Shares** right-click **MDT Production**, click **Properties**, and then click the **Rules** tab. 2. Change the **SkipUserData=YES** option to **NO**, and click **OK**. -3. Right-click **MDT Production** and click **Update Deployment Share**. Click **Next**, **Next**, and **Finish** to complete the Update Deployment Share Wizard with the default setttings. +3. Right-click **MDT Production** and click **Update Deployment Share**. Click **Next**, **Next**, and **Finish** to complete the Update Deployment Share Wizard with the default settings. ### Create and share the MigData folder @@ -81,7 +81,7 @@ On **MDT01**: During a computer replace, these are the high-level steps that occur: -1. On the computer you are replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Window Imaging (WIM) backup. +1. On the computer you are replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Windows Imaging (WIM) backup. 2. On the new computer, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored. ### Run the replace task sequence 
@@ -151,7 +151,7 @@ On **HV01**: * Updates the operating system via your local Windows Server Update Services (WSUS) server. * Restores the USMT backup from PC0002. -You can view progress of the process by clicking the Monitoring node in the Deployment Workbrench on MDT01. +You can view progress of the process by clicking the Monitoring node in the Deployment Workbench on MDT01. ![Monitor progress.](../images/mdt-replace.png) diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index 8d2743cfa3..64938b8f63 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -2,7 +2,7 @@ title: Set up MDT for BitLocker (Windows 10) ms.assetid: 386e6713-5c20-4d2a-a220-a38d94671a38 ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin description: Learn how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. keywords: disk, encryption, TPM, configure, secure, script diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md index 4ec7b22c9d..d538a02412 100644 --- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md +++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md @@ -3,7 +3,7 @@ title: Simulate a Windows 10 deployment in a test environment (Windows 10) description: This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. ms.assetid: 2de86c55-ced9-4078-b280-35e0329aea9c ms.reviewer: -manager: laurawi +manager: dougeby ms.author: greglin keywords: deploy, script ms.prod: w10 
@@ -33,7 +33,24 @@ This topic will walk you through the process of creating a simulated environment On **PC0001**: 1. Sign as **contoso\\Administrator**. -2. Download the [sample Gather.ps1 script](/samples/browse/?redirectedfrom=TechNet-Gallery) from the TechNet gallery and copy it to a directory named **C:\MDT** on PC0001. +2. Copy the following to a PowerShell script named gather.ps1 and copy it to a directory named **C:\MDT** on PC0001. + + ```powershell + # Check for elevation + If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(` + [Security.Principal.WindowsBuiltInRole] "Administrator")) + { + Write-Warning "Oupps, you need to run this script from an elevated PowerShell prompt!`nPlease start the PowerShell prompt as an Administrator and re-run the script." + Write-Warning "Aborting script..." + Break + } + cls + if (Test-Path -Path "C:\MININT") {Write-Host "C:\MININT exists, deleting...";Remove-Item C:\MININT -Recurse} + cscript.exe ZTIGather.wsf /debug:true + # Optional, comment out if you want the script to open the log in CMTrace + & "C:\MDT\CMTrace" C:\MININT\SMSOSD\OSDLOGS\ZTIGather.log + ``` + 3. Download and install the free [Microsoft System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717) on PC0001 so that you have access to the Configuration Manager Trace (cmtrace.exe) tool. 4. Using Local Users and Groups (lusrmgr.msc), add the **contoso\\MDT\_BA** user account to the local **Administrators** group. 5. Sign off, and then sign on to PC0001 as **contoso\\MDT\_BA**. diff --git a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index 41cd6d8006..8760205a12 100644 --- a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md 
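Review bot: The added gather.ps1 insists on an elevated prompt, yet it launches `cscript.exe ZTIGather.wsf /debug:true` by bare relative name, so the file that runs as Administrator is whatever ZTIGather.wsf sits in the caller's current directory. Anchoring the call to the script's own folder, `cscript.exe "$PSScriptRoot\ZTIGather.wsf" /debug:true`, removes that dependency; the step that places ZTIGather.wsf in C:\MDT is presumably later in the article, outside this hunk. The comment above the CMTrace line is inverted, since that line is what opens the log: `# Optional, comment out if you do not want the script to open the log in CMTrace`. `Break` outside a loop is also an indirect way to stop the script after the elevation check; `exit 1` states the intent and gives callers a failure code.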
+++ b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -3,7 +3,7 @@ title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10)
 description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
 ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460
 ms.reviewer:
-manager: laurawi
+manager: dougeby
 ms.author: greglin
 keywords: upgrade, update, task sequence, deploy
 ms.prod: w10
diff --git a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
index 48516703b7..600f2dec3e 100644
--- a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
@@ -3,7 +3,7 @@ title: Use Orchestrator runbooks with MDT (Windows 10)
 description: Learn how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
 ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f
 ms.reviewer:
-manager: laurawi
+manager: dougeby
 ms.author: greglin
 keywords: web services, database
 ms.prod: w10
diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
index 3c191c4712..235c3ecedb 100644
--- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
+++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
@@ -3,7 +3,7 @@ title: Use MDT database to stage Windows 10 deployment info (Windows 10)
 description: Learn how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database.
 ms.assetid: 8956ab54-90ba-45d3-a384-4fdec72c4d46
 ms.reviewer:
-manager: laurawi
+manager: dougeby
 ms.author: greglin
 ms.pagetype: mdt
 keywords: database, permissions, settings, configure, deploy
diff --git a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
index 68336c929b..21536126c8 100644
--- a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
@@ -3,7 +3,7 @@ title: Use web services in MDT (Windows 10)
 description: Learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment.
 ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522
 ms.reviewer:
-manager: laurawi
+manager: dougeby
 ms.author: greglin
 keywords: deploy, web apps
 ms.prod: w10
diff --git a/windows/deployment/images/mdt-copy-image.png b/windows/deployment/images/mdt-copy-image.png
new file mode 100644
index 0000000000..a5d172def8
Binary files /dev/null and b/windows/deployment/images/mdt-copy-image.png differ
diff --git a/windows/deployment/images/windowsupgradeadditionaloptions.png b/windows/deployment/images/windowsupgradeadditionaloptions.png
new file mode 100644
index 0000000000..4fcdb1dd70
Binary files /dev/null and b/windows/deployment/images/windowsupgradeadditionaloptions.png differ
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 8ad4b1b6a3..f925f48fd4 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -422,7 +422,7 @@ To fix this issue, mount the Windows PE image (WIM), copy the missing file from 1. Mount the Windows PE WIM to a path (for example, C:\WinPE_Mount). For more information about how to mount WIM files, see [Mount an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image). -2. Copy the ReAgent files and the ReAgent localization files from the Window 10, version 1903 ADK source folder to the mounted WIM. +2. Copy the ReAgent files and the ReAgent localization files from the Windows 10, version 1903 ADK source folder to the mounted WIM. For example, if the ADK is installed to the default location of C:\Program Files (x86)\Windows Kits\10 and the Windows PE image is mounted to C:\WinPE_Mount, run the following commands from an elevated Command Prompt window: diff --git a/windows/deployment/planning/features-lifecycle.md b/windows/deployment/planning/features-lifecycle.md index 6aa1667383..ee30d55e62 100644 --- a/windows/deployment/planning/features-lifecycle.md +++ b/windows/deployment/planning/features-lifecycle.md @@ -12,7 +12,7 @@ ms.author: greglin ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Windows 10 features lifecycle +# Windows client features lifecycle Applies to: - Windows 10 @@ -20,6 +20,10 @@ Applies to: Each release of Windows 10 and Windows 11 contains many new and improved features. Occasionally we also remove features and functionality, usually because there is a better option. +## Windows 11 features + +For information about features that are impacted when you upgrade from Windows 10 to Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3). + ## Features no longer being developed The following topic lists features that are no longer being developed. These features might be removed in a future release. 
diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md index 9581461533..3452a3fd88 100644 --- a/windows/deployment/planning/index.md +++ b/windows/deployment/planning/index.md @@ -30,6 +30,6 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi - [Deploy Windows 10 with MDT](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) - [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - [Upgrade to Windows 10 with MDT](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) -- [Upgrade to Windows 10 with Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md) +- [Upgrade to Windows 10 with Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md) - [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)   \ No newline at end of file diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md index 90d0c547cb..4d8bf0ff3e 100644 --- a/windows/deployment/planning/windows-10-deployment-considerations.md +++ b/windows/deployment/planning/windows-10-deployment-considerations.md @@ -36,46 +36,13 @@ Windows 10 also introduces two additional scenarios that organizations should c So how do you choose? At a high level: - ---- - - - - - - - - - - - - - - - - - - - - -
                  Consider ...For these scenarios
                  In-place upgrade
                    -
                  • When you want to keep all (or at least most) existing applications

                  • -
                  • When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)

                  • -
                  • To migrate from Windows 10 to a later Windows 10 release

                  • -
                  Traditional wipe-and-load
                    -
                  • When you upgrade significant numbers of applications along with the new Windows OS

                  • -
                  • When you make significant device or operating system configuration changes

                  • -
                  • When you “start clean”. For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs

                  • -
                  • When you migrate from Windows Vista or other previous operating system versions

                  • -
                  Dynamic provisioning
                    -
                  • For new devices, especially in “choose your own device” scenarios when simple configuration (not reimaging) is all that is required

                  • -
                  • When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps

                  • -
                  +| Consider ... | For these scenarios | +|---|---| +| In-place upgrade | - When you want to keep all (or at least most) existing applications
                  - When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)
                  - To migrate from Windows 10 to a later Windows 10 release | +| Traditional wipe-and-load | - When you upgrade significant numbers of applications along with the new Windows OS
                  - When you make significant device or operating system configuration changes
                  - When you “start clean”. For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs
                  - When you migrate from Windows Vista or other previous operating system versions | +| Dynamic provisioning | - For new devices, especially in “choose your own device” scenarios when simple configuration (not reimaging) is all that is required.
                  - When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps | + -  ## Migration from previous Windows versions For existing PCs running Windows 7 or Windows 8.1, in-place upgrade is the recommended method for Windows 10 deployment and should be used whenever possible. Although wipe-and-load (OS refresh) deployments are still fully supported (and necessary in some scenarios, as mentioned previously), in-place upgrade is simpler and faster, and enables a faster Windows 10 deployment overall. @@ -105,7 +72,7 @@ In either of these scenarios, you can make a variety of configuration changes to ## Stay up to date -For computers already running Windows 10 on the Semi-Annual Channel, new upgrades will be deployed two times per year. You can deploy these upgrades by using a variety of methods: +For computers using the [General Availability Channel](../update/waas-overview.md#general-availability-channel), you can deploy these upgrades by using a variety of methods: - Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet. - Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they are approved (deploying like an update). diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index c23e505800..c5160d884a 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md 
@@ -17,6 +17,8 @@ ms.topic: article Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that are no longer being developed in Windows 10. For information about features that have been removed, see [Features we removed](windows-10-removed-features.md). +For information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3). + The features described below are no longer being actively developed, and might be removed in a future update. Some features have been replaced with other features or functionality and some are now available from other sources. **The following list is subject to change and might not include every affected feature or functionality.** @@ -26,7 +28,7 @@ The features described below are no longer being actively developed, and might b |Feature | Details and mitigation | Announced in version | | ----------- | --------------------- | ---- | -| BitLocker To Go Reader | Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows 10/11.
                  The following items might not be available in a future release of Windows client:
                  - ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**
                  - Command line parameter: [manage-bde -DiscoveryVolumeType](/windows-server/administration/windows-commands/manage-bde-on) (-dv)
                  - Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**
                  - BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 | +| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**
                  Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows 10/11.
                  The following items might not be available in a future release of Windows client:
                  - ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**
                  - Command line parameter: [manage-bde -DiscoveryVolumeType](/windows-server/administration/windows-commands/manage-bde-on) (-dv)
                  - Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**
                  - BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 | | Internet Explorer (IE) 11 | The IE11 desktop application will end support for certain operating systems starting June 15, 2022. For more information, see [Internet Explorer 11](/lifecycle/products/internet-explorer-11). | 21H1 | | Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 | | Windows Management Instrumentation Command line (WMIC) tool. | The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 semi-annual channel release of Windows Server. This tool is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation only applies to the [command-line management tool](/windows/win32/wmisdk/wmic). WMI itself is not affected. | 21H1 | diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml index b832a4fcdd..a8e1aa8c67 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml 
@@ -79,7 +79,7 @@ sections: - question: | Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image? answer: | - Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md). + Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md). - question: | Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free? 
@@ -103,7 +103,7 @@ sections: - question: | What are the servicing channels? answer: | - To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](../update/waas-overview.md#servicing-channels). + To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: General Availability Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](../update/waas-overview.md#servicing-channels). - question: | What tools can I use to manage Windows as a service updates? 
diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md index 2725d29de0..a790a1e83a 100644 --- a/windows/deployment/planning/windows-10-removed-features.md +++ b/windows/deployment/planning/windows-10-removed-features.md @@ -24,6 +24,8 @@ For information about features that might be removed in a future release, see [W > [!NOTE] > Join the [Windows Insider program](https://insider.windows.com) to get early access to new Windows 10 builds and test these changes yourself. +For information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3). + The following features and functionalities have been removed from the installed product image for Windows 10. Applications or code that depend on these features won't function in the release when it was removed, or in later releases. |Feature | Details and mitigation | Removed in version | 
@@ -62,7 +64,6 @@ The following features and functionalities have been removed from the installed |TCP Offload Engine | Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193)| 1709 | |Tile Data Layer |To be replaced by the Tile Store.| 1709 | |Resilient File System (ReFS) (added: August 17, 2017)| Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability. | 1709 | -|Apps Corner| This Windows 10 mobile application is removed in the version 1703 release. | 1703 | |By default, Flash autorun in Edge is turned off. | Use the Click-to-Run (C2R) option instead. (This setting can be changed by the user.) | 1703 | |Interactive Service Detection Service| See [Interactive Services](/windows/win32/services/interactive-services) for guidance on how to keep software up to date. | 1703 | |Microsoft Paint | This application will not be available for languages that are not on the [full localization list](https://www.microsoft.com/windows/windows-10-specifications#Windows-10-localization). | 1703 | diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md index ae8c69d273..b73c7cb293 100644 --- a/windows/deployment/update/WIP4Biz-intro.md +++ b/windows/deployment/update/WIP4Biz-intro.md 
@@ -1,7 +1,7 @@ --- title: Introduction to the Windows Insider Program for Business description: In this article, you'll learn about the Windows Insider Program for Business and why IT Pros should join. -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight +keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight ms.custom: seo-marvel-apr2020 ms.prod: w10 ms.mktglfcycl: manage 
@@ -22,7 +22,7 @@ ms.topic: article > **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the Semi-Annual Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. +For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the General Availability Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. The Windows Insider Program for Business gives you the opportunity to: 
@@ -35,7 +35,7 @@ The Windows Insider Program for Business gives you the opportunity to: Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans, and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App. -The Windows Insider Program doesn't replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. +The Windows Insider Program doesn't replace General Availability Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. [![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the Semi-Annual Channel Targeted ring for Pilot deployment, and the Semi-Annual Channel for broad deployment.](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)
                  Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments. @@ -52,12 +52,12 @@ Windows 10 Insider Preview builds offer organizations a valuable and exciting op ## Validate Insider Preview builds Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits: - -- Get a head start on your Windows validation process -- Identify issues sooner to accelerate your Windows deployment -- Engage Microsoft earlier for help with potential compatibility issues -- Deploy Windows 10 Semi-Annual releases faster and more confidently -- Maximize the 18-month support Window that comes with each Semi-Annual release. + +- Get a head start on your Windows validation process. +- Identify issues sooner to accelerate your Windows deployment. +- Engage Microsoft earlier for help with potential compatibility issues. +- Deploy Windows 10 General Availability Channel releases faster and more confidently. +- Maximize the support window that comes with each General Availability Channel release. |Objective |Feature exploration| |---------|---------| diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md deleted file mode 100644 index 1f326784c8..0000000000 --- a/windows/deployment/update/change-history-for-update-windows-10.md +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -title: Change history for Update Windows 10 (Windows 10) -description: This topic lists new and updated topics in the Update Windows 10 documentation for Windows 10. -ms.prod: w10 -ms.mktglfcycl: manage -audience: itpro -author: jaimeo -ms.author: jaimeo -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Change history for Update Windows 10 - -This topic lists new and updated topics in the [Update Windows 10](index.md) documentation for [Deploy and Update Windows 10](/windows/deployment). - ->If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). - -## September 2018 - -| New or changed topic | Description | -| --- | --- | -| [Get started with Windows Update](windows-update-overview.md) | New | - - -## RELEASE: Windows 10, version 1709 - -The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). - -## September 2017 - -| New or changed topic | Description | -| --- | --- | -| [Olympia Corp](olympia/olympia-enrollment-guidelines.md) | New | - -## July 2017 - -All topics were updated to reflect the new [naming changes](waas-overview.md#naming-changes). - -## May 2017 - -| New or changed topic | Description | -| --- | --- | -| [Manage additional Windows Update settings](waas-wu-settings.md) | New | - -## RELEASE: Windows 10, version 1703 - -The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added: -* [Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-get-started) -* [Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-register) \ No newline at end of file 
diff --git a/windows/deployment/update/delivery-optimization-proxy.md b/windows/deployment/update/delivery-optimization-proxy.md
index 5e3fa30528..a03d3f5fb1 100644
--- a/windows/deployment/update/delivery-optimization-proxy.md
+++ b/windows/deployment/update/delivery-optimization-proxy.md
@@ -15,7 +15,10 @@ ms.topic: article
 # Using a proxy with Delivery Optimization
-**Applies to**: Windows 10
+**Applies to**
+
+- Windows 10
+- Windows 11
 When Delivery Optimization downloads content from HTTP sources, it uses the automatic proxy discovery capability of WinHttp to streamline and maximize the support for complex proxy configurations as it makes range requests from the content server. It does this by setting the **WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY** flag in all HTTP calls.
diff --git a/windows/deployment/update/delivery-optimization-workflow.md b/windows/deployment/update/delivery-optimization-workflow.md
new file mode 100644
index 0000000000..c12811fc60
--- /dev/null
+++ b/windows/deployment/update/delivery-optimization-workflow.md
@@ -0,0 +1,44 @@ +--- +title: Delivery Optimization client-service communication explained +manager: dougeby +description: Details of how Delivery Optimization communicates with the server when content is requested to download. +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: carmenf +ms.localizationpriority: medium +ms.author: carmenf +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Delivery Optimization client-service communication explained + +**Applies to** + +- Windows 10 +- Windows 11 + +## Download request workflow + +This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. Delivery Optimization uses content metadata to determine all available locations to pull content from, as well as content verification. + + +1. When a download starts, the Delivery Optimization client attempts to get its content metadata. This content metadata is a hash file containing the SHA-256 block-level hashes of each piece in the file (typically one piece = 1 MB). +2. The authenticity of the content metadata file itself is verified prior to any content being downloaded using a hash that is obtained via an SSL channel from the Delivery Optimization service. The same channel is used to ensure the content is curated and authorized to leverage peer-to-peer. +3. When Delivery Optimization pulls a certain piece of the hash from another peer, it verifies the hash against the known hash in the content metadata file. +4. If a peer provides an invalid piece, that piece is discarded. When a peer sends multiple bad pieces, it's banned and will no longer be used as a source by the Delivery Optimization client performing the download. +5. 
If Delivery Optimization is unable to obtain the content metadata file, or if the verification of the hash file itself fails, the download will fall back to “simple mode” (pulling content only from an HTTP source) and peer-to-peer won't be allowed. +6. Once downloading is complete, Delivery Optimization uses all retrieved pieces of the content to put the file together. At that point, the Delivery Optimization caller (for example, Windows Update) checks the entire file to verify the signature prior to installing it. + +## Delivery Optimization service endpoint and data information + +|Endpoint hostname|Port|Name|Description|Data sent from the computer to the endpoint +|--------------------------------------------|--------|---------------|-----------------------|------------------------| +| geover-prod.do.dsp.mp.microsoft.com
                  geo-prod.do.dsp.mp.microsoft.com
                  geo.prod.do.dsp.mp.microsoft.com
                  geover.prod.do.dsp.mp.microsoft.com | 443 | Geo | Service used to identify the location of the device in order to direct it to the nearest data center. | **Profile**: The device type (for example, PC or Xbox)
                  **doClientVersion**: The version of the DoSvc client
                  **groupID**: Group the device belongs to (set with DownloadMode = '2' (Group download mode) + groupID group policy / MDM policies) | +| kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services as well as device configs. | **countryCode**: The country the client is connected from
                  **doClientVersion**: The version of the DoSvc client
                  **Profile**: The device type (for example, PC or Xbox)
                  **eId**: Client grouping Id
                  **CacheHost**: Cache host id | +| cp\*.prod.do.dsp.mp.microsoft.com
                  | 443 | Content Policy | Provides content specific policies as well as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox)
                  **ContentId**: The content identifier
                  **doClientVersion**: The version of the DoSvc client
                  **countryCode**: The country the client is connected from
                  **altCatalogId**: If ContentId isn't available, use the download URL instead
                  **eId**: Client grouping Id
                  **CacheHost**: Cache host id | +| disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupId and external IP. | **Profile**: The device type (for example, PC or Xbox)
                  **ContentId**: The content identifier
                  **doClientVersion**: The version of the DoSvc client
                  **partitionId**: Client partitioning hint
                  **altCatalogId**: If ContentId isn't available, use the download URL instead
                  **eId**: Client grouping Id | +| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox)
                  **ContentId**: The content identifier
                  **doClientVersion**: The version of the DoSvc client
                  **altCatalogId**: If ContentId isn't available, use the download URL instead
                  **PeerId**: Identity of the device running DO client
                  **ReportedIp**: The internal / private IP Address
                  **IsBackground**: Is the download interactive or background
                  **Uploaded**: Total bytes uploaded to peers
                  **Downloaded**: Total bytes downloaded from peers
                  **DownloadedCdn**: Total bytes downloaded from CDN
                  **Left**: Bytes left to download
                  **Peers Wanted**: Total number of peers wanted
                  **Group Id**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies)
                  **Scope**: The Download mode
                  **UploadedBPS**: The upload speed in bytes per second
                  **DownloadBPS**: The download speed in Bytes per second
                  **eId**: Client grouping Id | +| dl.delivery.mp.microsoft.com
                  emdl.ws.microsoft.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. | diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md index c62f135de1..73f4b8e93f 100644 --- a/windows/deployment/update/deploy-updates-configmgr.md +++ b/windows/deployment/update/deploy-updates-configmgr.md @@ -1,6 +1,6 @@ --- -title: Deploy Windows 10 updates with Configuration Manager (Windows 10) -description: Deploy Windows 10 updates with Configuration Manager +title: Deploy Windows client updates with Configuration Manager +description: Deploy Windows client updates with Configuration Manager ms.prod: w10 ms.mktglfcycl: manage author: jaimeo @@ -15,6 +15,7 @@ ms.topic: article **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 See the Microsoft Endpoint Manager [documentation](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates. \ No newline at end of file diff --git a/windows/deployment/update/deploy-updates-intune.md b/windows/deployment/update/deploy-updates-intune.md index 5079d8a8f7..e871e5e68c 100644 --- a/windows/deployment/update/deploy-updates-intune.md +++ b/windows/deployment/update/deploy-updates-intune.md @@ -1,6 +1,6 @@ --- title: Deploy updates with Intune -description: Deploy Windows 10 updates with Intune +description: Deploy Windows client updates with Intune ms.prod: w10 ms.mktglfcycl: manage author: jaimeo 
@@ -15,6 +15,7 @@ ms.topic: article
 **Applies to**
-- Windows 10
+- Windows 10
+- Windows 11
-See the Microsoft Intune [documentation](/mem/intune/protect/windows-update-for-business-configure#windows-10-feature-updates) for details about using Intune to deploy and manage Windows 10 updates.
\ No newline at end of file
+See the Microsoft Intune [documentation](/mem/intune/protect/windows-update-for-business-configure#windows-10-feature-updates) for details about using Intune to deploy and manage Windows client updates.
\ No newline at end of file
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index 4eca196e15..67aa39dd4e 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -16,7 +16,10 @@ ms.topic: article
 # Windows Update for Business deployment service
-> Applies to: Windows 10
+**Applies to**
+
+- Windows 10
+- Windows 11
 The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update. It's designed to work in harmony with your existing Windows Update for Business policies.
@@ -26,6 +29,7 @@ The deployment service is designed for IT Pros who are looking for more control - You can stage deployments over a period of days or weeks by using rich expressions (for example, deploy 20H2 to 500 devices per day, beginning on March 14, 2021). - You can bypass pre-configured Windows Update for Business policies to immediately deploy a security update across your organization when emergencies arise. - You can benefit from deployments with automatic piloting tailored to your unique device population to ensure coverage of hardware and software in your organization. +- You can use safeguards against likely update issues that have been identified by Microsoft machine-learning algorithms and automatically hold the deployment for any affected devices. The service is privacy focused and backed by leading industry compliance certifications. 
@@ -49,42 +53,39 @@ Using the deployment service typically follows a common pattern: 2. The chosen tool conveys your approval, scheduling, and device selection information to the deployment service. 3. The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers approved content to devices on their next check for updates. - The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as Microsoft Endpoint Manager. ## Prerequisites To work with the deployment service, devices must meet all these requirements: -- Be running Windows 10, version 1709 or later +- Be running Windows 10, version 1709 or later (or Windows 11) - Be joined to Azure Active Directory (AD) or Hybrid AD -- Have one of the following Windows 10 editions installed: - - Windows 10 Pro - - Windows 10 Enterprise - - Windows 10 Education - - Windows 10 Pro Education - - Windows 10 Pro for Workstations +- Have one of the following Windows 10 or Windows 11 editions installed: + - Pro + - Enterprise + - Education + - Pro Education + - Pro for Workstations Additionally, your organization must have one of the following subscriptions: -- Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) -- Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5) +- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) +- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) - Windows Virtual Desktop Access E3 or E5 - Microsoft 365 Business Premium - ## Getting started To use the deployment service, you use a management tool built on the platform, script common actions using PowerShell, or build your own application. 
### Using Microsoft Endpoint Manager -Microsoft Endpoint Manager integrates with the deployment service to provide Windows 10 update management capabilities. For more information, see [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates). +Microsoft Endpoint Manager integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates). ### Scripting common actions using PowerShell The Microsoft Graph SDK includes a PowerShell extension that you can use to script and automate common update actions. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/graph/powershell/get-started). - ### Building your own application Microsoft Graph makes deployment service APIs available through. Get started with these learning paths: 
@@ -110,49 +111,58 @@ This built-in piloting capability complements your existing ring structure and p You should continue to use deployment rings as part of the servicing strategy for your organization, but use gradual rollouts to add scheduling convenience and additional protections within each ring. +### Safeguard holds against likely and known issues + +Microsoft uses [safeguard holds](/windows/deployment/update/safeguard-holds) to protect devices from encountering known quality or compatibility issues by preventing them from installing the update or upgrade. For Windows 11 deployments, the deployment service extends these safeguard holds to also protect devices that Microsoft identifies as being at a higher risk of experiencing problems after an update (such as operating system rollbacks, app crashes, or graphics issues). The service temporarily holds the deployment for these devices while Microsoft investigates the likely issue. Safeguard holds apply to deployments by default, but you can opt out. + +To verify whether a device is affected by a safeguard hold, see [Am I affected by a safeguard hold?](/windows/deployment/update/safeguard-holds#am-i-affected-by-a-safeguard-hold) + ### Monitoring deployments to detect rollback issues -During a feature update deployment, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues. - +During deployments of Windows 11 or Windows 10 feature updates, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues. 
### How to enable deployment protections -Deployment scheduling controls are always available, but to take advantage of the unique deployment protections tailored to your organization, devices must share diagnostic data with Microsoft. +Deployment scheduling controls are always available, but to take advantage of the unique deployment protections tailored to your population, devices must share diagnostic data with Microsoft. #### Device prerequisites -> [!NOTE] -> Deployment protections are currently in preview and available if you're using Update Compliance. If you set these policies on a a device that isn't enrolled in Update Compliance, there is no effect. - - Diagnostic data is set to *Required* or *Optional*. - The **AllowWUfBCloudProcessing** policy is set to **8**. #### Set the **AllowWUfBCloudProcessing** policy -To enroll devices in Windows Update for Business cloud processing, set the **AllowWUfBCloudProcessing** policy using mobile device management (MDM) policy. - -> [!NOTE] -> Setting this policy by using Group Policy isn't currently supported. +To enroll devices in Windows Update for Business cloud processing, set the **AllowWUfBCloudProcessing** policy using mobile device management (MDM) policy or Group Policy. 
| Policy | Sets registry key under **HKLM\\Software** | |--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| +| GPO for Windows 10, version 1809 or later: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow WUfB Cloud Processing** | \\Policies\\Microsoft\\Windows\\DataCollection\\AllowWUfBCloudProcessing | | MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing | Following is an example of setting the policy using Microsoft Endpoint Manager: 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + 2. Select **Devices** > **Configuration profiles** > **Create profile**. + 3. Select **Windows 10 and later** in **Platform**, select **Templates** in **Profile type**, select **Custom** in **Template name**, and then select **Create**. + 4. In **Basics**, enter a meaningful name and a description for the policy, and then select **Next**. + 5. In **Configuration settings**, select **Add**, enter the following settings, select **Save**, and then select **Next**. - Name: **AllowWUfBCloudProcessing** - Description: Enter a description. - OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing` - Data type: **Integer** - Value: **8** + 6. In **Assignments**, select the groups that will receive the profile, and then select **Next**. + 7. In **Review + create**, review your settings, and then select **Create**. -8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**. + +8. 
(Optional) To verify that the policy reached the client, check the value of the following registry entry: + + **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing** ## Best practices Follow these suggestions for the best results with the service. @@ -160,6 +170,7 @@ Follow these suggestions for the best results with the service. ### Device onboarding - Wait until devices finish provisioning before managing with the service. If a device is being provisioned by Autopilot, it can only be managed by the deployment service after it finishes provisioning (typically one day). + - Use the deployment service for feature update management without feature update deferral policy. If you want to use the deployment service to manage feature updates on a device that previously used a feature update deferral policy, it's best to set the feature update deferral policy to **0** days to avoid having multiple conditions governing feature updates. You should only change the feature update deferral policy value to 0 days after you've confirmed that the device was enrolled in the service with no errors. ### General @@ -171,5 +182,5 @@ Avoid using different channels to manage the same resources. If you use Microsof To learn more about the deployment service, try the following: -- [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates) +- [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) - [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) diff --git a/windows/deployment/update/feature-update-conclusion.md b/windows/deployment/update/feature-update-conclusion.md deleted file mode 100644 index d8206d5491..0000000000 --- a/windows/deployment/update/feature-update-conclusion.md +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -title: Best practices for feature updates - conclusion -description: This article includes final thoughts about how to deploy and stay up-to-date with Windows 10 feature updates. -ms.prod: w10 -ms.mktglfcycl: manage -audience: itpro -itproauthor: jaimeo -author: jaimeo -ms.localizationpriority: medium -ms.author: jaimeo -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Conclusion - -**Applies to**: Windows 10 - -Mission critical devices that need to be online 24x7 pose unique challenges for the IT Pro looking to stay current with the latest Windows 10 feature update. Because these devices are online continually, providing mission critical services, with only a small window of time available to apply feature updates, specific procedures are required to effectively keep these devices current, with as little downtime as possible. - -Whether you have defined servicing windows at your disposal where feature updates can be installed automatically, or you require user initiated installs by a technician, this whitepaper provides guidelines for either approach. Improvements are continually being made to Windows 10 setup to reduce device offline time for feature updates. This whitepaper will be updated as enhancements become available to improve the overall servicing approach and experience. - diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md deleted file mode 100644 index 771a7648f8..0000000000 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ /dev/null 
@@ -1,264 +0,0 @@ ---- -title: Best practices - deploy feature updates during maintenance windows -description: Learn how to configure maintenance windows and how to deploy feature updates during a maintenance window. -ms.prod: w10 -ms.mktglfcycl: manage -audience: itpro -author: jaimeo -ms.localizationpriority: medium -ms.author: jaimeo -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Deploy feature updates during maintenance windows - -**Applies to**: Windows 10 - -Use the following information to deploy feature updates during a maintenance window. - -## Get ready to deploy feature updates - -### Step 1: Configure maintenance windows - -1. In the Configuration Manager console, choose **Assets and Compliance> Device Collections**. -2. In the **Device Collections** list, select the collection for which you intended to deploy the feature update(s). -3. On the **Home** tab, in the **Properties** group, choose **Properties**. -4. In the **Maintenance Windows** tab of the `` Properties dialog box, choose the New icon. -5. Complete the `` Schedule dialog. -6. Select from the Apply this schedule to drop-down list. -7. Choose **OK** and then close the **\ Properties** dialog box. - -### Step 2: Review computer restart device settings - -If you're not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration. - -For example, by default, 90 minutes will be honored before the system is rebooted after the feature update install. If users will not be impacted by the user logoff or restart, there is no need to wait a full 90 minutes before rebooting the computer. 
If a delay and notification is needed, ensure that the maintenance window takes this into account along with the total time needed to install the feature update. - ->[!NOTE] -> The following settings must be shorter in duration than the shortest maintenance window applied to the computer. ->- **Display a temporary notification to the user that indicates the interval before the user is logged off or the computer restarts (minutes).** ->- **Display a dialog box that the user cannot close, which displays the countdown interval before the user is logged off or the computer restarts (minutes).** - -### Step 3: Enable Peer Cache - -Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache. - -[Enable Configuration Manager client in full OS to share content](/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). - -### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later) - -If you're deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. 
- -**%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini** - -``` -[SetupConfig] -Priority=Normal -``` - -You can use the new [Run Scripts](/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. - -```powershell -#Parameters -Param( - [string] $PriorityValue = "Normal" - ) - -#Variable for ini file path -$iniFilePath = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini" - -#Variables for SetupConfig -$iniSetupConfigSlogan = "[SetupConfig]" -$iniSetupConfigKeyValuePair =@{"Priority"=$PriorityValue;} - -#Init SetupConfig content -$iniSetupConfigContent = @" -$iniSetupConfigSlogan -"@ - -#Build SetupConfig content with settings -foreach ($k in $iniSetupConfigKeyValuePair.Keys) -{ - $val = $iniSetupConfigKeyValuePair[$k] - - $iniSetupConfigContent = $iniSetupConfigContent.Insert($iniSetupConfigContent.Length, "`r`n$k=$val") -} - -#Write content to file -New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force - -<# -Disclaimer -Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is -provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without -limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk -arising out of the use or performance of the sample script and documentation remains with you. 
In no event shall -Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable -for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, -loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script -or documentation, even if Microsoft has been advised of the possibility of such damages. -#> -``` - -> [!NOTE] -> If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. - -## Manually deploy feature updates - -The following sections provide the steps to manually deploy a feature update. - -### Step 1: Specify search criteria for feature updates -There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. - -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. -3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: - - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. 
- - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English. - -4. Save the search for future use. - -### Step 2: Download the content for the feature updates -Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. - -1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. -2. Choose the **feature update(s)** to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**. - - The **Download Software Updates Wizard** opens. -3. On the **Deployment Package** page, configure the following settings: - **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: - - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. - - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. - - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or click **Browse** to find the network location. 
You must create the shared folder for the deployment package source files before you proceed to the next page. - - > [!NOTE] - > The deployment package source location that you specify cannot be used by another software deployment package. - - > [!IMPORTANT] - > The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. - - > [!IMPORTANT] - > You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. - - Click **Next**. -4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). - - > [!NOTE] - > The Distribution Points page is available only when you create a new software update deployment package. -5. On the **Distribution Settings** page, specify the following settings: - - - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. 
- - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios). - - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: - - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. - - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. - - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. - - For more information about prestaging content to distribution points, see [Use Prestaged content](/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). - Click **Next**. -6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: - - - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. 
- - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. - - > [!NOTE] - > When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. - - Click **Next**. -7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. -8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. -9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. - -#### To monitor content status -1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. -2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. -3. Select the feature update package that you previously identified to download the feature updates. -4. On the **Home** tab, in the Content group, click **View Status**. - -### Step 3: Deploy the feature update(s) -After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). - -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. 
-3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. - - The **Deploy Software Updates Wizard** opens. -4. On the General page, configure the following settings: - - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** - - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. - - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. - - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. - - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. -5. On the Deployment Settings page, configure the following settings: - - - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. 
- - > [!IMPORTANT] - > After you create the software update deployment, you cannot later change the type of deployment. - - > [!NOTE] - > A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. - - - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. - - > [!WARNING] - > Before you can use this option, computers and networks must be configured for Wake On LAN. - - - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. -6. On the Scheduling page, configure the following settings: - - - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. - - > [!NOTE] - > When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. 
- - - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: - - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. - - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. - - > [!NOTE] - > You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. - - - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. - - > [!NOTE] - > The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](/sccm/core/clients/deploy/about-client-settings#computer-agent). -7. 
On the User Experience page, configure the following settings: - - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. - - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](/sccm/core/clients/manage/collections/use-maintenance-windows). - - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. - - > [!IMPORTANT] - > Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. 
- - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. - - > [!NOTE] - > When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. - - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. -8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. - - > [!NOTE] - > You can review recent software updates alerts from the Software Updates node in the Software Library workspace. -9. On the Download Settings page, configure the following settings: - - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. - - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. 
- - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). - - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content. - - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. - - > [!NOTE] - > Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source priority](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#content-source-priority). -10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. -11. Click **Next** to deploy the feature update(s). - -### Step 4: Monitor the deployment status - -After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status: - -1. 
In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. -2. Click the software update group or software update for which you want to monitor the deployment status. -3. On the **Home** tab, in the **Deployment** group, click **View Status**. diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md deleted file mode 100644 index 052bebb7c1..0000000000 --- a/windows/deployment/update/feature-update-mission-critical.md +++ /dev/null 
@@ -1,44 +0,0 @@
----
-title: Best practices and recommendations for deploying Windows 10 Feature updates to mission-critical devices
-description: Learn how to use the Microsoft Endpoint Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
-ms.prod: w10
-ms.mktglfcycl: manage
-audience: itpro
-itproauthor: jaimeo
-author: jaimeo
-ms.localizationpriority: medium
-ms.author: jaimeo
-ms.reviewer:
-manager: laurawi
-ms.collection: M365-modern-desktop
-ms.topic: article
-ms.custom: seo-marvel-apr2020
----
-
-# Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices
-
-**Applies to**: Windows 10
-
-Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren't the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
-
-For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, see [Manage Windows as a service using Configuration Manager](/configmgr/osd/deploy-use/manage-windows-as-a-service).
-
-Devices and shared workstations that are online and available 24 hours a day, 7 days a week, can be serviced via one of two primary methods:
-
-- **Service during maintenance windows** – Devices that have established maintenance windows will need to have feature updates scheduled to fit within these windows.
-- **Service only when manually initiated** – Devices that need physical verification of the availability to update will need to have updates manually initiated by a technician.
-
-You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example:
-
-- **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade.
-- **Additional required tasks.** When deploying a feature update requires additional steps (for example, suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments.
-- **Language pack installations.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs.
-
-If you need to use a task sequence to deploy feature updates, see [Manage Windows as a service using Configuration Manager](/configmgr/osd/deploy-use/manage-windows-as-a-service) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks performed pre-install or pre-commit, see the new [run custom actions](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You might find this option useful in deploying software updates.
-
-Use the following information:
-
-
-- [Deploy feature updates during maintenance windows](feature-update-maintenance-window.md)
-- [Deploy feature updates for user-initiated installations](feature-update-user-install.md)
-- [Conclusion](feature-update-conclusion.md)
\ No newline at end of file
diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md
index fc45328c40..13a811171f 100644
--- a/windows/deployment/update/fod-and-lang-packs.md
+++ b/windows/deployment/update/fod-and-lang-packs.md
@@ -16,15 +16,18 @@ ms.custom: seo-marvel-apr2020 --- # How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager -> Applies to: Windows 10 +**Applies to** -In Windows 10 version 21H2, non-Administrator user accounts can add both a display language and its corresponding language features. +- Windows 10 +- Windows 11 + +In Windows 10 version 21H2 and later, non-Administrator user accounts can add both a display language and its corresponding language features. As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS. The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions. -In Windows 10 version 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FOD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location. Changing this policy on these OS versions does not influence how language packs are acquired. +In Windows 10 versions 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FOD packages while also enabling corruption repair. 
Specifying a network location works for either, depending on the content is found at that location. Changing this policy on these OS versions does not influence how language packs are acquired. In Windows 10 version 1809 and beyond, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update. It's currently not possible to acquire them from a network share. Specifying a network location works for FOD packages or corruption repair, depending on the content at that location. diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md index b034e4e658..a9cda4ed31 100644 --- a/windows/deployment/update/get-started-updates-channels-tools.md +++ b/windows/deployment/update/get-started-updates-channels-tools.md @@ -1,7 +1,7 @@ --- -title: Windows 10 updates, channels, and tools +title: Windows client updates, channels, and tools description: Brief summary of the kinds of Windows updates, the channels they are served through, and the tools for managing them -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 ms.mktglfcycl: manage author: jaimeo @@ -12,7 +12,12 @@ manager: laurawi ms.topic: article --- -# Windows 10 updates, channels, and tools +# Windows client updates, channels, and tools + +**Applies to** + +- Windows 10 +- Windows 11 ## How Windows updates work 
@@ -30,34 +35,31 @@ version of the software. We include information here about many different update types you'll hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*. -- **Feature updates:** Released twice per year, during the first half and second half of each calendar year. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage. -- **Quality updates:** Quality updates deliver both security and non-security fixes to Windows 10. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously. +- **Feature updates:** Released annually. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage. +- **Quality updates:** Quality updates deliver both security and non-security fixes. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. 
Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously. - **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md). - **Driver updates**: These update drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not. - **Microsoft product updates:** These update other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools. 
- ## Servicing channels -Windows 10 offers three servicing channels, each of which offers you a different level of flexibility with how and when updates are delivered to devices. Using the different servicing channels allows you to deploy Windows 10 "as a service," which conceives of deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. +There are three servicing channels, each of which offers you a different level of flexibility with how and when updates are delivered to devices. Using the different servicing channels allows you to deploy Windows "as a service," which conceives of deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. The first step of controlling when and how devices install updates is assigning them to the appropriate servicing channel. You can assign devices to a particular channel with any of several tools, including Microsoft Endpoint Configuration Manager, Windows Server Update Services (WSUS), and Group Policy settings applied by any of several means. By dividing devices into different populations ("deployment groups" or "rings") you can use servicing channel assignment, followed by other management features such as update deferral policies, to create a phased deployment of any update that allows you to start with a limited pilot deployment for testing before moving to a broad deployment throughout your organization. 
-### Semi-annual Channel +### General Availability Channel -In the Semi-annual Channel, feature updates are available as soon as Microsoft releases them, twice per year. As long as a device isn't set to defer feature updates, any device using the Semi-annual Channel will install a feature update as soon as it's released. If you use Windows Update for Business, the Semi-annual Channel provides three months of additional total deployment time before being required to update to the next release. +In the General Availability Channel, feature updates are released annually. As long as a device isn't set to defer feature updates, any device in this channel will install a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release. -> [!NOTE] -> All releases of Windows 10 have **18 months of servicing for all editions**--these updates provide security and feature updates for the release. However, fall releases of the **Enterprise and Education editions** will have an **additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release**. This extended servicing window applies to Enterprise and Education editions starting with Windows 10, version 1607. ### Windows Insider Program for Business Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. 
There are actually three options within the Windows Insider Program for Business channel: -- Windows Insider Fast -- Windows Insider Slow +- Windows Insider Dev +- Windows Insider Beta - Windows Insider Release Preview We recommend that you use the Windows Insider Release Preview channel for validation activities. 
@@ -65,17 +67,17 @@ We recommend that you use the Windows Insider Release Preview channel for valida ### Long-term Servicing Channel -The **Long-Term Servicing Channel** is designed to be used only for specialized devices (which typically don't run Office) such as ones that control medical equipment or ATMs. Devices on this channel receive new feature releases every two to three years. LTSB releases service a special LTSB edition of Windows 10 and are only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). +The **Long-Term Servicing Channel** is designed to be used only for specialized devices (which typically don't run Office) such as ones that control medical equipment or ATMs. Devices on this channel receive new feature releases every two to three years. LTSC releases service a special LTSC edition of Windows 10 and are only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). -The Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition. +The General Availability Channel is the default servicing channel for all Windows devices except those with the LTSC edition installed. The following table shows the servicing channels available to each edition. 
-| Windows 10 edition | Semi-Annual Channel | Insider Program | Long-Term Servicing Channel | +| Edition | General Availability Channel | Insider Program | Long-Term Servicing Channel | | --- | --- | --- | --- | | Home | ![yes.](images/checkmark.png)|![no](images/crossmark.png) | ![no](images/crossmark.png)| | Pro | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png)| | Enterprise | ![yes.](images/checkmark.png) |![yes](images/checkmark.png) | ![no](images/crossmark.png)| -| Enterprise LTSB | ![no.](images/crossmark.png) |![no](images/crossmark.png) | ![yes](images/checkmark.png)| +| Enterprise LTSC | ![no.](images/crossmark.png) |![no](images/crossmark.png) | ![yes](images/checkmark.png)| | Pro Education | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png)| | Education | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png)| diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index 1cb0a47bf7..821586a7d8 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md @@ -1,6 +1,6 @@ --- title: How Windows Update works -description: In this article, learn about the process Windows Update uses to download and install updates on a Windows 10 devices. +description: In this article, learn about the process Windows Update uses to download and install updates on a Windows client devices. ms.prod: w10 ms.mktglfcycl: audience: itpro diff --git a/windows/deployment/update/images/uc-workspace-safeguard-holds-device-view.png b/windows/deployment/update/images/uc-workspace-safeguard-holds-device-view.png new file mode 100644 index 0000000000..4f11e64555 Binary files /dev/null and b/windows/deployment/update/images/uc-workspace-safeguard-holds-device-view.png differ 
diff --git a/windows/deployment/update/images/uc-workspace-safeguard-holds-safeguard-hold-view.png b/windows/deployment/update/images/uc-workspace-safeguard-holds-safeguard-hold-view.png
new file mode 100644
index 0000000000..b4c348b964
Binary files /dev/null and b/windows/deployment/update/images/uc-workspace-safeguard-holds-safeguard-hold-view.png differ
diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md
index 3f72fde718..3eef8dae64 100644
--- a/windows/deployment/update/index.md
+++ b/windows/deployment/update/index.md
@@ -1,6 +1,6 @@
 ---
-title: Update Windows 10 in enterprise deployments (Windows 10)
-description: Windows as a service provides an all-new way to think about building, deploying, and servicing Windows 10.
+title: Update Windows client in enterprise deployments
+description: Windows as a service provides an all-new way to think about building, deploying, and servicing Windows client.
 ms.prod: w10
 ms.mktglfcycl: manage
 author: jaimeo
@@ -10,19 +10,18 @@ ms.author: jaimeo ms.topic: article --- -# Update Windows 10 in enterprise deployments +# Update Windows client in enterprise deployments **Applies to** - Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -Windows as a service provides a new way to think about building, deploying, and servicing the Windows operating system. The Windows as a service model is focused on continually providing new capabilities and updates while maintaining a high level of hardware and software compatibility. Deploying new versions of Windows is simpler than ever before: Microsoft releases new features two to three times per year rather than the traditional upgrade cycle where new features are only made available every few years. Ultimately, this model replaces the need for traditional Windows deployment projects, which can be disruptive and costly, and spreads the required effort out into a continuous updating process, reducing the overall effort required to maintain Windows 10 devices in your environment. In addition, with the Windows 10 operating system, organizations have the chance to try out “flighted” builds of Windows as Microsoft develops them, gaining insight into new features and the ability to provide continual feedback about them. +Windows as a service provides a new way to think about building, deploying, and servicing the Windows operating system. The Windows as a service model is focused on continually providing new capabilities and updates while maintaining a high level of hardware and software compatibility. Deploying new versions of Windows is simpler than ever before: Microsoft releases new features two to three times per year rather than the traditional upgrade cycle where new features are only made available every few years. 
Ultimately, this model replaces the need for traditional Windows deployment projects, which can be disruptive and costly, and spreads the required effort out into a continuous updating process, reducing the overall effort required to maintain Windows client devices in your environment. In addition, with the Windows client operating system, organizations have the chance to try out “flighted” builds of Windows as Microsoft develops them, gaining insight into new features and the ability to provide continual feedback about them. ->[!TIP] ->See [Windows 10 update history](https://support.microsoft.com/help/12387/windows-10-update-history) for details about each Windows 10 update released to date. 
@@ -30,20 +29,18 @@ Windows as a service provides a new way to think about building, deploying, and | Topic | Description| | --- | --- | -| [Quick guide to Windows as a service](waas-quick-start.md) | Provides a brief summary of the key points for the new servicing model for Windows 10. | -| [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows 10; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. | -| [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. | -| [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates. | -| [Assign devices to servicing branches for Windows 10 updates](./waas-servicing-channels-windows-10-updates.md) | Explains how to assign devices to the Semi-Annual Channel for feature and quality updates, and how to enroll devices in Windows Insider. | +| [Quick guide to Windows as a service](waas-quick-start.md) | Provides a brief summary of the key points for the servicing model for Windows client. | +| [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows client; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. | +| [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. 
| +| [Assign devices to servicing branches for Windows client updates](/waas-servicing-channels-windows-10-updates.md) | Explains how to assign devices to the General Availability Channel for feature and quality updates, and how to enroll devices in Windows Insider. | | [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Update Compliance to monitor and manage Windows Updates on devices in your organization. | -| [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. | +| [Optimize update delivery](waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. | | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. | -| [Deploy Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. | -| [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | Explains how to use Configuration Manager to manage Windows 10 updates. | +| [Deploy Windows client updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows client updates. | +| [Deploy Windows client updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | Explains how to use Configuration Manager to manage Windows client updates. 
| | [Manage device restarts after updates](waas-restart.md) | Explains how to manage update related device restarts. | | [Manage additional Windows Update settings](waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update | | [Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-get-started) | Explains how the Windows Insider Program for Business works and how to become an insider. | >[!TIP] ->Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as Microsoft Endpoint Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. ->With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709). \ No newline at end of file +>For disaster recovery scenarios and bare-metal deployments of Windows client, you still can use traditional imaging software such as Microsoft Endpoint Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows client images is similar to deploying previous versions of Windows. 
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 3758d0c313..01eadf3247 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -16,7 +16,10 @@ ms.topic: article # Update Windows installation media with Dynamic Update -**Applies to**: Windows 10, Windows 11 +**Applies to** + +- Windows 10 +- Windows 11 This topic explains how to acquire and apply Dynamic Update packages to existing Windows images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process. diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md index addb9d4952..cad3343d01 100644 --- a/windows/deployment/update/optional-content.md +++ b/windows/deployment/update/optional-content.md 
@@ -15,9 +15,14 @@ ms.topic: article # Migrating and acquiring optional Windows content during updates +**Applies to** + +- Windows 10 +- Windows 11 + This article provides some background on the problem of keeping language resources and Features on Demand during operating system updates and offers guidance to help you move forward in the short term and prepare for the long term. -When you update the operating system, it’s critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows 10 setup using a local Windows image or WIM file (a “media-based” or “task-sequence-based” update). Others do in-place updates using an approved Windows 10 feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a "servicing-based” update). +When you update the operating system, it’s critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows client setup using a local Windows image or WIM file (a “media-based” or “task-sequence-based” update). Others do in-place updates using an approved Windows client feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a "servicing-based” update). Neither approach contains the full set of Windows optional features that a user’s device might need, so those features are not migrated to the new operating system. Further, those features are not available in Configuration Manager or WSUS for on-premises acquisition after a feature update 
@@ -29,7 +34,7 @@ Optional content includes the following items: - Language-based and regional FODs (for example, Language.Basic~~~ja-jp~0.0.1.0) - Local Experience Packs -Optional content isn’t included by default in the Windows image file that is part of the operating system media available in the Volume Licensing Service Center (VLSC). Instead, it’s released as an additional ISO file on VLSC. Shipping these features out of the operating system media and shipping them separately reduces the disk footprint of Windows. This provides more space for user’s data. It also reduces the time needed to service the operating system, whether installing a monthly quality update or upgrading to a newer version. A smaller default Windows image also means less data to transmit over the network. +Optional content isn’t included by default in the Windows image file that is part of the operating system media available in the Volume Licensing Service Center (VLSC). Instead, it’s released as an additional ISO file on VLSC. Shipping these features out of the operating system media and shipping them separately reduces the disk footprint of Windows. This approach provides more space for user’s data. It also reduces the time needed to service the operating system, whether installing a monthly quality update or upgrading to a newer version. A smaller default Windows image also means less data to transmit over the network. ## Why is acquiring optional content challenging? 
@@ -37,17 +42,17 @@ The challenges surrounding optional content typically fall into two groups: ### Incomplete operating system updates -The first challenge is related to content migration during a feature update. When Windows Setup performs an in-place update, the new operating is written to the user’s disk alongside the old version. This is a temporary folder, where a second clean operating system is installed and prepared for the user to "move into." When this happens, Windows Setup enumerates optional content installed already in the current version and plans to install the new version of this content in the new operating system. +The first challenge is related to content migration during a feature update. When Windows Setup performs an in-place update, the new operating system is written to the user’s disk alongside the old version in a temporary folder, where a second clean operating system is installed and prepared for the user to "move into." When operation happens, Windows Setup enumerates optional content installed already in the current version and plans to install the new version of this content in the new operating system. -Windows Setup needs access to the optional content to do this. Since optional content is not in the Windows image by default, Windows Setup must look elsewhere to get the Windows packages, stage them, and then install them in the new operating system. When the content can’t be found, the result is an update that is missing features on the device, a frustrated end user, and likely a help desk call. This pain point is sometimes referred to "failure to migrate optional content during update." For media-based updates, Windows will automatically try again once the new operating system boots. We call this “latent acquisition.” +Windows Setup needs access to the optional content. 
Since optional content is not in the Windows image by default, Windows Setup must look elsewhere to get the Windows packages, stage them, and then install them in the new operating system. When the content can’t be found, the result is an update that is missing features on the device, a frustrated end user, and likely a help desk call. This pain point is sometimes referred to "failure to migrate optional content during update." For media-based updates, Windows will automatically try again once the new operating system boots. We call this “latent acquisition.” ### User-initiated feature acquisition failure -The second challenge involves a failure to acquire features when a user requests them. Imagine a user running a device with a new version of Windows 10, either by using a clean installation or an in-place update. The user visits Settings, and attempts to install a second language, additional language experience features, or other optional content. Again, since these features are not in the operating system, the packages need to be acquired. For a typical user with internet access, Windows will acquire the features from a nearby Microsoft content delivery network, and everything works as designed. For commercial users, some might not have internet access or have policies to prevent acquisition over the internet. In these situations, Windows must acquire the content from an alternative location. When the content can’t be found, users are frustrated and another help desk call could result. This pain point is sometimes referred to as "failure to acquire optional content.” +The second challenge involves a failure to acquire features when a user requests them. Imagine a user running a device with a new version of Windows client, either by using a clean installation or an in-place update. The user visits Settings, and attempts to install a second language, more language experience features, or other optional content. 
Again, since these features are not in the operating system, the packages need to be acquired. For a typical user with internet access, Windows will acquire the features from a nearby Microsoft content delivery network, and everything works as designed. For commercial users, some might not have internet access or have policies to prevent acquisition over the internet. In these situations, Windows must acquire the content from an alternative location. When the content can’t be found, users are frustrated and another help desk call could result. This pain point is sometimes referred to as "failure to acquire optional content.” ## Options for acquiring optional content -Most commercial organizations understand the pain points outlined above, and discussions typically start with them asking what plans are available to address these challenges. The following table includes multiple options for consideration, depending on how you are currently deploying Windows 10. In this table, +Most commercial organizations understand the pain points outlined above, and discussions typically start with them asking what plans are available to address these challenges. The following table includes multiple options for consideration, depending on how you are currently deploying Windows client. In this table, - Migration means it supports optional content migration during an update. - Acquisition means it supports optional content acquisition (that is, initiated by the user). 
@@ -70,30 +75,30 @@ Most commercial organizations understand the pain points outlined above, and dis Windows Update for Business solves the optional content problem. Optional content is published and available for acquisition by Windows Setup from a nearby Microsoft content delivery network and acquired using the Unified Update Platform. Optional content migration and acquisition scenarios "just work" when the device is connected to an update service that uses the Unified Update Platform, such as Windows Update or Windows Update for Business. If for some reason a language pack fails to install during the update, the update will automatically roll back. -Starting with Windows 10, version 1709, we introduced the [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/). The Unified Update Platform is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is "unified" because it brings together the update stack for Windows 10, Windows Server, and other products, such as HoloLens. The Unified Update Platform is not currently integrated with WSUS. +Starting with Windows 10, version 1709, we introduced the [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/). The Unified Update Platform is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is "unified" because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens. The Unified Update Platform is not currently integrated with WSUS. 
-You should consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes also known as Express Updates. Further, devices that use devices are immune to the challenge of upgrading a Windows 10 device where the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. See [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/upgrading-windows-10-devices-with-installation-media-different/ba-p/746126) for more details, as well as our [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002) on this topic. +Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes also known as Express Updates. Further, devices that use devices are immune to the challenge of upgrading a Windows client device where the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. For more info, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/upgrading-windows-10-devices-with-installation-media-different/ba-p/746126) for more details, and our [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002) on this topic. 
### Option 2: Enable Dynamic Update -If you’re not ready to move to Windows Update, another option is to enable Dynamic Update during a feature update. As soon as a Windows 10 feature update starts, whether via a media-based update or a WSUS-based feature update, Dynamic Update is one of the first steps invoked. Windows 10 Setup connects to an internet-facing URL hosted by Microsoft to fetch Dynamic Update content, and then applies those updates to the operating system installation media. The content acquired includes the following: +If you’re not ready to move to Windows Update, another option is to enable Dynamic Update during a feature update. As soon as a Windows feature update starts, whether via a media-based update or a WSUS-based feature update, Dynamic Update is one of the first steps invoked. Windows Setup connects to an internet-facing URL hosted by Microsoft to fetch Dynamic Update content, and then applies those updates to the operating system installation media. The content acquired includes the following: - Setup updates: Fixes to Setup.exe binaries or any files that Setup uses for feature updates. - Safe OS updates: Fixes for the "safe OS" that are used to update Windows recovery environment (WinRE). -- Servicing stack updates: Fixes that are necessary to address the Windows 10 servicing stack issue and thus required to complete the feature update. +- Servicing stack updates: Fixes that are necessary to address the Windows servicing stack issue and thus required to complete the feature update. - Latest cumulative update: Installs the latest cumulative quality update. - Driver updates: Latest version of applicable drivers that have already been published by manufacturers into Windows Update and meant specifically for Dynamic Update. -In addition to these updates for the new operating system, Dynamic Update will acquire optional content during the update process to ensure that the device has this content present when the update completes. 
So, although the device is not connected to Windows Update, it will fetch content from a nearby Microsoft content download network (CDN). This addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows 10 Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this with setupconfig.ini. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details. +In addition to these updates for the new operating system, Dynamic Update will acquire optional content during the update process to ensure that the device has this content present when the update completes. So, although the device is not connected to Windows Update, it will fetch content from a nearby Microsoft content download network (CDN). This approach addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this value with setupconfig.ini. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details. -Starting in Windows 10, version 2004, Dynamic Update can be configured with additional options. For example, you might want to have the benefits of optional content migration without automatically acquiring the latest quality update. You can do that with the /DynamicUpdate NoLCU option of Windows Setup. Afterward, you would separately follow your existing process for testing and approving monthly updates. 
The downside of this approach is the device will go through an additional reboot for the latest cumulative update since it was not available during the feature update. +Starting in Windows 10, version 2004, Dynamic Update can be configured with more options. For example, you might want to have the benefits of optional content migration without automatically acquiring the latest quality update. You can do that with the /DynamicUpdate NoLCU option of Windows Setup. Afterward, you would separately follow your existing process for testing and approving monthly updates. The downside of this approach is the device will reboot again for the latest cumulative update since it was not available during the feature update. -One additional consideration when using Dynamic Update is the impact to your network. One of the top blockers for this approach is the concern that each device will separately fetch this content from Microsoft. Windows 10, version 2004 setup now downloads Dynamic Update content using Delivery Optimization when available. +One further consideration when using Dynamic Update is the affect on your network. One of the top blockers for this approach is the concern that each device will separately fetch this content from Microsoft. Windows 10, version 2004 setup now downloads Dynamic Update content using Delivery Optimization when available. For devices that aren’t connected to the internet, a subset of the Dynamic Update content is available by using WSUS and the Microsoft catalog. ### Option 3: Customize the Windows Image before deployment - For many organizations, the deployment workflow involves a Configuration Manager task sequence that performs a media-based update. Some customers either don’t have internet connectivity, or the connectivity is poor and so they can’t enable Dynamic Update. In these cases, we recommend installing optional content prior to deployment. This is sometimes referred to as customizing the installation media. 
+ For many organizations, the deployment workflow involves a Configuration Manager task sequence that performs a media-based update. Some customers either don’t have internet connectivity, or the connectivity is poor and so they can’t enable Dynamic Update. In these cases, we recommend installing optional content prior to deployment. This activity is sometimes referred to as customizing the installation media. You can customize the Windows image in these ways: 
@@ -104,24 +109,24 @@ You can customize the Windows image in these ways: - Adding or removing languages - Adding or removing Features on Demand -The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where Setup.exe is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-windows-10-media-with-dynamic-update-packages/ba-p/982477) and our [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073). Also like Option 2, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there is a variation of this option in which media is updated *on the device* just before installation. This allows for device-specific image customization based on what's currently installed. +The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where Setup.exe is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. 
For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-windows-10-media-with-dynamic-update-packages/ba-p/982477) and our [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073). Also like Option 2, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there is a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed. ### Option 4: Install language features during deployment -A partial solution to address the first pain point of failing to migrate optional content during upgrade is to inject a subset of optional content during the upgrade process. This approach uses the Windows 10 Setup option [/InstallLangPacks](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks) to add Language Packs and language capabilities such as text-to-speech recognition from a folder that contains the packages. This approach lets an IT pro take a subset of optional content and stage them within their network. If you use the servicing-based approach, you can configure InstallLangPacks using setupconfig.ini. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details. +A partial solution to address the first pain point of failing to migrate optional content during upgrade is to inject a subset of optional content during the upgrade process. This approach uses the Windows Setup option [/InstallLangPacks](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks) to add Language Packs and language capabilities such as text-to-speech recognition from a folder that contains the packages. 
This approach lets an IT pro take a subset of optional content and stage them within their network. If you use the servicing-based approach, you can configure InstallLangPacks using setupconfig.ini. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details. -When Setup runs, it will inject these packages into the new operating system during installation. This means it can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages cannot be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, as well as the architecture-specific Language Pack .cabs from the LPLIP ISO. Also, starting with Windows 10, version 1903, the behavior changed. In Windows 10, version 1809 and earlier, failure to install the packages wasn’t a fatal error. Starting with Windows 10, version 1903, we treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don’t migrate FOD and languages (unless Dynamic Update is enabled). +When Setup runs, it will inject these packages into the new operating system during installation. It can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages cannot be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, and the architecture-specific Language Pack .cabs from the LPLIP ISO. Also, starting with Windows 10, version 1903, the behavior changed. In Windows 10, version 1809 and earlier, failure to install the packages wasn’t a fatal error. 
Starting with Windows 10, version 1903, we treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don’t migrate FOD and languages (unless Dynamic Update is enabled). -This approach has some interesting benefits. The original Windows image doesn’t need to be modified, possibly saving time and scripting. For some commercial customers, this is implemented as their primary pain point has to do with language support immediately after the update. +This approach has some interesting benefits. The original Windows image doesn’t need to be modified, possibly saving time and scripting. ### Option 5: Install optional content after deployment -This option is like Option 3 in that you customize the operating system image with additional optional content after it’s deployed. IT pros can extend the behavior of Windows Setup by running their own custom action scripts during and after a feature update. See [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) for details. With this approach, you can create a device-specific migration of optional content by capturing the optional content that is installed in the operating system, and then saving this list to install the same optional content in the new operating system. Like Option 4, you would internally host a network share that contains the source of the optional content packages. Then, during the execution of Setup on the device, capture the list of installed optional content from the source operating system and save. Later, after Setup completes, you use the list to install the optional content, which leaves the user’s device without loss of functionality. +This option is like Option 3 in that you customize the operating system image with more optional content after it’s deployed. 
IT pros can extend the behavior of Windows Setup by running their own custom action scripts during and after a feature update. See [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) for details. With this approach, you can create a device-specific migration of optional content by capturing the optional content that is installed in the operating system, and then saving this list to install the same optional content in the new operating system. Like Option 4, you would internally host a network share that contains the source of the optional content packages. Then, during the execution of Setup on the device, capture the list of installed optional content from the source operating system and save. Later, after Setup completes, you use the list to install the optional content, which leaves the user’s device without loss of functionality. ### Option 6: Configure an alternative source for optional content -Several of the options address ways to address optional content migration issues during an in-place update. To address the second pain point of easily acquiring optional content in the user-initiated case, you can configure each device by using the Specify settings for optional component installation and component repair Group Policy. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. This approach has the disadvantage of additional content to be hosted within your network (additional to the operating system image you might be still deploying to some clients) but has the advantage of acquiring content within your network. Some reminders about this policy: +Several of the options address ways to address optional content migration issues during an in-place update. 
To address the second pain point of easily acquiring optional content in the user-initiated case, you can configure each device by using the Specify settings for optional component installation and component repair Group Policy. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. This approach has the disadvantage of more content to be hosted within your network (in addition to the operating system image you might be still deploying to some clients) but has the advantage of acquiring content within your network. Some reminders about this policy: - The file path to the alternate source must be a fully qualified path; multiple locations can be separated by a semicolon. - This setting does not support installing language packs from Alternate source file path, only Features on Demand. If the policy is configured to acquire content from Windows Update, language packs will be acquired. @@ -141,7 +146,7 @@ For more information about the Unified Update Platform and the approaches outlin - [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002) - [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) - [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/) -- [Updating Windows 10 media with Dynamic Update packages](media-dynamic-update.md) +- [Updating Windows installation media with Dynamic Update packages](media-dynamic-update.md) - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) 
@@ -564,7 +569,7 @@ Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction ignore | Out-Null ### Saving optional content in the source operating system -To save optional content state in the source operating system, we create a custom action script to run before the operating system installs. In this script, we save optional features and language resources to a file. We also make a local copy of the repo with only those files needed based on the languages installed on the source operating system. This will limit the files to copy. +To save optional content state in the source operating system, we create a custom action script to run before the operating system installs. In this script, we save optional features and language resources to a file. We also make a local copy of the repo with only those files needed based on the languages installed on the source operating system. This action will limit the files to copy. ```powershell diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md index c18d2b0576..289cffc216 100644 --- a/windows/deployment/update/plan-define-strategy.md +++ b/windows/deployment/update/plan-define-strategy.md 
@@ -14,6 +14,11 @@ ms.collection: m365initiative-coredeploy # Define update strategy with a calendar +**Applies to** + +- Windows 10 +- Windows 11 + Traditionally, organizations treated the deployment of operating system updates (especially feature updates) as a discrete project that had a beginning, a middle, and an end. A release was "built" (usually in the form of an image) and then distributed to users and their devices. Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. 
@@ -21,7 +26,7 @@ Today, more organizations are treating deployment as a continual process of upda Though we encourage you to deploy every available release and maintain a fast cadence for some portion of your environment, we also recognize that you might have a large number of devices, and a need for little or no disruption, and so you might choose to update annually. The 18/30 month lifecycle cadence lets you allow some portion of your environment to move faster while a majority can move less quickly. ## Calendar approaches -You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing Windows 10 feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates. +You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates. ### Annual Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Manager and Microsoft 365 Apps release cycles: 
@@ -38,14 +43,4 @@ This cadence might be most suitable for you if any of these conditions apply: - You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the second half of each calendar year, you get additional servicing for Windows 10 (30 months of servicing compared to 18 months). -### Rapid -This calendar shows an example schedule that installs each feature update as it is released, twice per year: -[ ![Update calendar showing a faster update cadence.](images/rapid-calendar.png) ](images/rapid-calendar.png#lightbox) - -This cadence might be best for you if these conditions apply: - -- You have a strong appetite for change. -- You want to continuously update supporting infrastructure and unlock new scenarios. -- Your organization has a large population of information workers that can use the latest features and functionality in Windows 10 and Office. -- You have experience with feature updates for Windows 10. diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md index 3ea447d2c4..4614f94847 100644 --- a/windows/deployment/update/prepare-deploy-windows.md +++ b/windows/deployment/update/prepare-deploy-windows.md @@ -94,7 +94,7 @@ Enable update services on devices. Ensure that every device is running all the s - Windows Management Service - Windows Module Installer - Windows Push Notification -- Windows Security Center Service +- Windows Security Service - Windows Time Service - Windows Update - Windows Update Medic Service diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md index 735acd6e97..8ff5849aaa 100644 --- a/windows/deployment/update/safeguard-holds.md +++ b/windows/deployment/update/safeguard-holds.md 
@@ -12,27 +12,32 @@ ms.topic: article # Safeguard holds -Microsoft uses quality and compatibility data to identify issues that might cause a Windows 10 feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available. +**Applies to** -Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows 10. +- Windows 10 +- Windows 11 -The lifespan of holds varies depending on the time required to investigate and fix an issue. During this time Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the hold. Once we release the hold, Windows Update will resume offering new operating system versions to devices. +Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply safeguard holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. 
We also use safeguard holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available. -Safeguard holds only affect devices that use the Window Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services) to remain aware of known issues that might also be present in their environments. +Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows client. +The lifespan of safeguard holds varies depending on the time required to investigate and fix an issue. During this time, Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the safeguard hold. Once we release the safeguard hold, Windows Update will resume offering new operating system versions to devices. + +Safeguard holds only affect devices that use the Windows Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services) to remain aware of known issues that might also be present in their environments. + +IT admins managing updates using the [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) also benefit from safeguard holds on devices that are likely to be affected by an issue. 
To learn more, see [Safeguard holds against likely and known issues](/windows/deployment/update/deployment-service-overview#safeguard-holds-against-likely-and-known-issues). ## Am I affected by a safeguard hold? -IT admins can use [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) to monitor various update health metrics for devices in their organization, including ones affected by a safeguard hold that prevents them from updating to a newer operating system version. +IT admins can use [Update Compliance](update-compliance-monitor.md) to monitor various update health metrics for devices in their organization. Update Compliance provides a [Safeguard Holds report](/windows/deployment/update/update-compliance-safeguard-holds), as well as [queries in the Feature Update Status report](/windows/deployment/update/update-compliance-feature-update-status), to provide you insight into the safeguard holds that are preventing devices from updating or upgrading. -Queries identify Safeguard IDs for each affected device, giving IT admins a detailed view into the various protections extended to devices. Safeguard IDs for publicly discussed known issues are also included in the [Windows release health](/windows/release-health/) dashboard, where you can easily find information related to publicly available safeguards. +The Update Compliance reports identify safeguard holds by their 8-digit identifiers. For safeguard holds associated with publicly discussed known issues, you can find additional details about the issue on the [Windows release health](/windows/release-health/) dashboard by searching for the safeguard hold ID on the **Known issues** page for the relevant release. On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. 
Instead of the option to download and install the update, users will see this message: - ![Feature update message reading "The Windows 10 May 2020 Update is on its way. Once it's ready for your device, you'll see the update available on this page.](images/safeguard-hold-notification.png) -If you see this message, it means one or more holds affect your device. When the issue is fixed and the update is safe to install, we’ll release the hold and the update can resume safely. +This message means that the device is protected by one or more safeguard holds. When the issue is resolved and the update is safe to install, we will release the safeguard hold and the update can resume safely. ## What can I do? 
@@ -41,4 +46,4 @@ We recommend that you do not attempt to manually update until issues have been r > [!CAUTION] > Opting out of a safeguard hold can put devices at risk from known performance issues. We strongly recommend that you complete robust testing to ensure the impact is acceptable before opting out. -With that in mind, IT admins who stay informed with [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) and the [Windows release health](/windows/release-health/) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, the protection of safeguard holds is reinstated automatically. \ No newline at end of file +With that in mind, IT admins who stay informed with [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) and the [Windows release health](/windows/release-health/) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, the protection of safeguard holds is reinstated automatically. diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index 6b9563437a..15a43dfe2f 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md @@ -1,5 +1,5 @@ --- -title: Servicing stack updates (Windows 10) +title: Servicing stack updates description: In this article, learn how servicing stack updates improve the code that installs the other updates. ms.prod: w10 ms.mktglfcycl: manage 
@@ -20,7 +20,8 @@ ms.custom: seo-marvel-apr2020 **Applies to** -- Windows 10, Windows 8.1, Windows 8, Windows 7 +- Windows 10 +- Windows 11 ## What is a servicing stack update? Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. @@ -38,7 +39,7 @@ Servicing stack update are released depending on new issues or vulnerabilities. ## What's the difference between a servicing stack update and a cumulative update? -Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. +Both Windows client and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update. diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index 339e8ed571..57c0e11d5b 100644 
--- a/windows/deployment/update/update-compliance-configuration-manual.md
+++ b/windows/deployment/update/update-compliance-configuration-manual.md
@@ -17,10 +17,15 @@ ms.topic: article
 # Manually Configuring Devices for Update Compliance
+**Applies to**
+
+- Windows 10
+- Windows 11
+
 > [!NOTE]
 > As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables.
-There are a number of requirements to consider when manually configuring devices for Update Compliance. These can potentially change with newer versions of Windows 10. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
+There are a number of requirements to consider when manually configuring devices for Update Compliance. These can potentially change with newer versions of Windows client. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
 The requirements are separated into different categories:
diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md
index f700affa62..8b67a949ea 100644
--- a/windows/deployment/update/update-compliance-configuration-mem.md
+++ b/windows/deployment/update/update-compliance-configuration-mem.md
@@ -17,6 +17,11 @@ ms.topic: article
 # Configuring Microsoft Endpoint Manager devices for Update Compliance
+**Applies to**
+
+- Windows 10
+- Windows 11
+
 > [!NOTE]
 > As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables.
diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md
index 085bf545d6..3bd9ab7dd2 100644
--- a/windows/deployment/update/update-compliance-configuration-script.md
+++ b/windows/deployment/update/update-compliance-configuration-script.md
@@ -17,6 +17,11 @@ ms.topic: article
 # Configuring devices through the Update Compliance Configuration Script
+**Applies to**
+
+- Windows 10
+- Windows 11
+
 > [!NOTE]
 > A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured.
diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md
index 1c544e9fbb..1aa38de12a 100644
--- a/windows/deployment/update/update-compliance-delivery-optimization.md
+++ b/windows/deployment/update/update-compliance-delivery-optimization.md
@@ -1,5 +1,5 @@
 ---
-title: Delivery Optimization in Update Compliance (Windows 10)
+title: Delivery Optimization in Update Compliance
 ms.reviewer:
 manager: laurawi
 description: Learn how the Update Compliance solution provides you with information about your Delivery Optimization configuration.
@@ -17,6 +17,12 @@ ms.custom: seo-marvel-apr2020
 ---
 # Delivery Optimization in Update Compliance
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+
 ![DO status.](images/UC_workspace_DO_status.png)
 The Update Compliance solution provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
@@ -30,7 +36,7 @@ The Delivery Optimization Status section includes three blades:
 ## Device Configuration blade
-Devices can be set to use different download modes; these download modes determine in what situations Delivery Optimization will use peer-to-peer distribution to accomplish the downloads. The top section shows the number of devices configured to use peer-to-peer distribution in *Peering On* compared to *Peering Off* modes. The table shows a breakdown of the various download mode configurations seen in your environment. For more information about the different configuration options, see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization-setup.md).
+Devices can be set to use different download modes; these download modes determine in what situations Delivery Optimization will use peer-to-peer distribution to accomplish the downloads. The top section shows the number of devices configured to use peer-to-peer distribution in *Peering On* compared to *Peering Off* modes. The table shows a breakdown of the various download mode configurations seen in your environment. For more information about the different configuration options, see [Configure Delivery Optimization for Windows client updates](waas-delivery-optimization-setup.md).
 ## Content Distribution (%) blade
 The first of two blades showing information on content breakdown, this blade shows a ring chart summarizing **Bandwidth Savings %**, which is the percentage of data received from peer sources out of the total data downloaded (for any device that used peer-to-peer distribution).
diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md
index 4476c5c96d..0632492b3e 100644
--- a/windows/deployment/update/update-compliance-feature-update-status.md
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@@ -17,6 +17,11 @@ ms.custom: seo-marvel-apr2020
 # Feature Update Status
+**Applies to**
+
+- Windows 10
+- Windows 11
+
 [ ![The Feature Update Status report.](images/UC_workspace_FU_status.png) ](images/UC_workspace_FU_status.png#lightbox)
 The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels).
@@ -38,16 +43,21 @@ Refer to the following list for what each state means: ## Safeguard holds -Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows 10 release information page for any given release. +Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Safeguard holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows client release information pages for any given release. -## Queries for safeguard holds +### Queries for safeguard holds -Update Compliance reporting offers two queries to help you retrieve data related to safeguard holds. The first query shows the device data for all devices that are affected by safeguard holds. The second query shows data specific to devices running the target build. +> [!TIP] +> For a new Update Compliance report with additional information on safeguard holds for devices managed using the [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview), try the [Safeguard Holds report](/windows/deployment/update/update-compliance-safeguard-holds). + +The Feature Update Status report offers two queries to help you retrieve data related to safeguard holds. 
These queries show data for devices that are configured to send diagnostic data at the *Optional* level (previously *Full*). For Windows 10 devices, devices configured to send diagnostic data at *Enhanced* level are also included. + +The first query shows the device data for all devices that are affected by safeguard holds. The second query shows data specific to devices running the target build. ![Left pane showing Need Attention, Security update status, feature update status, and Windows Defender AV status, with Need Attention selected. Right pane shows the list of queries relevant to the Need Attention status, with "Devices with a safeguard hold" and "Target build distribution of devices with a safeguard hold" queries highlighted](images/UC_workspace_safeguard_queries.png) -Update Compliance reporting will display the Safeguard IDs for known issues affecting a device in the **DeploymentErrorCode** column. Safeguard IDs for publicly discussed known issues are also included in the Windows Release Health dashboard, where you can easily find information related to publicly available safeguards. +Update Compliance reporting will display the safeguard hold IDs for known issues affecting a device in the **DeploymentErrorCode** column. Safeguard hold IDs for publicly discussed known issues are also included in the Windows Release Health dashboard, where you can easily find information related to publicly available safeguards. -### Opt out of safeguard hold +### Opt out of safeguard holds -You can [opt out of safeguard protections](safeguard-opt-out.md) by using the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update. +You can [opt out of safeguard holds](safeguard-opt-out.md) protecting against known issues by using the **Disable safeguards for Feature Updates** Group Policy. 
This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update. diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index f1c18585dd..db61a26720 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md 
@@ -17,8 +17,15 @@ ms.topic: article
 # Get started with Update Compliance
+**Applies to**
+
+- Windows 10
+- Windows 11
+
 > [!IMPORTANT]
-> **A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing"**. If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must configure devices with this additional policy. You can do this by rerunning the [Update Compliance Configuration Script](update-compliance-configuration-script.md) if you configure your devices through Group Policy, or refer to [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) for details on manually configuring the new policy for both Group Policy and MDM.
+> **A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing"**. If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must configure devices with this additional policy. You can do this by rerunning the [Update Compliance Configuration Script](update-compliance-configuration-script.md) if you configure your devices through Group Policy, or refer to [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) for details on manually configuring the new policy for both Group Policy and MDM.
+>
+> Devices must have this policy configured by January 31, 2022, to remain enrolled in Update Compliance. Devices without this policy configured, including Windows 10 releases prior to version 1809 which do not support this policy, will stop appearing in Update Compliance reports after this date.
 This topic introduces the high-level steps required to enroll to the Update Compliance solution and configure devices to send data to it. The following steps cover the enrollment and device configuration workflow.
@@ -35,11 +42,11 @@ After adding the solution to Azure and configuring devices, it can take some tim Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites: -- **Compatible Operating Systems and Editions**: Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 Enterprise edition, as well as [Windows 10 Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc. -- **Compatible Windows 10 Servicing Channels**: Update Compliance supports Windows 10 devices on the Semi-Annual Channel and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview (WIP) devices, but does not currently provide detailed deployment insights for them. -- **Diagnostic data requirements**: Update Compliance requires devices be configured to send diagnostic data at *Required* level (previously *Basic*). To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy). +- **Compatible operating systems and editions**: Update Compliance works only with Windows 10 or Windows 11 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 or Windows 11 Enterprise edition, as well as [Windows 10 Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows client version and is not currently compatible with Windows Server, Surface Hub, IoT, or other versions. 
+- **Compatible Windows client servicing channels**: Update Compliance supports Windows client devices on the General Availability Channel and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview devices, but does not currently provide detailed deployment insights for them. +- **Diagnostic data requirements**: Update Compliance requires devices to send diagnostic data at *Required* level (previously *Basic*). Some queries in Update Compliance require devices to send diagnostic data at *Optional* level (previously *Full*) for Windows 11 devices or *Enhanced* level for Windows 10 devices. To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). - **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md). -- **Showing Device Names in Update Compliance**: For Windows 10, version 1803 or later, device names will not appear in Update Compliance unless you individually opt-in devices by using policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md). +- **Showing device names in Update Compliance**: For Windows 10, version 1803 or later, device names will not appear in Update Compliance unless you individually opt-in devices by using policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md). ## Add Update Compliance to your Azure subscription 
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 7d3ea12222..de2b593b39 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -1,8 +1,8 @@ --- -title: Monitor Windows Updates and Microsoft Defender AV with Update Compliance (Windows 10) +title: Monitor Windows Updates and Microsoft Defender AV with Update Compliance ms.reviewer: manager: laurawi -description: You can use Update Compliance in Azure Portal to monitor the progress of updates and key antimalware protection features on devices in your network. +description: You can use Update Compliance in Azure portal to monitor the progress of updates and key anti-malware protection features on devices in your network. keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics ms.prod: w10 ms.mktglfcycl: deploy 
@@ -18,24 +18,29 @@ ms.custom: seo-marvel-apr2020 # Monitor Windows Updates with Update Compliance +**Applies to** + +- Windows 10 +- Windows 11 + ## Introduction Update Compliance enables organizations to: -* Monitor security, quality, and feature updates for Windows 10 Professional, Education, and Enterprise editions. +* Monitor security, quality, and feature updates for Windows 10 or Windows 11 Professional, Education, and Enterprise editions. * View a report of device and update issues related to compliance that need attention. * Check bandwidth savings incurred across multiple content types by using [Delivery Optimization](waas-delivery-optimization.md). -Update Compliance is offered through the Azure portal, and is included as part of Windows 10 licenses listed in the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). Azure Log Analytics ingestion and retention charges are not incurred on your Azure subscription for Update Compliance data. +Update Compliance is offered through the Azure portal, and is included as part of Windows 10 or Windows 11 licenses listed in the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). Azure Log Analytics ingestion and retention charges are not incurred on your Azure subscription for Update Compliance data. -Update Compliance uses Windows 10 diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, and Delivery Optimization usage data, and then sends this data to a customer-owned [Azure Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) workspace to power the experience. +Update Compliance uses Windows client diagnostic data for all of its reporting. 
It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, and Delivery Optimization usage data, and then sends this data to a customer-owned [Azure Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) workspace to power the experience. -See the following topics in this guide for detailed information about configuring and using the Update Compliance solution: +See the following articles in this guide for detailed information about configuring and using the Update Compliance solution: - [Get started with Update Compliance](update-compliance-get-started.md) provides directions on adding Update Compliance to your Azure subscription and configuring devices to send data to Update Compliance. - [Using Update Compliance](update-compliance-using.md) breaks down every aspect of the Update Compliance experience. -## Related topics +## Related articles * [Get started with Update Compliance](update-compliance-get-started.md) * [Use Update Compliance to monitor Windows Updates](update-compliance-using.md) diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md index 527be5a54e..f8d8daa42b 100644 --- a/windows/deployment/update/update-compliance-need-attention.md +++ b/windows/deployment/update/update-compliance-need-attention.md 
@@ -14,9 +14,15 @@ ms.prod: w10
 ---
 # Needs attention!
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+
 ![Needs attention section.](images/UC_workspace_needs_attention.png)
-The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section.
+The **Needs attention!** section provides a breakdown of all Windows client device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section.
 > [!NOTE]
 > The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up.
@@ -26,7 +32,7 @@ The different issues are broken down by Device Issues and Update Issues: ## Device Issues * **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices might be more vulnerable and should be investigated and updated. -* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows 10. +* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows client it is running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows client. ## Update Issues @@ -39,7 +45,7 @@ The different issues are broken down by Device Issues and Update Issues: Selecting any of the issues will take you to a [Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue. > [!NOTE] -> This blade also has a link to the [Setup Diagnostic Tool](../upgrade/setupdiag.md), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful. +> This blade also has a link to the [Setup Diagnostic Tool](../upgrade/setupdiag.md), a standalone tool you can use to obtain details about why a Windows client feature update was unsuccessful. ## List of Queries diff --git a/windows/deployment/update/update-compliance-privacy.md b/windows/deployment/update/update-compliance-privacy.md index b7c5407a53..b8f5508589 100644 --- a/windows/deployment/update/update-compliance-privacy.md +++ b/windows/deployment/update/update-compliance-privacy.md 
@@ -16,9 +16,14 @@ ms.topic: article # Privacy in Update Compliance +**Applies to** + +- Windows 10 +- Windows 11 + Update Compliance is fully committed to privacy, centering on these tenets: -- **Transparency:** Windows 10 diagnostic data events that are required for Update Compliance's operation are fully documented (see the links for additional information) so you can review them with your company's security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](/windows/configuration/diagnostic-data-viewer-overview) for details). +- **Transparency:** Windows client diagnostic data events that are required for Update Compliance's operation are fully documented (see the links for additional information) so you can review them with your company's security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](/windows/configuration/diagnostic-data-viewer-overview) for details). - **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10, version 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics. - **Security:** Your data is protected with strong security and encryption. - **Trust:** Update Compliance supports the Online Services Terms. diff --git a/windows/deployment/update/update-compliance-safeguard-holds.md b/windows/deployment/update/update-compliance-safeguard-holds.md new file mode 100644 index 0000000000..98221fda7c --- /dev/null +++ b/windows/deployment/update/update-compliance-safeguard-holds.md 
@@ -0,0 +1,63 @@ +--- +title: Update Compliance - Safeguard Holds report +ms.reviewer: +manager: laurawi +description: Learn how the Safeguard Holds report provides information about safeguard holds in your population. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.author: jaimeo +ms.collection: M365-analytics +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Safeguard Holds + +**Applies to** + +- Windows 10 +- Windows 11 + +The Safeguard Holds report provides information about devices in your population that are affected by a [safeguard hold](/windows/deployment/update/safeguard-holds). + +Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Safeguard holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows client release information pages for any given release. + +As part of the Safeguard Holds report, Update Compliance provides aggregated and device-specific views into the safeguard holds that apply to devices in your population. These views will show data for all devices that are configured to send diagnostic data at the *Optional* level (previously *Full*). For Windows 10 devices, devices configured to send diagnostic data at *Enhanced* level are also included. If your devices are not sending the required diagnostic data, they will be excluded from these views. + +The safeguard hold report can be found in a different location from the other Update Compliance reports. To access the safeguard hold report, follow the instructions below. + +1. 
Navigate to your Log Analytics workspace to which Update Compliance is deployed. +2. In the left-hand menu, select **Solutions**. +3. Select the solution named **WaaSUpdateInsights(\)**. (This summary page is also where the Update Compliance tile is located.) +4. In the left-hand menu, select **Workbooks**. +5. Under the subsection **WaaSUpdateInsights**, select the workbook named **Safeguard Holds**. + +This report shows information for devices that are managed using the [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview). To view information about safeguard holds for other devices, you can use the workbook named **WaaSUpdateInsights** or the [queries for safeguard holds](/windows/deployment/update/update-compliance-feature-update-status) in the Feature Update Status report. + +## Safeguard hold view + +![The safeguard hold view of the Safeguard Hold report.](images/uc-workspace-safeguard-holds-safeguard-hold-view.png) + +The safeguard hold view shows which safeguard holds apply to devices in your population, and how many devices are affected by each safeguard hold. You can use the **Safeguard hold ID(s)** dropdown at the top of the report to filter the chart and corresponding table to show only the selected safeguard hold IDs. Note that a device can be affected by more than one safeguard hold. + +## Device view + +![The device view of the Safeguard Hold report.](images/uc-workspace-safeguard-holds-device-view.png) + +The device view shows which devices are affected by safeguard holds. In the **Safeguard Hold IDs** column of the table, you can find a list of the safeguard holds that apply to each device. You can also use the **Safeguard hold ID(s)** dropdown at the top of the report to filter the table to show only devices affected by the selected safeguard hold IDs. 
+ +## Getting additional information about a safeguard hold + +For safeguard holds protecting devices against publicly discussed known issues, you can find their 8-digit identifier on the [Windows release health](/windows/release-health/) page under **Known issues** corresponding to the relevant release. + +Devices managed by the [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) that are affected by a safeguard hold for a likely issue are listed in the report with the safeguard hold ID value **00000001**. + +## Opt out of safeguard holds + +To opt out of safeguard holds protecting against known issues, see [Opt out of safeguard holds](/windows/deployment/update/safeguard-opt-out). + +To opt out of safeguard holds protecting against likely issues (applicable to devices managed by the deployment service), see [Manage safeguards for a feature update deployment using the Windows Update for Business deployment service](/graph/windowsupdates-manage-safeguards). diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md index 9f0ddd10ef..5d923146e5 100644 --- a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md +++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md 
@@ -26,7 +26,7 @@ WaaSDeploymentStatus records track a specific update's installation progress on |**DeploymentError** |[string](/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there is either no string matching the error or there is no error. | |**DeploymentErrorCode** |[int](/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there is either no error or there is *no error code*, meaning that the issue raised does not correspond to an error, but some inferred issue. | |**DeploymentStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Failed` |The high-level status of installing this update on this device. Possible values are:

                • **Update completed**: Device has completed the update installation.
                • **In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`.
                • **Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update.
                • **Canceled**: The update was canceled.
                • **Blocked**: There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update.
                • **Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that have not sent any deployment data for that update will have the status `Unknown`.
                • **Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update.
                • **Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.| -|**DetailedStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Reboot required` |A detailed status for the installation of this update on this device. Possible values are:
                • **Update deferred**: When a device's Windows Update for Business policy dictates the update is deferred.
                • **Update paused**: The device's Windows Update for Business policy dictates the update is paused from being offered.
                • **Update offered**: The device has been offered the update, but has not begun downloading it.
                • **Pre-Download tasks passed**: The device has finished all necessary tasks prior to downloading the update.
                • **Compatibility hold**: The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information, see [Feature Update Status report](update-compliance-feature-update-status.md#safeguard-holds).
                • **Download started**: The update has begun downloading on the device.
                • **Download Succeeded**: The update has successfully completed downloading.
                • **Pre-Install Tasks Passed**: Tasks that must be completed prior to installing the update have been completed.
                • **Install Started**: Installation of the update has begun.
                • **Reboot Required**: The device has finished installing the update, and a reboot is required before the update can be completed.
                • **Reboot Pending**: The device has a scheduled reboot to apply the update.
                • **Reboot Initiated**: The scheduled reboot has been initiated.
                • **Commit**: Changes are being committed post-reboot. This is another step of the installation process.
                • **Update Completed**: The update has successfully installed.| +|**DetailedStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Reboot required` |A detailed status for the installation of this update on this device. Possible values are:
                • **Not Started**: Update hasn't started because the device is not targeting the latest 2 builds
                • **Update deferred**: When a device's Windows Update for Business policy dictates the update is deferred.
                • **Update paused**: The device's Windows Update for Business policy dictates the update is paused from being offered.
                • **Update offered**: The device has been offered the update, but has not begun downloading it.
                • **Pre-Download tasks passed**: The device has finished all necessary tasks prior to downloading the update.
                • **Compatibility hold**: The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information, see [Feature Update Status report](update-compliance-feature-update-status.md#safeguard-holds).
                • **Download started**: The update has begun downloading on the device.
                • **Download Succeeded**: The update has successfully completed downloading.
                • **Pre-Install Tasks Passed**: Tasks that must be completed prior to installing the update have been completed.
                • **Install Started**: Installation of the update has begun.
                • **Reboot Required**: The device has finished installing the update, and a reboot is required before the update can be completed.
                • **Reboot Pending**: The device has a scheduled reboot to apply the update.
                • **Reboot Initiated**: The scheduled reboot has been initiated.
                • **Commit**: Changes are being committed post-reboot. This is another step of the installation process.
                • **Update Completed**: The update has successfully installed.| |**ExpectedInstallDate** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`3/28/2020, 1:00:01.318 PM`|Rather than the expected date this update will be installed, this should be interpreted as the minimum date Windows Update will make the update available for the device. This takes into account Deferrals. | |**LastScan** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 1:00:01.318 PM`|The last point in time that this device sent Update Session data. | |**OriginBuild** |[string](/azure/kusto/query/scalar-data-types/string) |`18363.719` |The build originally installed on the device when this Update Session began. | @@ -43,4 +43,4 @@ WaaSDeploymentStatus records track a specific update's installation progress on |**TimeGenerated** |[datetime](/azure/kusto/query/scalar-data-types/datetime) |`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. | |**UpdateCategory** |[string](/azure/kusto/query/scalar-data-types/string) |`Quality` |The high-level category of content type this Windows Update belongs to. Possible values are **Feature** and **Quality**. | |**UpdateClassification** |[string](/azure/kusto/query/scalar-data-types/string) |`Security` |Similar to UpdateCategory, this more specifically determines whether a Quality update is a security update or not. | -|**UpdateReleasedDate** |[datetime](/azure/kusto/query/scalar-data-types/datetime) |`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the time the update came available on Windows Update. | \ No newline at end of file +|**UpdateReleasedDate** |[datetime](/azure/kusto/query/scalar-data-types/datetime) |`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the time the update came available on Windows Update. | 
diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md
index 27a37f5e71..28735cdb61 100644
--- a/windows/deployment/update/update-compliance-security-update-status.md
+++ b/windows/deployment/update/update-compliance-security-update-status.md
@@ -15,12 +15,17 @@ ms.custom: seo-marvel-apr2020 # Security Update Status +**Applies to** + +- Windows 10 +- Windows 11 + ![The Security Update Status report.](images/UC_workspace_SU_status.png) -The Security Update Status section provides information about [security updates](waas-quick-start.md#definitions) across all devices. The section tile within the [Overview Blade](update-compliance-using.md#overview-blade) lists the percentage of devices on the latest security update available. Meanwhile, the blades within show the percentage of devices on the latest security update for each Windows 10 version and the deployment progress toward the latest two security updates. +The Security Update Status section provides information about [security updates](waas-quick-start.md#definitions) across all devices. The section tile within the [Overview Blade](update-compliance-using.md#overview-blade) lists the percentage of devices on the latest security update available. Meanwhile, the blades within show the percentage of devices on the latest security update for each Windows client version and the deployment progress toward the latest two security updates. The **Overall Security Update Status** blade provides a visualization of devices that are and do not have the latest security updates. Below the visualization are all devices further broken down by operating system version and a count of devices that are up to date and not up to date. The **Not up to date** column also provides a count of update failures. -The **Latest Security Update Status** and **Previous Security Update Status** tiles are stacked to form one blade. The **Latest Security Update Status** provides a visualization of the different deployment states devices are in regarding the latest update for each build (or version) of Windows 10, along with the revision of that update. The **Previous Security Update Status** blade provides the same information without the accompanying visualization. 
+The **Latest Security Update Status** and **Previous Security Update Status** tiles are stacked to form one blade. The **Latest Security Update Status** provides a visualization of the different deployment states devices are in regarding the latest update for each build (or version) of Windows client, along with the revision of that update. The **Previous Security Update Status** blade provides the same information without the accompanying visualization. The rows of each tile in this section are interactive; selecting them will navigate you to the query that is representative of that row and section. diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index 26c96388b7..d27fd0af96 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -1,5 +1,5 @@ --- -title: Using Update Compliance (Windows 10) +title: Using Update Compliance ms.reviewer: manager: laurawi description: Learn how to use Update Compliance to monitor your device's Windows updates. 
@@ -18,11 +18,16 @@ ms.custom: seo-marvel-apr2020 # Use Update Compliance +**Applies to** + +- Windows 10 +- Windows 11 + In this section you'll learn how to use Update Compliance to monitor your device's Windows updates and Microsoft Defender Antivirus status. To configure your environment for use with Update Compliance, refer to [Get started with Update Compliance](update-compliance-get-started.md). Update Compliance: -- Provides detailed deployment monitoring for Windows 10 Feature and Quality updates. +- Provides detailed deployment monitoring for Windows client feature and quality updates. - Reports when devices need attention due to issues related to update deployment. - Shows bandwidth usage and savings for devices that are configured to use [Delivery Optimization](waas-delivery-optimization.md). - Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities. 
@@ -49,21 +54,21 @@ When you select this tile, you will be redirected to the Update Compliance works ![The Overview blade.](images/UC_workspace_overview_blade.png) Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items: -* Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10. +* Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows client. * Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability. * AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Microsoft Defender Antivirus. The blade also provides the time at which your Update Compliance workspace was [refreshed](#update-compliance-data-latency). The following is a breakdown of the different sections available in Update Compliance: -* [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It provides a summary of the different issues devices are facing relative to Windows 10 updates. 
-* [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows 10 it is running. Selecting this section provides blades that summarize the overall status of security updates across all devices and a summary of their deployment progress towards the latest two security updates. -* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows 10 in your environment. +* [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It provides a summary of the different issues devices are facing relative to Windows client updates. +* [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows client it is running. Selecting this section provides blades that summarize the overall status of security updates across all devices and a summary of their deployment progress towards the latest two security updates. +* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows client in your environment. 
* [Delivery Optimization Status](update-compliance-delivery-optimization.md) - This section summarizes bandwidth savings incurred by utilizing Delivery Optimization in your environment. It provides a breakdown of Delivery Optimization configuration across devices, and summarizes bandwidth savings and utilization across multiple content types. ## Update Compliance data latency -Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. +Update Compliance uses Windows client diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. The data powering Update Compliance is refreshed every 24 hours, and refreshes with the latest data from all devices part of your organization that have been seen in the past 28 days. The entire set of data is refreshed in each daily snapshot, which means that the same data can be re-ingested even if no new data actually arrived from the device since the last snapshot. Snapshot time can be determined by the TimeGenerated field for each record, while LastScan can be used to roughly determine the freshness of each record's data. diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md index f6bb3195f2..4bbcdcad7e 100644 --- a/windows/deployment/update/update-policies.md +++ b/windows/deployment/update/update-policies.md @@ -18,8 +18,8 @@ ms.collection: M365-modern-desktop **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 Keeping devices up to date is the best way to keep them working smoothly and securely. 
@@ -39,10 +39,6 @@ update is published plus any deferral. In addition, this policy includes a confi to opt out of automatic restarts until the deadline is reached (although we recommend always allowing automatic restarts for maximum update velocity). -> [!IMPORTANT] -> If you use the new **Specify deadlines for automatic updates and restarts** setting in Windows 10, -> version 1903, you must disable the [older deadline policies](wufb-compliancedeadlines.md#prior-to-windows-10-version-1709) because they could conflict. - We recommend you set deadlines as follows: - Quality update deadline, in days: 3 - Feature update deadline, in days: 7 diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index 7963fab1a7..9cfa2f188d 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md @@ -1,5 +1,5 @@ --- -title: Configure BranchCache for Windows 10 updates (Windows 10) +title: Configure BranchCache for Windows client updates description: In this article, learn how to use BranchCache to optimize network bandwidth during update deployment. ms.prod: w10 ms.mktglfcycl: manage 
@@ -12,21 +12,22 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Configure BranchCache for Windows 10 updates +# Configure BranchCache for Windows client updates **Applies to** - Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. -- Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows 10: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. +- Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows client: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. >[!TIP] - >Distributed Cache mode is preferred to Hosted Cache mode for Windows 10 updates to get the most benefit from peer-to-peer distribution. + >Distributed Cache mode is preferred to Hosted Cache mode for Windows clients updates to get the most benefit from peer-to-peer distribution. - In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in its area. Then, rather than clients retrieving files from a latent source, the hosted cache server provides the content on its behalf. 
@@ -36,7 +37,7 @@ For detailed information about how Distributed Cache mode and Hosted Cache mode Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](/previous-versions/windows/it-pro/windows-7/dd637820(v=ws.10)) in the [BranchCache Early Adopter's Guide](/previous-versions/windows/it-pro/windows-7/dd637762(v=ws.10)). -In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows 10, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode. +In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode. ## Configure servers for BranchCache 
@@ -49,21 +50,3 @@ In addition to these steps, there is one requirement for WSUS to be able to use >[!NOTE] >Configuration Manager only supports Distributed Cache mode. - -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) -- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index d0c4ab43af..0c557a1ac6 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md 
@@ -1,5 +1,5 @@ --- -title: Configure Windows Update for Business (Windows 10) +title: Configure Windows Update for Business ms.reviewer: manager: laurawi description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. @@ -19,13 +19,14 @@ ms.topic: article **Applies to** - Windows 10 +- Windows 11 - Windows Server 2016 - Windows Server 2019 +- Windows Server 2022 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). +You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). > [!IMPORTANT] > Beginning with Windows 10, version 1903, organizations can use Windows Update for Business policies, regardless of the diagnostic data level chosen. If the diagnostic data level is set to **0 (Security)**, Windows Update for Business policies will still be honored. For instructions, see [Configure the operating system diagnostic data level](/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). 
@@ -33,7 +34,7 @@ You can use Group Policy or your mobile device management (MDM) service to confi ## Start by grouping devices -By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be as a quality control measure as updates are deployed in Windows 10. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization. For more information, see [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md). +By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be as a quality control measure as updates are deployed. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization. >[!TIP] >In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/). 
@@ -43,13 +44,13 @@ By grouping devices with similar deferral periods, administrators are able to cl ## Configure devices for the appropriate service channel -With Windows Update for Business, you can set a device to be on either Windows Insider Preview or the Semi-Annual Channel servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels). +With Windows Update for Business, you can set a device to be on either Windows Insider Preview or the General Availability Channel servicing branch. For more information on this servicing model, see [Servicing channels](waas-overview.md#servicing-channels). **Release branch policies** | Policy | Sets registry key under HKLM\Software | | --- | --- | -| GPO for Windows 10, version 1607 or later:
                  Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel | +| GPO for Windows 10, version 1607 or later:
                  Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when feature updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel | | GPO for Windows 10, version 1511:
                  Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade | | MDM for Windows 10, version 1607 or later:
                  ../Vendor/MSFT/Policy/Config/Update/
                  **BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel | | MDM for Windows 10, version 1511:
                  ../Vendor/MSFT/Policy/Config/Update/
                  **RequireDeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | @@ -64,9 +65,9 @@ Starting with Windows 10, version 1703, users can configure the branch readiness ## Configure when devices receive feature updates -After you configure the servicing branch (Windows Insider Preview or Semi-Annual Channel), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. +After you configure the servicing branch (Windows Insider Preview or General Availability Channel), you can then define if, and for how long, you would like to defer receiving feature updates following their availability from Microsoft on Windows Update. You can defer receiving these feature updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. -For example, a device on the Semi-Annual Channel with `DeferFeatureUpdatesPeriodinDays=30` will not install a feature update that is first publicly available on Windows Update in September until 30 days later, in October. +For example, a device on the General Availability Channel with `DeferFeatureUpdatesPeriodinDays=30` will not install a feature update that is first publicly available on Windows Update in September until 30 days later, in October.

                  @@ -74,7 +75,7 @@ For example, a device on the Semi-Annual Channel with `DeferFeatureUpdatesPeriod | Policy | Sets registry key under HKLM\Software | | --- | --- | -| GPO for Windows 10, version 1607 or later:
                  Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates
                  \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays | +| GPO for Windows 10, version 1607 or later:
                  Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when feature updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates
                  \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays | | GPO for Windows 10, version 1511:
                  Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod | | MDM for Windows 10, version 1607 and later:
                  ../Vendor/MSFT/Policy/Config/Update/
                  **DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays | | MDM for Windows 10, version 1511:
                  ../Vendor/MSFT/Policy/Config/Update/
                  **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | @@ -84,7 +85,7 @@ For example, a device on the Semi-Annual Channel with `DeferFeatureUpdatesPeriod ## Pause feature updates -You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, you can then pause Feature Updates for the device again. +You can also pause a device from receiving feature updates by a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable feature updates. Following this scan, you can then pause feature updates for the device again. Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date. @@ -98,20 +99,20 @@ In cases where the pause policy is first applied after the configured start date | Policy | Sets registry key under HKLM\Software | | --- | --- | -| GPO for Windows 10, version 1607 or later:
                  Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates
                  **1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartTime | +| GPO for Windows 10, version 1607 or later:
                  Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when feature updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates
                  **1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartTime | | GPO for Windows 10, version 1511:
                  Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | | MDM for Windows 10, version 1607 or later:
                  ../Vendor/MSFT/Policy/Config/Update/
                  **PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates
                  **1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime | | MDM for Windows 10, version 1511:
                  ../Vendor/MSFT/Policy/Config/Update/
                  **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | -You can check the date that Feature Updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. +You can check the date that feature updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. -The local group policy editor (GPEdit.msc) will not reflect whether the Feature Update pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain selected in the policy editor. To check whether a device has automatically resumed taking Feature Updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: +The local group policy editor (GPEdit.msc) will not reflect whether the feature update pause period has expired. Although the device will resume feature updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking feature updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: | Value | Status| | --- | --- | -| 0 | Feature Updates not paused | -| 1 | Feature Updates paused | -| 2 | Feature Updates have auto-resumed after being paused | +| 0 | feature updates not paused | +| 1 | feature updates paused | +| 2 | feature updates have auto-resumed after being paused | >[!NOTE] >If not configured by policy, individual users can pause feature updates by using **Settings > Update & security > Windows Update > Advanced options**. 
@@ -122,9 +123,9 @@ Starting with Windows 10, version 1703, using Settings to control the pause beha - Any pending update installations are canceled. - Any update installation running when pause is activated will attempt to roll back. -## Configure when devices receive Quality Updates +## Configure when devices receive quality updates -Quality updates are typically published on the second Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving Quality updates following their availability. You can defer receiving these quality updates for a period of up to 30 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value. +Quality updates are typically published on the second Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving quality updates following their availability. You can defer receiving these quality updates for a period of up to 30 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value. You can set your system to receive updates for other Microsoft products—known as Microsoft updates (such as Microsoft Office, Visual Studio)—along with Windows updates by setting the **AllowMUUpdateService** policy. When you do this, these Microsoft updates will follow the same deferral and pause rules as all other quality updates. @@ -160,15 +161,15 @@ In cases where the pause policy is first applied after the configured start date | MDM for Windows 10, version 1607 or later:
                  ../Vendor/MSFT/Policy/Config/Update/
                  **PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates
                  **1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime | | MDM for Windows 10, version 1511:
                  ../Vendor/MSFT/Policy/Config/Update/
                  **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | -You can check the date that quality Updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. +You can check the date that quality updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. -The local group policy editor (GPEdit.msc) will not reflect whether the quality Update pause period has expired. Although the device will resume quality Updates after 35 days automatically, the pause checkbox will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: +The local group policy editor (GPEdit.msc) will not reflect whether the quality update pause period has expired. Although the device will resume quality updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: | Value | Status| | --- | --- | -| 0 | Quality Updates not paused | -| 1 | Quality Updates paused | -| 2 | Quality Updates have auto-resumed after being paused | +| 0 | quality updates not paused | +| 1 | quality updates paused | +| 2 | quality updates have auto-resumed after being paused | >[!NOTE] >If not configured by policy, individual users can pause quality updates by using **Settings > Update & security > Windows Update > Advanced options**. 
@@ -193,8 +194,8 @@ The **Manage preview builds** setting gives administrators control over enabling >* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds** >* MDM: **System/AllowBuildPreview** -The policy settings to **Select when Feature Updates are received** allows you to choose between preview flight rings, and allows you to defer or pause their delivery. -* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* +The policy settings to **Select when feature updates are received** allows you to choose between preview flight rings, and allows you to defer or pause their delivery. +* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and feature updates are received* * MDM: **Update/BranchReadinessLevel** ## Exclude drivers from quality updates @@ -216,7 +217,7 @@ The following are quick-reference tables of the supported policy values for Wind | GPO Key | Key type | Value | | --- | --- | --- | -| BranchReadinessLevel | REG_DWORD | 2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
                  4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
                  8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709)
                  16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-Annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-Annual Channel
                  32: systems take Feature Updates from Semi-Annual Channel
                  Note: Other value or absent: receive all applicable updates | +| BranchReadinessLevel | REG_DWORD | 2: systems take feature updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
                  4: systems take feature updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
                  8: systems take feature updates for the Release Windows Insider build (added in Windows 10, version 1709)

                  Other value or absent: receive all applicable updates | | DeferQualityUpdates | REG_DWORD | 1: defer quality updates
                  Other value or absent: don’t defer quality updates | | DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | | PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updates
                  Other value or absent: don’t pause quality updates | @@ -230,7 +231,7 @@ The following are quick-reference tables of the supported policy values for Wind | MDM Key | Key type | Value | | --- | --- | --- | -| BranchReadinessLevel | REG_DWORD |2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
                  4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
                  8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709)
                  16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-Annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-Annual Channel
                  32: systems take Feature Updates from Semi-Annual Channel
                  Note: Other value or absent: receive all applicable updates | +| BranchReadinessLevel | REG_DWORD |2: systems take feature updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
                  4: systems take feature updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
                  8: systems take feature updates for the Release Windows Insider build (added in Windows 10, version 1709)
                  32: systems take feature updates from General Availability Channel
                  Note: Other value or absent: receive all applicable updates | | DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | | PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updates
                  Other value or absent: don’t pause quality updates | | DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | @@ -253,20 +254,3 @@ When a device running a newer version sees an update available on Windows Update | PauseFeatureUpdates | PauseFeatureUpdatesStartTime | | PauseQualityUpdates | PauseQualityUpdatesStartTime | -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) -- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index df12b64c2c..2aea9ec10f 100644 
--- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -20,6 +20,7 @@ ms.custom: seo-marvel-apr2020 **Applies to** - Windows 10 +- Windows 11 > **Looking for more Group Policy settings?** See the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158). @@ -116,8 +117,11 @@ Download mode dictates which download sources clients are allowed to use when do | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. | +> [!NOTE] +> Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of Download Mode is no longer used. + >[!NOTE] ->Group mode is a best-effort optimization and should not be relied on for an authentication of identity of devices participating in the group. +>When you use AAD tenant, AD Site, or AD Domain as source of group IDs, that the association of devices participating in the group should not be relied on for an authentication of identity of those devices. ### Group ID 
@@ -160,7 +164,7 @@ In environments configured for Delivery Optimization, you might want to set an e ### Max Cache Size -This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20. +This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20. ### Absolute Max Cache Size 
@@ -197,8 +201,9 @@ Starting in Windows 10, version 1803, specifies the maximum background download Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. ### Select a method to restrict peer selection -Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. -Currently the only available option is **1 = Subnet mask**. The subnet mask option applies to both Download Modes LAN (1) and Group (2). +Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). + +If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID). ### Delay background download from http (in secs) Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index ef3f3040cc..b15133d690 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -2,7 +2,7 @@ title: Set up Delivery Optimization ms.reviewer: manager: laurawi -description: In this article, learn how to set up Delivery Optimization, a new peer-to-peer distribution method in Windows 10. +description: In this article, learn how to set up Delivery Optimization. keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 ms.mktglfcycl: deploy 
@@ -15,11 +15,12 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Set up Delivery Optimization for Windows 10 updates +# Set up Delivery Optimization for Windows client updates **Applies to** - Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index ab8834382a..4bd4c62a37 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -1,5 +1,5 @@ --- -title: Delivery Optimization for Windows 10 updates +title: Delivery Optimization for Windows client updates manager: laurawi description: This article provides information about Delivery Optimization, a peer-to-peer distribution method in Windows 10. keywords: oms, operations management suite, wdav, updates, downloads, log analytics @@ -16,12 +16,12 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Delivery Optimization for Windows 10 updates - +# Delivery Optimization for Windows client updates **Applies to** - Windows 10 +- Windows 11 > **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158). 
@@ -29,44 +29,17 @@ Windows updates, upgrades, and applications can contain packages with very large Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet. -For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows 10 updates](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). +For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). >[!NOTE] >WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. -## New in Windows 10, version 2004 +## New in Windows 10, version 20H2 and Windows 11 -- Enterprise network throttling: new settings have been added in Group Policy and mobile device management (MDM) to control foreground and background throttling as absolute values (Maximum Background Download Bandwidth in (in KB/s)). These settings are also available in the Windows user interface: - - ![absolute bandwidth settings in delivery optimization interface.](images/DO-absolute-bandwidth.png) - -- Activity Monitor now identifies the cache server used for as the source for Microsoft Connected Cache. 
For more information about using Microsoft Connected Cache with Configuration Manager, see [Microsoft Connected Cache](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache). - -- New options for [`Get-DeliveryOptimizationPerfSnap`](waas-delivery-optimization-setup.md#analyze-usage). - -- New cmdlets: - - `Enable-DeliveryOptimizationVerboseLogs` - - `Disable-DeliveryOptimizationVerboseLogs` - - `Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]` - -- New policy settings: - - [DOCacheHost](waas-delivery-optimization-reference.md#cache-server-hostname) - - [DOCacheHostSource](waas-delivery-optimization-reference.md#cache-server-hostname-source) - - [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs); replaces DOPercentageMaxDownloadBandwidth - - [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) - -- Removed policy settings (if you set these policies in Windows 10, 2004, they will have no effect): - - DOMaxDownloadBandwidth; use [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) or [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) instead. - - DOPercentageMaxDownloadBandwidth; use [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) or [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) instead. 
- - DOMaxUploadBandwidth - -- Support for new types of downloads: - - Office installs and updates - - Xbox game pass games - - MSIX apps (HTTP downloads only) - - Microsoft Edge browser installations and updates - - [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) +- New peer selection options: Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID)." +- Local Peer Discovery: a new option for **Restrict Peer Selection By** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). If you also enabled Group mode, Delivery Optimization will connect to locally discovered peers that are also part of the same group (that is, those which have the same Group ID). +- Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of [Download Mode](waas-delivery-optimization-reference.md#download-mode) is no longer used. ## Requirements @@ -82,8 +55,8 @@ The following table lists the minimum Windows 10 version that supports Delivery | Download package | Minimum Windows version | |------------------|---------------| -| Windows 10 updates (feature updates and quality updates) | 1511 | -| Windows 10 drivers | 1511 | +| Windows client updates (feature updates and quality updates) | 1511 | +| Windows client drivers | 1511 | | Windows Store files | 1511 | | Windows Store for Business files | 1511 | | Windows Defender definition updates | 1511 | 
@@ -100,7 +73,7 @@ The following table lists the minimum Windows 10 version that supports Delivery -In Windows 10 Enterprise, Professional, and Education editions, Delivery Optimization is enabled by default for peer-to-peer sharing on the local network (NAT). Specifically, all of the devices must be behind the same NAT, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. +In Windows client Enterprise, Professional, and Education editions, Delivery Optimization is enabled by default for peer-to-peer sharing on the local network (NAT). Specifically, all of the devices must be behind the same NAT, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. For more information, see "Download mode" in [Delivery optimization reference](waas-delivery-optimization-reference.md). @@ -242,7 +215,7 @@ Try a Telnet test between two devices on the network to ensure they can connect 2. Run the test. For example, if you are on device with IP 192.168.8.12 and you are trying to test the connection to 192.168.9.17 run `telnet 192.168.9.17 7680` (the syntax is *telnet [destination IP] [port]*. You will either see a connection error or a blinking cursor like this /_. The blinking cursor means success. > [!NOTE] -> You can also use [Test-NetConnection](/powershell/module/nettcpip/test-netconnection?view=windowsserver2019-ps) instead of Telnet to run the test. +> You can also use [Test-NetConnection](/powershell/module/nettcpip/test-netconnection) instead of Telnet to run the test. > **Test-NetConnection -ComputerName 192.168.9.17 -Port 7680** ### None of the computers on the network are getting updates from peers 
@@ -254,28 +227,3 @@ Check Delivery Optimization settings that could limit participation in peer cach - Enable peer caching while the device connects using VPN. - Allow uploads when the device is on battery while under the set battery level - - - -## Learn more - -[Windows 10, Delivery Optimization, and WSUS](/archive/blogs/mniehaus/windows-10-delivery-optimization-and-wsus-take-2) - - -## Related articles - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) -- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md deleted file mode 100644 index 177e2b07ca..0000000000 
--- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
+++ /dev/null
@@ -1,62 +0,0 @@ ---- -title: Build deployment rings for Windows client updates -description: Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. -ms.prod: w10 -ms.mktglfcycl: manage -author: jaimeo -ms.localizationpriority: medium -ms.author: jaimeo -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Build deployment rings for Windows 10 updates - -**Applies to** - -- Windows 10 -- Windows 11 - - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -> [!NOTE] -> We're in the process of updating this topic with more definitive guidance. In the meantime, see [this post](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979) on the Windows 10 IT Pro blog for some great suggestions for a deployment ring structure. - -For Windows as a service, maintenance is ongoing and iterative. Deploying previous versions of Windows required organizations to build sets of users to roll out the changes in phases. Typically, these users ranged (in order) from the most adaptable and least risky to the least adaptable or riskiest. With Windows 10, a similar methodology exists, but construction of the groups is a little different. - -Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method by which to separate machines into a deployment timeline. With Windows client, you construct deployment rings a bit differently in each servicing tool, but the concepts remain the same. Each deployment ring should reduce the risk of issues derived from the deployment of the feature updates by gradually deploying the update to entire departments. 
As previously mentioned, consider including a portion of each department’s employees in several deployment rings. - -Defining deployment rings is generally a one-time event (or at least infrequent), but IT should revisit these groups to ensure that the sequencing is still correct. Also, there are times in which client computers could move between different deployment rings when necessary. - -Table 1 provides an example of the deployment rings you might use. - -**Table 1** - -| Deployment ring | Servicing channel | Deferral for feature updates | Deferral for quality updates | Example | -| --- | --- | --- | --- | --- | -| Preview | Windows Insider Program | None | None | A few machines to evaluate early builds prior to their arrival to the semi-annual channel | -| Broad | Semi-annual channel | 120 days | 7-14 days | Broadly deployed to most of the organization and monitored for feedback
                  Pause updates if there are critical issues | -| Critical | Semi-annual channel | 180 days | 30 days | Devices that are critical and will only receive updates once they've been vetted for a period of time by the majority of the organization | - ->[!NOTE] ->In this example, there are no rings made up of the long-term servicing channel (LTSC). The LTSC does not receive feature updates. - - -As Table 1 shows, each combination of servicing channel and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing channel to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing channel they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense. - - -## Steps to manage updates for Windows client - -|  |  | -| --- | --- | -| ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | -| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) | -| ![done.](images/checklistdone.png) | Build deployment rings for Windows client updates (this topic) | -| ![to do.](images/checklistbox.gif) | [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md) | -| ![to do.](images/checklistbox.gif) | [Optimize update delivery for Windows client updates](waas-optimize-windows-10-updates.md) | -| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
                  or [Deploy Windows client updates using Windows Server Update Services](waas-manage-updates-wsus.md)
                  or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | - - diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md index 6460401d70..b5d5e02b67 100644 --- a/windows/deployment/update/waas-integrate-wufb.md +++ b/windows/deployment/update/waas-integrate-wufb.md @@ -1,5 +1,5 @@ --- -title: Integrate Windows Update for Business (Windows 10) +title: Integrate Windows Update for Business description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. ms.prod: w10 ms.mktglfcycl: manage @@ -17,6 +17,7 @@ ms.topic: article **Applies to** - Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) @@ -25,7 +26,7 @@ You can integrate Windows Update for Business deployments with existing manageme ## Integrate Windows Update for Business with Windows Server Update Services -For Windows 10, version 1607, devices can now be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup: +For Windows 10, version 1607 and later, devices can be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup: - Devices will receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy - All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows will not follow your Windows Update for Business deferral policies 
@@ -34,7 +35,7 @@ For Windows 10, version 1607, devices can now be configured to receive updates f **Configuration:** -- Device is configured to defer Windows Quality Updates using Windows Update for Business +- Device is configured to defer Windows quality updates using Windows Update for Business - Device is also configured to be managed by WSUS - Device is not configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled) - Admin has opted to put updates to Office and other products on WSUS @@ -46,11 +47,11 @@ For Windows 10, version 1607, devices can now be configured to receive updates f Third-party driversWSUSWSUSNo -### Configuration example \#2: Excluding drivers from Windows Quality Updates using Windows Update for Business +### Configuration example \#2: Excluding drivers from Windows quality updates using Windows Update for Business **Configuration:** -- Device is configured to defer Windows Quality Updates and to exclude drivers from Windows Update Quality Updates (**ExcludeWUDriversInQualityUpdate** = enabled) +- Device is configured to defer Windows quality updates and to exclude drivers from Windows Update quality updates (**ExcludeWUDriversInQualityUpdate** = enabled) - Device is also configured to be managed by WSUS - Admin has opted to put Windows Update drivers on WSUS @@ -66,7 +67,7 @@ For Windows 10, version 1607, devices can now be configured to receive updates f **Configuration:** -- Device is configured to defer Quality Updates using Windows Update for Business and to be managed by WSUS +- Device is configured to defer quality updates using Windows Update for Business and to be managed by WSUS - Device is configured to “receive updates for other Microsoft products” along with updates to Windows (**Update/AllowMUUpdateService** = enabled) - Admin has also placed Microsoft Update, non-Microsoft, and locally published update content on the WSUS server 
@@ -86,26 +87,9 @@ In this example, the deferral behavior for updates to Office and other non-Windo ## Integrate Windows Update for Business with Microsoft Endpoint Configuration Manager -For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (i.e. setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**. +For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (that is, setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**. ![Example of unknown devices.](images/wufb-sccm.png) For more information, see [Integration with Windows Update for Business in Windows 10](/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10). 
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Overview of Windows as a service](waas-overview.md)
-- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
-- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure)
-- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service)
-- [Manage device restarts after updates](waas-restart.md)
\ No newline at end of file
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index bc2accd828..bb91408f6f 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -16,24 +16,21 @@ ms.topic: article **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) ->[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy or the registry. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. - WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Endpoint Manager provides. -When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10. +When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. 
If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 11. -## Requirements for Windows 10 servicing with WSUS +## Requirements for Windows client servicing with WSUS -To be able to use WSUS to manage and deploy Windows 10 feature updates, you must use a supported WSUS version: +To be able to use WSUS to manage and deploy Windows feature updates, you must use a supported WSUS version: - WSUS 10.0.14393 (role in Windows Server 2016) - WSUS 10.0.17763 (role in Windows Server 2019) - WSUS 6.2 and 6.3 (role in Windows Server 2012 and Windows Server 2012 R2) @@ -63,7 +60,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin 3. Right-click **Your_Domain**, and then select **Create a GPO in this domain, and Link it here**. - ![Example of UI.](images/waas-wsus-fig3.png) + ![Create a GPO in this domain example in the UI.](images/waas-wsus-fig3.png) >[!NOTE] >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU. 
@@ -76,13 +73,13 @@ When using WSUS to manage updates on Windows client devices, start by configurin 7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**. - ![Example of UI.](images/waas-wsus-fig4.png) + ![Configure Automatic Updates in the UI.](images/waas-wsus-fig4.png) 8. In the **Configure Automatic Updates** dialog box, select **Enable**. 9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**. - ![Example of UI.](images/waas-wsus-fig5.png) + ![Select Auto download and notify for install in the UI.](images/waas-wsus-fig5.png) >[!IMPORTANT] > Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations 
@@ -94,12 +91,12 @@ When using WSUS to manage updates on Windows client devices, start by configurin 11. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**. -12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type http://Your_WSUS_Server_FQDN:PortNumber, and then select **OK**. +12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type `http://Your_WSUS_Server_FQDN:PortNumber`, and then select **OK**. >[!NOTE] >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance. - ![Example of UI.](images/waas-wsus-fig6.png) + ![Set the intranet statistics server in the UI.](images/waas-wsus-fig6.png) >[!NOTE] >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. (The other options are 80 and 443; no other ports are supported.) 
@@ -109,7 +106,7 @@ As Windows clients refresh their computer policies (the default Group Policy ref ## Create computer groups in the WSUS Administration Console >[!NOTE] ->The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples. +>The following procedures use the groups from Table 1 in [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) as examples. You can use computer groups to target a subset of devices that have specific quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console. @@ -119,7 +116,7 @@ You can use computer groups to target a subset of devices that have specific qua 2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**. - ![Example of UI.](images/waas-wsus-fig7.png) + ![Add Computer Group in the WSUS Administration UI.](images/waas-wsus-fig7.png) 3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**. @@ -147,7 +144,7 @@ When new computers communicate with WSUS, they appear in the **Unassigned Comput 2. Select both computers, right-click the selection, and then click **Change Membership**. - ![Example of UI.](images/waas-wsus-fig8.png) + ![Select Change Membership in the UI.](images/waas-wsus-fig8.png) 3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**. 
@@ -165,7 +162,7 @@ Another way to add multiple computers to a deployment ring in the WSUS Administr 3. In the search results, select the computers, right-click the selection, and then click **Change Membership**. - ![Example of UI.](images/waas-wsus-fig9.png) + ![Select Change Membership to search for multiple computers in the UI.](images/waas-wsus-fig9.png) 4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**. @@ -182,7 +179,7 @@ The WSUS Administration Console provides a friendly interface from which you can 1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**. - ![Example of UI.](images/waas-wsus-fig10.png) + ![Select Comptuers in the WSUS Administration Console.](images/waas-wsus-fig10.png) 2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**. @@ -206,7 +203,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t 5. Right-click the **WSUS – Client Targeting – Ring 4 Broad Business Users** GPO, and then click **Edit**. - ![Example of UI.](images/waas-wsus-fig11.png) + ![Select the WSUS ring 4 and edit in group policy.](images/waas-wsus-fig11.png) 6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update. @@ -216,7 +213,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t 9. In the **Target group name for this computer** box, type *Ring 4 Broad Business Users*. This is the name of the deployment ring in WSUS to which these computers will be added. - ![Example of UI.](images/waas-wsus-fig12.png) + ![Enter the WSUS deployment ring name.](images/waas-wsus-fig12.png) > [!WARNING] > The target group name must match the computer group name. 
@@ -233,7 +230,7 @@ Now you’re ready to deploy this GPO to the correct computer security group for 3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group. - ![Example of UI.](images/waas-wsus-fig13.png) + ![Remove the default AUTHENTICATED USERS security group in group policy.](images/waas-wsus-fig13.png) The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring. 
@@ -242,10 +239,11 @@ The next time the clients in the **Ring 4 Broad Business Users** security group For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS. >[!NOTE] ->WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for Semi-Annual Channel, the devices in the Semi-Annual Channel will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS. +>WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for the [General Availability Channel](waas-overview.md#general-availability-channel), the devices in that will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS. -**To configure an Automatic Approval rule for Windows 10 feature updates and approve them for the Ring 3 Broad IT deployment ring** +**To configure an Automatic Approval rule for Windows client feature updates and approve them for the Ring 3 Broad IT deployment ring** +This example uses Windows 10, but the process is the same for Windows 11. 1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Options, and then select **Automatic Approvals**. 
@@ -253,7 +251,7 @@ For clients that should have their feature updates approved as soon as they’re 3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes. - ![Example of UI.](images/waas-wsus-fig14.png) + ![Select the update and deadline check boxes in the WSUS Administration Console.](images/waas-wsus-fig14.png) 4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**. 
@@ -267,23 +265,23 @@ For clients that should have their feature updates approved as soon as they’re 8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**. - ![Example of UI.](images/waas-wsus-fig15.png) + ![Enter the ring 3 deployment name.](images/waas-wsus-fig15.png) 9. In the **Automatic Approvals** dialog box, click **OK**. >[!NOTE] >WSUS does not honor any existing month/week/day [deferral settings](waas-configure-wufb.md#configure-when-devices-receive-feature-updates). That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait. -Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week. +Now, whenever Windows client feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week. > [!WARNING] -> The auto approval rule runs after synchronization occurs. This means that the *next* upgrade for each Windows 10 version will be approved. If you select **Run Rule**, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actually want--which can be a problem when the download sizes are very large. +> The auto approval rule runs after synchronization occurs. This means that the *next* upgrade for each Windows client version will be approved. If you select **Run Rule**, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actually want--which can be a problem when the download sizes are very large. 
## Manually approve and deploy feature updates You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. It might be best to approve update rules manually after your pilot deployment has been updated. -To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates. +To simplify the manual approval process, start by creating a software update view that contains only Windows 10 (in this example) updates. The process is the same for Windows 11 updates. > [!NOTE] > If you approve more than one feature update for a computer, an error can result with the client. Approve only one feature update per computer. @@ -302,7 +300,7 @@ To simplify the manual approval process, start by creating a software update vie 5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**. - ![Example of UI.](images/waas-wsus-fig16.png) + ![Enter All Windows 10 Upgrades for the name in the WSUS admin console.](images/waas-wsus-fig16.png) Now that you have the **All Windows 10 Upgrades** view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring: 
@@ -310,21 +308,21 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s 2. Right-click the feature update you want to deploy, and then click **Approve**. - ![Example of UI.](images/waas-wsus-fig17.png) + ![Approve the feature you want to deploy in WSUS admin console.](images/waas-wsus-fig17.png) 3. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Approved for Install**. - ![Example of UI.](images/waas-wsus-fig18.png) + ![Select Approve for install in the WSUS admin console.](images/waas-wsus-fig18.png) 4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**. - ![Example of UI.](images/waas-wsus-fig19.png) + ![Select a one week deadline in the WSUS admin console.](images/waas-wsus-fig19.png) 5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**. If the deployment is successful, you should receive a successful progress report. - ![Example of UI.](images/waas-wsus-fig20.png) + ![A sample successful deployment.](images/waas-wsus-fig20.png) 6. In the **Approval Progress** dialog box, click **Close**. diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 850d6cec44..dea3bbba22 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -1,5 +1,5 @@ --- -title: Windows Update for Business (Windows 10) +title: Windows Update for Business ms.reviewer: manager: laurawi description: Learn how Windows Update for Business lets you manage when devices receive updates from Windows Update. 
@@ -18,14 +18,15 @@ ms.custom: seo-marvel-apr2020 **Applies to** - Windows 10 +- Windows 11 -Windows Update for Business is a free service that is available for all premium editions including Windows 10 Pro, Enterprise, Pro for Workstation, and Education editions. +Windows Update for Business is a free service that is available for all premium editions including Windows 10 and Windows 11 Pro, Enterprise, Pro for Workstation, and Education editions. > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -Windows Update for Business enables IT administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. +Windows Update for Business enables IT administrators to keep the Windows client devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when devices are updated. Specifically, Windows Update for Business lets you control update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization. It also provides a positive update experience for people in your organization. 
@@ -46,7 +47,7 @@ Windows Update for Business enables an IT administrator to receive and manage a Windows Update for Business provides management policies for several types of updates to Windows 10 devices: -- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released semi-annually in the fall and in the spring. +- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released as soon as they become available. - **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as updates for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates. - **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer. - **Microsoft product updates**: Updates for other Microsoft products, such as versions of Office that are installed by using Windows Installer (MSI). Versions of Office that are installed by using Click-to-Run can't be updated by using Windows Update for Business. Product updates are off by default. You can turn them on by using Windows Update for Business policies. 
@@ -62,16 +63,15 @@ You can defer or pause the installation of updates for a set period of time. The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates: -- Windows Insider Fast -- Windows Insider Slow -- Windows Insider Release Preview -- Semi-Annual Channel +- Windows Insider Dev +- Windows Insider Beta +- Windows Insider Preview +- General Availability Channel -Prior to Windows 10, version 1903, there are two channels for released updates: Semi-Annual Channel and Semi-Annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-Annual Channel. All deferral days are calculated against a release’s Semi-Annual Channel release date. For exact release dates, see [Windows Release Information](/windows/release-health/release-information). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. To use this policy to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. #### Defer an update -A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. 
To defer feature updates, use the **Select when Preview Builds and Feature Updates are Received** policy. +A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and feature updates are Received** policy. |Category |Maximum deferral period | 
@@ -88,7 +88,7 @@ A Windows Update for Business administrator can defer the installation of both f If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated. If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set. -To pause feature updates, use the **Select when Preview Builds and Feature Updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates). +To pause feature updates, use the **Select when Preview Builds and feature updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates). Built-in benefits: When updating from Windows Update, you get the added benefits of built-in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks. 
@@ -97,10 +97,10 @@ When updating from Windows Update, you get the added benefits of built-in compat For the best experience with Windows Update, follow these guidelines: -- Use devices for at least 6 hours per month, including at least 2 hours of continuous use. -- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours. -- Make sure that devices have at least 10 GB of free space. -- Give devices unobstructed access to the Windows Update service. +- Use devices for at least 6 hours per month, including at least 2 hours of continuous use. +- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours. +- Make sure that devices have at least 10 GB of free space. +- Give devices unobstructed access to the Windows Update service. ### Manage the end-user experience when receiving Windows Updates @@ -110,9 +110,9 @@ Windows Update for Business provides controls to help meet your organization’s Features like the smart busy check (which ensure updates don't happen when a user is signed in) and active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features: -1. Automatically download, install, and restart (default if no restart policies are set up or enabled) -2. Use the default notifications -3. Set update deadlines +1. Automatically download, install, and restart (default if no restart policies are set up or enabled). +2. Use the default notifications. +3. Set update deadlines. ##### Setting deadlines 
@@ -121,101 +121,11 @@ A compliance deadline policy (released in June 2019) enables you to set separate This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This approach is useful in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation. #### Update Baseline -The large number of different policies offered for Windows 10 can be overwhelming. Update Baseline provides a clear list of recommended Windows update policy settings for IT administrators who want the best user experience while also meeting their update compliance goals. The Update Baseline for Windows 10 includes policy settings recommendations covering deadline configuration, restart behavior, power policies, and more. + +The large number of different policies offered can be overwhelming. Update Baseline provides a clear list of recommended Windows update policy settings for IT administrators who want the best user experience while also meeting their update compliance goals. The Update Baseline for Windows 10 includes policy settings recommendations covering deadline configuration, restart behavior, power policies, and more. The Update Baseline toolkit makes it easy by providing a single command for IT Admins to apply the Update Baseline to devices. You can get the Update Baseline toolkit from the [Download Center](https://www.microsoft.com/download/details.aspx?id=101056). >[!NOTE] ->The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether you’re using deferrals or target version to manage which updates are offered to your devices when. 
+>The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether you’re using deferrals or target version to manage which updates are offered to your devices when. Update Baseline is not currently supported for Windows 11. - + + + + + + + Page-1 + + + Sheet.1 + + + + + + diff --git a/windows/hub/index.yml b/windows/hub/index.yml index e3a2448009..9c115c5b15 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml 
@@ -1,121 +1,262 @@ -### YamlMime:Landing +### YamlMime:Hub -title: Windows client resources and documentation for IT Pros # < 60 chars -summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # < 160 chars +title: Windows client documentation for IT Pros # < 60 chars +summary: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # < 160 chars +# brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-apps | power-automate | power-bi | power-platform | power-virtual-agents | sql | sql-server | vs | visual-studio | windows | xamarin +brand: windows metadata: title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. description: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required - ms.collection: windows-10 - author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. - ms.author: greglin #Required; microsoft alias of author; optional team alias. - ms.date: 06/01/2020 #Required; mm/dd/yyyy format. + ms.service: subservice #Required; service per approved list. service slug assigned to your service by ACOM. + ms.subservice: subservice # Optional; Remove if no subservice is used. + ms.topic: hub-page # Required + ms.collection: windows-10 # Optional; Remove if no collection is used. + author: dougeby #Required; your GitHub user alias, with correct capitalization. + ms.author: dougeby #Required; microsoft alias of author; optional team alias. + ms.date: 10/01/2021 #Required; mm/dd/yyyy format. 
localization_priority: medium - -# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new -landingContent: -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - - title: What's new - linkLists: - - linkListType: overview - links: - - text: Windows 11 overview - url: /windows/whats-new/windows-11 - - text: Windows 11 requirements - url: /windows/whats-new/windows-11-requirements - - text: Plan for Windows 11 - url: /windows/whats-new/windows-11-plan - - text: Prepare for Windows 11 - url: /windows/whats-new/windows-11-prepare - - text: What's new in Windows 10, version 21H1 - url: /windows/whats-new/whats-new-windows-10-version-21H1 - - text: Windows release information - url: /windows/release-health/release-information +# highlightedContent section (optional) +# Maximum of 8 items +highlightedContent: +# itemType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new + items: + # Card + - title: Become a Windows Insider + itemType: overview + url: https://insider.windows.com + # Card + - title: See what's new in Windows release health + itemType: overview + url: /windows/release-health/ + # Card + - title: Empower your hybrid workforce + itemType: overview + url: https://www.microsoft.com/microsoft-365/blog/2021/10/04/empower-your-hybrid-workforce-today-with-windows-11/ + +# productDirectory section (optional) +productDirectory: + title: Get to know Windows 11 # < 60 chars (optional) + summary: Learn more about what's new, what's updated, and what you get in Windows 11 # < 160 chars (optional) + items: + # Card + - title: What's new in Windows 11 + imageSrc: /windows/resources/images/winlogo.svg + summary: Get more information about features and improvements that are important to admins + 
url: /windows/whats-new/windows-11-whats-new + - title: Windows 11 requirements + imageSrc: /windows/resources/images/winlogo.svg + summary: See the system requirements for Windows 11, including running Windows 11 on a virtual machine + url: /windows/whats-new/windows-11-requirements + - title: Learn more about Windows 11 Enterprise + imageSrc: /windows/resources/images/winlogo.svg + summary: Get more information on the features, security, and licensing plans designed for organizations + url: https://www.microsoft.com/microsoft-365/windows/windows-11-enterprise + - title: FAQ - Upgrade to Windows 11 + imageSrc: /windows/resources/images/winlogo.svg + summary: See some common questions and answers when upgrading to Windows 11 + url: https://support.microsoft.com/windows/upgrade-to-windows-11-faq-fb6206a2-1a0f-448a-80f1-8668ee5b2bf9 + - title: Windows 11 chip to cloud protection - Security challenges of hybrid work + imageSrc: /windows/resources/images/winlogo.svg + summary: Blog from the Microsoft Windows Security Team + url: https://www.microsoft.com/security/blog/2021/10/04/windows-11-offers-chip-to-cloud-protection-to-meet-the-new-security-challenges-of-hybrid-work + - title: Trusted Platform Module (TPM) + imageSrc: /windows/resources/images/winlogo.svg + summary: Learn more about TPM, and why it's a good thing + url: /windows/security/information-protection/tpm/trusted-platform-module-overview + +# conceptualContent section (optional) +conceptualContent: +# Supports up to 3 sections +# itemType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new + + title: Windows client resources and documentation for IT Pros + summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows 11. 
+ items: + # card + - title: Overview + links: + - url: /windows/whats-new/windows-11-whats-new + itemType: overview + text: What's new in Windows 11 + - url: /windows/whats-new/windows-11-plan + itemType: overview + text: Plan for Windows 11 + - url: /windows/whats-new/windows-11-prepare + itemType: overview + text: Prepare for Windows 11 + - url: /windows/whats-new/whats-new-windows-10-version-21H1 + itemType: overview + text: What's new in Windows 10, version 21H1 + - url: /windows/release-health/release-information + itemType: overview + text: Windows release information # Card (optional) - - title: Configuration - linkLists: - - linkListType: how-to-guide - links: - - text: Configure Windows - url: /windows/configuration/index - - text: Accessibility information for IT Pros - url: /windows/configuration/windows-10-accessibility-for-itpros - - text: Configure access to Microsoft Store - url: /windows/configuration/stop-employees-from-using-microsoft-store - - text: Set up a shared or guest PC - url: /windows/configuration/set-up-shared-or-guest-pc + - title: Configuration + links: + - url: /windows/configuration/index + itemType: overview + text: Configure Windows + - url: /windows/configuration/provisioning-packages/provisioning-packages + itemType: how-to-guide + text: Use Provisioning packages to configure new devices + - url: /windows/configuration/windows-10-accessibility-for-itpros + itemType: overview + text: Accessibility information for IT Pros + - url: /windows/configuration/customize-start-menu-layout-windows-11 + itemType: how-to-guide + text: Customize the Start menu layout + - url: /windows/configuration/stop-employees-from-using-microsoft-store + itemType: how-to-guide + text: Control access to Microsoft Store + - url: /windows/configuration/set-up-shared-or-guest-pc + itemType: how-to-guide + text: Set up a shared or guest PC # Card (optional) - - title: Deployment - linkLists: - - linkListType: deploy - links: - - text: Deploy and update 
Windows - url: /windows/deployment/index - - text: Windows deployment scenarios - url: /windows/deployment/windows-10-deployment-scenarios - - text: Create a deployment plan - url: /windows/deployment/update/create-deployment-plan - - text: Prepare to deploy Windows client - url: /windows/deployment/update/prepare-deploy-windows - + - title: Deployment + links: + - url: /windows/deployment/index + itemType: deploy + text: Deploy and update Windows + - url: /windows/deployment/windows-10-deployment-scenarios + itemType: deploy + text: Windows deployment scenarios + - url: /windows/deployment/update/create-deployment-plan + itemType: deploy + text: Create a deployment plan + - url: /windows/deployment/update/prepare-deploy-windows + itemType: deploy + text: Prepare to deploy Windows client # Card - - title: App management - linkLists: - - linkListType: how-to-guide - links: - - text: Windows application management - url: /windows/application-management/index - - text: Understand the different apps included in Windows 10 - url: /windows/application-management/apps-in-windows-10 - - text: Get started with App-V for Windows 10 - url: /windows/application-management/app-v/appv-getting-started - - text: Keep removed apps from returning during an update - url: /windows/application-management/remove-provisioned-apps-during-update + - title: App management + links: + - url: /windows/application-management/index + itemType: overview + text: Windows application management + - url: /windows/application-management/apps-in-windows-10 + itemType: overview + text: Learn more about the different apps types for Windows + - url: /windows/application-management/private-app-repository-mdm-company-portal-windows-11 + itemType: how-to-guide + text: Use the private app repo on Windows 11 + - url: /windows/application-management/remove-provisioned-apps-during-update + itemType: how-to-guide + text: Keep removed apps from returning during an update + - url: 
https://blogs.windows.com/windowsdeveloper/2021/10/04/developing-for-windows-11/ + itemType: overview + text: Blog - Develop apps for Windows 11 # Card - - title: Client management - linkLists: - - linkListType: how-to-guide - links: - - text: Windows client management - url: /windows/client-management/index - - text: Administrative tools - url: /windows/client-management/administrative-tools-in-windows-10 - - text: Create mandatory user profiles - url: /windows/client-management/mandatory-user-profile - - text: New policies for Windows 10 - url: /windows/client-management/new-policies-for-windows-10 - - text: Configuration service provider reference - url: /windows/client-management/mdm/configuration-service-provider-reference + - title: Client management + links: + + - url: /windows/client-management/index + itemType: overview + text: Windows client management + - url: /windows/client-management/administrative-tools-in-windows-10 + itemType: overview + text: Administrative tools + - url: /windows/client-management/mandatory-user-profile + itemType: how-to-guide + text: Create mandatory user profiles + - url: /windows/client-management/new-policies-for-windows-10 + itemType: overview + text: New policies for Windows 10 + - url: /windows/client-management/mdm/configuration-service-provider-reference + itemType: reference + text: Configuration service provider reference # Card (optional) - - title: Security and Privacy - linkLists: - - linkListType: how-to-guide - links: - - text: Windows Enterprise Security - url: /windows/security/index - - text: Windows Privacy - url: /windows/privacy/index - - text: Identity and access management - url: /windows/security/identity-protection/index - - text: Threat protection - url: /windows/security/threat-protection/index - - text: Information protection - url: /windows/security/information-protection/index - - text: Required diagnostic data - url: /windows/privacy/required-windows-diagnostic-data-events-and-fields-2004 - - 
text: Optional diagnostic data - url: /windows/privacy/windows-diagnostic-data - - text: Changes to Windows diagnostic data collection - url: /windows/privacy/changes-to-windows-diagnostic-data-collection \ No newline at end of file + - title: Security and Privacy + links: + - url: /windows/security/index + itemType: overview + text: Windows Enterprise Security + - url: /windows/privacy/index + itemType: overview + text: Windows Privacy + - url: /windows/security/hardware + itemType: overview + text: Hardware security + - url: /windows/security/operating-system + itemType: overview + text: Operating system security + - url: /windows/security/apps + itemType: overview + text: Application security + - url: /windows/security/identity + itemType: overview + text: User and identity security + - url: /windows/security/cloud + itemType: overview + text: Cloud services + +# additionalContent section (optional) +# Card with summary style +additionalContent: + # Supports up to 4 subsections + sections: + - title: More Windows resources # < 60 chars (optional) + items: + # Card + - title: Windows product site + summary: Find out how Windows enables your business to do more + url: https://www.microsoft.com/microsoft-365/windows + - title: "Windows 11: A new era for the PC begins today" + summary: Blog article that describes how Windows 11 empowers you to produce and inspires you to create + url: https://blogs.windows.com/windowsexperience/2021/10/04/windows-11-a-new-era-for-the-pc-begins-today/ + - title: Windows IT Pro blogs + summary: The latest Windows blog articles for the IT Pro + url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog + - title: Windows blogs + summary: Keep up with the latest news about Windows + url: https://blogs.windows.com/ + - title: Participate in the Tech Community + summary: Learn how to be part of the Windows Tech Community + url: https://techcommunity.microsoft.com/t5/windows/ct-p/Windows10 + - title: Ask the 
community + summary: Get help, and help others + url: https://answers.microsoft.com/windows/forum + + - title: Other resources + items: + - title: Microsoft Endpoint Manager + links: + - text: Microsoft Endpoint Manager documentation + url: /mem + - text: Overview of Microsoft Endpoint Manager + url: /mem/endpoint-manager-overview + - text: Getting started with Microsoft Endpoint Manager + url: /mem/endpoint-manager-getting-started + - text: Microsoft Endpoint Manager simplifies upgrades to Windows 11 + url: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/endpoint-manager-simplifies-upgrades-to-windows-11/ba-p/2771886 + - text: Understanding readiness for Windows 11 with Microsoft Endpoint Manager + url: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/understanding-readiness-for-windows-11-with-microsoft-endpoint/ba-p/2770866 + - text: Microsoft Endpoint Manager blog + url: https://aka.ms/memblog + - title: Windows 365 + links: + - text: Windows 365 documentation + url: /windows-365 + - text: What is Windows 365 + url: /windows-365/overview + - text: Windows 365 Enterprise now supports Windows 11 + url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-365-enterprise-now-supports-windows-11/ba-p/2810334 + - text: Windows 365 blog + url: https://www.microsoft.com/microsoft-365/blog/ + + - title: Windows Server + links: + - text: Windows Server documentation + url: /windows-server + - text: What's new in Windows Server 2022? + url: /windows-server/get-started/whats-new-in-windows-server-2022 + - text: Get started with Windows Server + url: /windows-server/get-started/get-started-with-windows-server + - text: Windows Server blog + url: https://cloudblogs.microsoft.com/windowsserver/ diff --git a/windows/manage/TOC.yml b/windows/manage/TOC.yml new file mode 100644 index 0000000000..892ce64421 --- /dev/null +++ b/windows/manage/TOC.yml @@ -0,0 +1,2 @@ +- name: Test + href: test.md 
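Review bot: In the `metadata` block of windows/hub/index.yml, `ms.service` changes from `windows-10` to `subservice`, which reads like a template placeholder rather than a service slug. The comment on that same line says the value is required and must come from the approved list. Unless `subservice` really is an approved slug, keep `ms.service: windows-10`, which also matches the unchanged `services: windows-10` line above it. The neighbouring `ms.subservice: subservice` line carries the same placeholder, and its new comment says to remove the key when no subservice is used, so it looks like it should be deleted rather than kept.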
diff --git a/windows/manage/test.md b/windows/manage/test.md new file mode 100644 index 0000000000..36d16a3f6b --- /dev/null +++ b/windows/manage/test.md @@ -0,0 +1,19 @@ +--- +title: Test +description: Test +ms.prod: w11 +ms.mktglfcycl: deploy +ms.sitesec: library +author: dstrome +ms.author: dstrome +ms.reviewer: +manager: dstrome +ms.topic: article +--- + +# Test + +## Deployment planning + +This article provides guidance to help you plan for Windows 11 in your organization. + diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md index 5852e85928..32ba2bc16a 100644 --- a/windows/privacy/Microsoft-DiagnosticDataViewer.md +++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md @@ -21,7 +21,8 @@ ms.reviewer: **Applies to** -- Windows 10, version 1803 and newer +- Windows 11 +- Windows 10, version 1803 and later - Windows Server, version 1803 - Windows Server 2019 diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 2abc6b7ebe..a2c09c70c3 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/28/2021 +ms.date: ms.reviewer: --- 
@@ -33,7 +33,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) @@ -2692,7 +2693,7 @@ The following fields are available: - **Slot** Slot to which the DRAM is plugged into the motherboard. - **Speed** The configured memory slot speed in MHz. - **Type** Reports DDR as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2. -- **TypeDetails** Reports Non-volatile as a bit flag enumeration per the DMTF SMBIOS standard version 3.3.0, section 7.18.3. +- **TypeDetails** Reports Non-volatile as a bit flag enumeration as per the DMTF SMBIOS standard version 3.3.0, section 7.18.3. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync 
@@ -6247,6 +6248,21 @@ The following fields are available: - **ResultId** The final result of the interaction campaign. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **ControlId** String identifying the control (if any) that was selected by the user during presentation. +- **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign. +- **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign. +- **InteractionCampaignID** The ID of the interaction campaign that was processed. +- **ResultId** The result of the evaluation/presentation. +- **WasCompleted** True if the interaction campaign is complete. +- **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user. + + ### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. 
@@ -6278,6 +6294,20 @@ This event is sent when RUXIM begins checking with OneSettings to retrieve any U +### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent + +This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **hrLocal** The error (if any) encountered by RUXIM Interaction Handler during evaluation and presentation. +- **hrPresentation** The error (if any) reported by RUXIM Presentation Handler during presentation. +- **InteractionCampaignID** GUID; the user interaction campaign processed by RUXIM Interaction Handler. +- **ResultId** The result generated by the evaluation and presentation. +- **WasCompleted** True if the user interaction campaign is complete. +- **WasPresented** True if the user interaction campaign is displayed to the user. + + ### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 6dc4ef0157..2c105c0127 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/28/2021 +ms.date: ms.reviewer: --- 
@@ -33,7 +33,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) @@ -2734,8 +2735,8 @@ The following fields are available: - **Model** Model and sub-model of the memory - **Slot** Slot to which the DRAM is plugged into the motherboard. - **Speed** The configured memory slot speed in MHz. -- **Type** Reports DDR as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2. -- **TypeDetails** Reports Non-volatile as a bit flag enumeration per the DMTF SMBIOS standard version 3.3.0, section 7.18.3. +- **Type** Reports DDR as an enumeration value per DMTF SMBIOS standard version 3.3.0, section 7.18.2. +- **TypeDetails** Reports Non-volatile as a bit flag enumeration per DMTF SMBIOS standard version 3.3.0, section 7.18.3. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync 
@@ -6409,6 +6410,21 @@ The following fields are available: - **ResultId** The final result of the interaction campaign. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **ControlId** String identifying the control (if any) that was selected by the user during presentation. +- **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign. +- **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign. +- **InteractionCampaignID** The ID of the interaction campaign that was processed. +- **ResultId** The result of the evaluation/presentation. +- **WasCompleted** True if the interaction campaign is complete. +- **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user. + + ### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. 
@@ -6440,6 +6456,20 @@ This event is sent when RUXIM begins checking with OneSettings to retrieve any U +### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent + +This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **hrLocal** The error (if any) encountered by RUXIM Interaction Handler during evaluation and presentation. +- **hrPresentation** The error (if any) reported by RUXIM Presentation Handler during presentation. +- **InteractionCampaignID** GUID; the user interaction campaign processed by RUXIM Interaction Handler. +- **ResultId** The result generated by the evaluation and presentation. +- **WasCompleted** True if the user interaction campaign is complete. +- **WasPresented** True if the user interaction campaign is displayed to the user. + + ### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 8a5eb64108..89feae1164 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/28/2021 +ms.date: ms.reviewer: --- 
@@ -33,7 +33,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) @@ -43,7 +44,6 @@ You can learn more about Windows functional and diagnostic data through these ar - ## Appraiser events ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount 
@@ -3007,6 +3007,32 @@ The following fields are available: - **WDDMVersion** The Windows Display Driver Model version. +### DxgKrnlTelemetry.GPUAdapterStop + +This event collects information about an adapter when it stops. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **AdapterLuid** Local Identifier for the adapter. +- **AdapterTypeValue** Numeric value indicating the type of the adapter. +- **DriverDate** Date of the driver. +- **DriverVersion** Version of the driver. +- **GPUDeviceID** Device identifier for the adapter. +- **GPUVendorID** Vendor identifier for the adapter. +- **InterfaceId** Identifier for the adapter. +- **IsDetachable** Boolean value indicating whether the adapter is removable or detachable. +- **IsDisplayDevice** Boolean value indicating whether the adapter has display capabilities. +- **IsHybridDiscrete** Boolean value indicating whether the adapter is a discrete adapter in a hybrid configuration. +- **IsHybridIntegrated** Boolean value indicating whether the adapter is an integrated adapter in a hybrid configuration. +- **IsRenderDevice** Boolean value indicating whether the adapter has rendering capabilities. +- **IsSoftwareDevice** Boolean value indicating whether the adapter is implemented in software. +- **IsSurpriseRemoved** Boolean value indicating whether the adapter was surprise removed. +- **SubSystemID** Subsystem identifier for the adapter. +- **SubVendorID** Sub-vendor identifier for the adapter. +- **version** Version of the schema for this event. +- **WDDMVersion** Display driver model version for the driver. + + ## Failover Clustering events ### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2 
@@ -3674,7 +3700,7 @@ The following fields are available: - **Slot** Slot to which the DRAM is plugged into the motherboard. - **Speed** The configured memory slot speed in MHz. - **Type** Reports DDR as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2. -- **TypeDetails** Reports Non-volatile as a bit flag enumeration per the DMTF SMBIOS standard version 3.3.0, section 7.18.3. +- **TypeDetails** Reports Non-volatile as a bit flag enumeration as per the DMTF SMBIOS standard version 3.3.0, section 7.18.3. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync @@ -4340,6 +4366,11 @@ The following fields are available: - **winInetError** The HResult of the operation. + +## Other events + + + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted @@ -5444,6 +5475,7 @@ The following fields are available: - **pszBatteryDataXml** Battery performance data. - **szBatteryInfo** Battery performance data. + ## Update Assistant events ### Microsoft.Windows.UpdateAssistant.Orchestrator.BlockingEventId 
@@ -8032,6 +8064,21 @@ The following fields are available: - **ResultId** The final result of the interaction campaign. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **ControlId** String identifying the control (if any) that was selected by the user during presentation. +- **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign. +- **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign. +- **InteractionCampaignID** The ID of the interaction campaign that was processed. +- **ResultId** The result of the evaluation/presentation. +- **WasCompleted** True if the interaction campaign is complete. +- **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user. + + ### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 99cc79b6ea..e170e13dbe 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/29/2021 +ms.date: ms.reviewer: --- 
@@ -24,7 +24,6 @@ ms.reviewer: - Windows 10, version 1809 - The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -33,7 +32,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) 
@@ -312,7 +312,7 @@ The following fields are available:
 - **DatasourceApplicationFile_19H1Setup** The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_20H1** The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_20H1Setup** The total number of objects of this type present on this device.
-- **DatasourceApplicationFile_21H1Setup** The total number of objects of this type present on this device.
+- **DatasourceApplicationFile_21H1Setup** The count of the number of this particular object type present on this device.
 - **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device.
@@ -324,11 +324,11 @@ The following fields are available:
 - **DatasourceApplicationFile_TH1** The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_TH2** The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_19ASetup** The total number of objects of this type present on this device.
-- **DatasourceDevicePnp_19H1** The total number of objects of this type present on this device.
+- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device.
 - **DatasourceDevicePnp_19H1Setup** The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_20H1** The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_20H1Setup** The total number of objects of this type present on this device.
-- **DatasourceDevicePnp_21H1Setup** The total number of objects of this type present on this device.
+- **DatasourceDevicePnp_21H1Setup** The count of the number of this particular object type present on this device.
 - **DatasourceDevicePnp_RS1** The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device.
@@ -344,7 +344,7 @@ The following fields are available:
 - **DatasourceDriverPackage_19H1Setup** The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_20H1** The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_20H1Setup** The total number of objects of this type present on this device.
-- **DatasourceDriverPackage_21H1Setup** The total number of objects of this type present on this device.
+- **DatasourceDriverPackage_21H1Setup** The count of the number of this particular object type present on this device.
 - **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device.
@@ -360,7 +360,7 @@ The following fields are available:
 - **DataSourceMatchingInfoBlock_19H1Setup** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_20H1** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device.
 - **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device.
@@ -376,7 +376,7 @@ The following fields are available:
 - **DataSourceMatchingInfoPassive_19H1Setup** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_20H1** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device.
 - **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device.
@@ -392,7 +392,7 @@ The following fields are available:
 - **DataSourceMatchingInfoPostUpgrade_19H1Setup** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_20H1** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device.
@@ -408,7 +408,7 @@ The following fields are available:
 - **DatasourceSystemBios_19H1Setup** The total number of objects of this type present on this device.
 - **DatasourceSystemBios_20H1** The total number of objects of this type present on this device.
 - **DatasourceSystemBios_20H1Setup** The total number of objects of this type present on this device.
-- **DatasourceSystemBios_21H1Setup** The total number of objects of this type present on this device.
+- **DatasourceSystemBios_21H1Setup** The count of the number of this particular object type present on this device.
 - **DatasourceSystemBios_RS1** The total number of objects of this type present on this device.
 - **DatasourceSystemBios_RS2** The total number of objects of this type present on this device.
 - **DatasourceSystemBios_RS3** The total number of objects of this type present on this device.
@@ -424,7 +424,7 @@ The following fields are available:
 - **DecisionApplicationFile_19H1Setup** The total number of objects of this type present on this device.
 - **DecisionApplicationFile_20H1** The total number of objects of this type present on this device.
 - **DecisionApplicationFile_20H1Setup** The total number of objects of this type present on this device.
-- **DecisionApplicationFile_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionApplicationFile_21H1Setup** The count of the number of this particular object type present on this device.
 - **DecisionApplicationFile_RS1** The total number of objects of this type present on this device.
 - **DecisionApplicationFile_RS2** The total number of objects of this type present on this device.
 - **DecisionApplicationFile_RS3** The total number of objects of this type present on this device.
@@ -440,7 +440,7 @@ The following fields are available:
 - **DecisionDevicePnp_19H1Setup** The total number of objects of this type present on this device.
 - **DecisionDevicePnp_20H1** The total number of objects of this type present on this device.
 - **DecisionDevicePnp_20H1Setup** The total number of objects of this type present on this device.
-- **DecisionDevicePnp_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionDevicePnp_21H1Setup** The count of the number of this particular object type present on this device.
 - **DecisionDevicePnp_RS1** The total number of objects of this type present on this device.
 - **DecisionDevicePnp_RS2** The total number of objects of this type present on this device.
 - **DecisionDevicePnp_RS3** The total number of objects of this type present on this device.
@@ -456,7 +456,7 @@ The following fields are available:
 - **DecisionDriverPackage_19H1Setup** The total number of objects of this type present on this device.
 - **DecisionDriverPackage_20H1** The total number of objects of this type present on this device.
 - **DecisionDriverPackage_20H1Setup** The total number of objects of this type present on this device.
-- **DecisionDriverPackage_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionDriverPackage_21H1Setup** The count of the number of this particular object type present on this device.
 - **DecisionDriverPackage_RS1** The total number of objects of this type present on this device.
 - **DecisionDriverPackage_RS2** The total number of objects of this type present on this device.
 - **DecisionDriverPackage_RS3** The total number of objects of this type present on this device.
@@ -472,7 +472,7 @@ The following fields are available:
 - **DecisionMatchingInfoBlock_19H1Setup** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_20H1** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device.
-- **DecisionMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device.
 - **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device.
@@ -488,7 +488,7 @@ The following fields are available:
 - **DecisionMatchingInfoPassive_19H1Setup** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_20H1** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device.
 - **DecisionMatchingInfoPassive_RS1** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device.
@@ -504,7 +504,7 @@ The following fields are available:
 - **DecisionMatchingInfoPostUpgrade_19H1Setup** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_20H1** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device.
 - **DecisionMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device.
@@ -520,7 +520,7 @@ The following fields are available:
 - **DecisionMediaCenter_19H1Setup** The total number of objects of this type present on this device.
 - **DecisionMediaCenter_20H1** The total number of objects of this type present on this device.
 - **DecisionMediaCenter_20H1Setup** The total number of objects of this type present on this device.
-- **DecisionMediaCenter_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionMediaCenter_21H1Setup** The count of the number of this particular object type present on this device.
 - **DecisionMediaCenter_RS1** The total number of objects of this type present on this device.
 - **DecisionMediaCenter_RS2** The total number of objects of this type present on this device.
 - **DecisionMediaCenter_RS3** The total number of objects of this type present on this device.
@@ -536,7 +536,7 @@ The following fields are available:
 - **DecisionSystemBios_19H1Setup** The total number of objects of this type present on this device.
 - **DecisionSystemBios_20H1** The total number of objects of this type present on this device.
 - **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device.
-- **DecisionSystemBios_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionSystemBios_21H1Setup** The count of the number of this particular object type present on this device.
 - **DecisionSystemBios_RS1** The total number of objects of this type present on this device.
 - **DecisionSystemBios_RS2** The total number of objects of this type present on this device.
 - **DecisionSystemBios_RS3** The total number of objects of this type present on this device.
@@ -579,7 +579,7 @@ The following fields are available:
 - **Wmdrm_19H1Setup** The total number of objects of this type present on this device.
 - **Wmdrm_20H1** The total number of objects of this type present on this device.
 - **Wmdrm_20H1Setup** The total number of objects of this type present on this device.
-- **Wmdrm_21H1Setup** The total number of objects of this type present on this device.
+- **Wmdrm_21H1Setup** The count of the number of this particular object type present on this device.
 - **Wmdrm_RS1** The total number of objects of this type present on this device.
 - **Wmdrm_RS2** The total number of objects of this type present on this device.
 - **Wmdrm_RS3** The total number of objects of this type present on this device.
@@ -1219,6 +1219,28 @@ The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. +### Microsoft.Windows.Appraiser.General.DecisionSystemMemoryAdd + +This event sends compatibility decision data about the system memory to help keep Windows up to date. Microsoft uses this information to understand and address problems regarding system memory for computers receiving updates. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Blocking** Blocking information. +- **BlockingSystemGeneralScenario** Decision about upgrade eligibility based on RAM. +- **MemoryRequirementViolated** Memory information. +- **SystemRequirementViolatedGeneral** System requirement information. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemMemoryStartSync + +The DecisionSystemMemoryStartSync event indicates that a new set of DecisionSystemMemoryAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + ### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuCoresAdd This data attribute refers to the number of Cores a CPU supports. The data collected with this event is used to help keep Windows up to date. 
@@ -1243,6 +1265,34 @@ The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelAdd + +This event sends true/false compatibility decision data about the CPU. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Armv81Support** Arm v8.1 Atomics support. +- **Blocking** Appraiser decision about eligibility to upgrade. +- **CpuFamily** Cpu family. +- **CpuModel** Cpu model. +- **CpuStepping** Cpu stepping. +- **CpuVendor** Cpu vendor. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelStartSync + +The DecisionSystemProcessorCpuModelStartSync event indicates that a new set of DecisionSystemProcessorCpuModelAdd events will be sent. This event is used to make compatibility decisions about the CPU. Microsoft uses this information to understand and address problems regarding the CPU for computers receiving updates. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + ### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuSpeedAdd This event sends compatibility decision data about the CPU, to help keep Windows up to date. 
@@ -4796,6 +4846,29 @@ The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. +### Microsoft.Windows.Inventory.Core.InventoryDeviceSensorAdd + +This event sends basic metadata about sensor devices on a machine. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **Manufacturer** Sensor manufacturer. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceSensorStartSync + +This event indicates that a new set of InventoryDeviceSensor events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + ### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd This event sends basic metadata about the USB hubs on the device. The data collected with this event is used to keep Windows performing properly. 
@@ -5128,7 +5201,7 @@ The following fields are available: - **FirmwareResetReasonPch** Reason for system reset provided by firmware. - **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. - **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. -- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See IO. +- **IO** Amount of data written to and read from the disk by the OS Loader during boot. - **LastBootSucceeded** Flag indicating whether the last boot was successful. - **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. - **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. @@ -6940,6 +7013,8 @@ The following fields are available: - **pszBatteryDataXml** Battery performance data. - **szBatteryInfo** Battery performance data. + + ## System Resource Usage Monitor events ### Microsoft.Windows.Srum.Sdp.CpuUsage @@ -7772,7 +7847,7 @@ The following fields are available: - **DPRange** Maximum mean value range. - **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. -- **Value** Standard UTC emitted DP value structure See Value. +- **Value** Standard UTC emitted DP value structure. ## Windows Store events 
@@ -8161,7 +8236,7 @@ The following fields are available: ### Microsoft.Windows.Kits.WSK.WskImageCreate -This event sends simple data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. The data collected with this event is used to keep Windows performing properly. +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. The data collected with this event is used to keep Windows performing properly. The following fields are available: @@ -8176,7 +8251,7 @@ The following fields are available: ### Microsoft.Windows.Kits.WSK.WskImageCustomization -This event sends simple data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. The data collected with this event is used to keep Windows performing properly. +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. The data collected with this event is used to keep Windows performing properly. The following fields are available: 
@@ -9596,6 +9671,21 @@ The following fields are available: - **PackageVersion** Current package version of remediation. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **ControlId** String identifying the control (if any) that was selected by the user during presentation. +- **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign. +- **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign. +- **InteractionCampaignID** The ID of the interaction campaign that was processed. +- **ResultId** The result of the evaluation/presentation. +- **WasCompleted** True if the interaction campaign is complete. +- **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user. + + ### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. 
@@ -9627,6 +9717,72 @@ This event is sent when RUXIM begins checking with OneSettings to retrieve any U +### Microsoft.Windows.WindowsUpdate.RUXIM.IHBeginPresentation + +This event is generated when RUXIM is about to present an interaction campaign to the user. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying interaction campaign being presented. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHEndPresentation + +This event is generated when Interaction Handler completes presenting an interaction campaign to the user. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **hrPresentation** Error, if any, occurring during the presentation. +- **InteractionCampaignID** GUID identifying the interaction campaign being presented. +- **ResultId** Result generated by the presentation. +- **WasCompleted** True if the interaction campaign is now considered complete. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent + +This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **hrLocal** The error (if any) encountered by RUXIM Interaction Handler during evaluation and presentation. +- **hrPresentation** The error (if any) reported by RUXIM Presentation Handler during presentation. +- **InteractionCampaignID** GUID; the user interaction campaign processed by RUXIM Interaction Handler. +- **ResultId** The result generated by the evaluation and presentation. +- **WasCompleted** True if the user interaction campaign is complete. +- **WasPresented** True if the user interaction campaign is displayed to the user. 
+ + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHLaunch + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMIH. +- **InteractionCampaignID** GUID identifying the user interaction campaign that the Interaction Handler will process. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.SystemEvaluator.Evaluation + +This event is generated whenever the RUXIM Evaluator DLL performs an evaluation. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **HRESULT** Error, if any, that occurred during evaluation. (Note that if errors encountered during individual checks do not affect the overall result of the evaluation, those errors will be reported in NodeEvaluationData, but this HRESULT will still be zero.) +- **Id** GUID passed in by the caller to identify the evaluation. +- **NodeEvaluationData** Structure showing the results of individual checks that occurred during the overall evaluation. +- **Result** Overall result generated by the evaluation. + + ## Windows Update mitigation events ### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 23b3637f84..7cd176eb53 100644 
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/29/2021 +ms.date: --- @@ -38,7 +38,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) 
@@ -276,6 +277,8 @@ The following fields are available:
 - **DatasourceApplicationFile_20H1Setup** The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_21H1** The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_21H1Setup** The total number of objects of this type present on this device.
+- **DatasourceApplicationFile_21H2** The total number of objects of this type present on this device.
+- **DatasourceApplicationFile_21H2Setup** The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device.
@@ -289,6 +292,8 @@ The following fields are available:
 - **DatasourceDevicePnp_20H1Setup** The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_21H1** The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_21H1Setup** The total number of objects of this type present on this device.
+- **DatasourceDevicePnp_21H2** The total number of objects of this type present on this device.
+- **DatasourceDevicePnp_21H2Setup** The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_RS1** The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device.
@@ -305,6 +310,8 @@ The following fields are available:
 - **DatasourceDriverPackage_20H1Setup** The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_21H1** The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_21H1Setup** The total number of objects of this type present on this device.
+- **DatasourceDriverPackage_21H2** The total number of objects of this type present on this device.
+- **DatasourceDriverPackage_21H2Setup** The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device.
@@ -321,6 +328,8 @@ The following fields are available:
 - **DataSourceMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_21H1** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoBlock_21H2** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device.
@@ -334,6 +343,8 @@ The following fields are available:
 - **DataSourceMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_21H1** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoPassive_21H2** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device.
@@ -347,6 +358,8 @@ The following fields are available:
 - **DataSourceMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device.
@@ -361,6 +374,8 @@ The following fields are available:
 - **DatasourceSystemBios_20H1Setup** The total number of objects of this type present on this device.
 - **DatasourceSystemBios_21H1** The total number of objects of this type present on this device.
 - **DatasourceSystemBios_21H1Setup** The total number of objects of this type present on this device.
+- **DatasourceSystemBios_21H2** The total number of objects of this type present on this device.
+- **DatasourceSystemBios_21H2Setup** The total number of objects of this type present on this device.
 - **DatasourceSystemBios_RS1** The total number of objects of this type present on this device.
 - **DatasourceSystemBios_RS2** The total number of objects of this type present on this device.
 - **DatasourceSystemBios_RS3** The total number of objects of this type present on this device.
@@ -377,6 +392,8 @@ The following fields are available:
 - **DecisionApplicationFile_20H1Setup** The total number of objects of this type present on this device.
 - **DecisionApplicationFile_21H1** The total number of objects of this type present on this device.
 - **DecisionApplicationFile_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionApplicationFile_21H2** The total number of objects of this type present on this device.
+- **DecisionApplicationFile_21H2Setup** The total number of objects of this type present on this device.
 - **DecisionApplicationFile_RS1** The total number of objects of this type present on this device.
 - **DecisionApplicationFile_RS2** The total number of objects of this type present on this device.
 - **DecisionApplicationFile_RS3** The total number of objects of this type present on this device.
@@ -390,6 +407,8 @@ The following fields are available:
 - **DecisionDevicePnp_20H1Setup** The total number of objects of this type present on this device.
 - **DecisionDevicePnp_21H1** The total number of objects of this type present on this device.
 - **DecisionDevicePnp_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionDevicePnp_21H2** The total number of objects of this type present on this device.
+- **DecisionDevicePnp_21H2Setup** The total number of objects of this type present on this device.
 - **DecisionDevicePnp_RS1** The total number of objects of this type present on this device.
 - **DecisionDevicePnp_RS2** The total number of objects of this type present on this device.
 - **DecisionDevicePnp_RS3** The total number of objects of this type present on this device.
@@ -406,6 +425,8 @@ The following fields are available:
 - **DecisionDriverPackage_20H1Setup** The total number of objects of this type present on this device.
 - **DecisionDriverPackage_21H1** The total number of objects of this type present on this device.
 - **DecisionDriverPackage_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionDriverPackage_21H2** The total number of objects of this type present on this device.
+- **DecisionDriverPackage_21H2Setup** The total number of objects of this type present on this device.
 - **DecisionDriverPackage_RS1** The total number of objects of this type present on this device.
 - **DecisionDriverPackage_RS2** The total number of objects of this type present on this device.
 - **DecisionDriverPackage_RS3** The total number of objects of this type present on this device.
@@ -422,6 +443,8 @@ The following fields are available:
 - **DecisionMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_21H1** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoBlock_21H2** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device.
@@ -435,6 +458,8 @@ The following fields are available:
 - **DecisionMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_21H1** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoPassive_21H2** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_RS1** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device.
@@ -448,6 +473,8 @@ The following fields are available:
 - **DecisionMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device.
@@ -461,6 +488,8 @@ The following fields are available:
 - **DecisionMediaCenter_20H1Setup** The total number of objects of this type present on this device.
 - **DecisionMediaCenter_21H1** The total number of objects of this type present on this device.
 - **DecisionMediaCenter_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionMediaCenter_21H2** The total number of objects of this type present on this device.
+- **DecisionMediaCenter_21H2Setup** The total number of objects of this type present on this device.
 - **DecisionMediaCenter_RS1** The total number of objects of this type present on this device.
 - **DecisionMediaCenter_RS2** The total number of objects of this type present on this device.
 - **DecisionMediaCenter_RS3** The total number of objects of this type present on this device.
@@ -468,8 +497,19 @@ The following fields are available:
 - **DecisionMediaCenter_RS5** The total number of objects of this type present on this device.
 - **DecisionMediaCenter_TH1** The total number of objects of this type present on this device.
 - **DecisionMediaCenter_TH2** The total number of objects of this type present on this device.
+- **DecisionSModeState_19H1** The total number of objects of this type present on this device.
 - **DecisionSModeState_20H1** The total number of objects of this type present on this device.
+- **DecisionSModeState_20H1Setup** The total number of objects of this type present on this device.
 - **DecisionSModeState_21H1** The total number of objects of this type present on this device.
+- **DecisionSModeState_21H2** The total number of objects of this type present on this device.
+- **DecisionSModeState_21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSModeState_RS1** The total number of objects of this type present on this device.
+- **DecisionSModeState_RS2** The total number of objects of this type present on this device.
+- **DecisionSModeState_RS3** The total number of objects of this type present on this device.
+- **DecisionSModeState_RS4** The total number of objects of this type present on this device.
+- **DecisionSModeState_RS5** The total number of objects of this type present on this device.
+- **DecisionSModeState_TH1** The total number of objects of this type present on this device.
+- **DecisionSModeState_TH2** The total number of objects of this type present on this device.
 - **DecisionSystemBios_19ASetup** The total number of objects of this type present on this device.
 - **DecisionSystemBios_19H1** The total number of objects of this type present on this device.
 - **DecisionSystemBios_19H1Setup** The total number of objects of this type present on this device.
@@ -477,6 +517,8 @@ The following fields are available:
 - **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device.
 - **DecisionSystemBios_21H1** The total number of objects of this type present on this device.
 - **DecisionSystemBios_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionSystemBios_21H2** The total number of objects of this type present on this device.
+- **DecisionSystemBios_21H2Setup** The total number of objects of this type present on this device.
 - **DecisionSystemBios_RS1** The total number of objects of this type present on this device.
 - **DecisionSystemBios_RS2** The total number of objects of this type present on this device.
 - **DecisionSystemBios_RS3** The total number of objects of this type present on this device.
@@ -487,22 +529,79 @@ The following fields are available:
 - **DecisionSystemBios_RS5Setup** The total number of objects of this type present on this device.
 - **DecisionSystemBios_TH1** The total number of objects of this type present on this device.
 - **DecisionSystemBios_TH2** The total number of objects of this type present on this device.
+- **DecisionSystemDiskSize_19H1** The total number of objects of this type present on this device.
 - **DecisionSystemDiskSize_20H1** The total number of objects of this type present on this device.
+- **DecisionSystemDiskSize_20H1Setup** The total number of objects of this type present on this device.
 - **DecisionSystemDiskSize_21H1** The total number of objects of this type present on this device.
+- **DecisionSystemDiskSize_21H2** The total number of objects of this type present on this device.
+- **DecisionSystemDiskSize_21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemDiskSize_RS1** The total number of objects of this type present on this device.
+- **DecisionSystemDiskSize_RS2** The total number of objects of this type present on this device.
+- **DecisionSystemDiskSize_RS3** The total number of objects of this type present on this device.
+- **DecisionSystemDiskSize_RS4** The total number of objects of this type present on this device.
+- **DecisionSystemDiskSize_RS5** The total number of objects of this type present on this device.
+- **DecisionSystemDiskSize_TH1** The total number of objects of this type present on this device.
+- **DecisionSystemDiskSize_TH2** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_19H1** The total number of objects of this type present on this device.
 - **DecisionSystemMemory_20H1** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_20H1Setup** The total number of objects of this type present on this device.
 - **DecisionSystemMemory_21H1** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_21H2** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_RS1** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_RS2** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_RS3** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_RS4** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_RS5** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_TH1** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_TH2** The total number of objects of this type present on this device.
 - **DecisionSystemProcessor_RS2** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_19H1** The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuCores_20H1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_20H1Setup** The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuCores_21H1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_21H2** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_RS1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_RS2** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_RS3** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_RS4** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_RS5** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_TH1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_TH2** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_19H1** The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuModel_20H1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_20H1Setup** The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuModel_21H1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_21H2** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_RS1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_RS2** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_RS3** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_RS4** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_RS5** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_TH1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_TH2** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_19H1** The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuSpeed_20H1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_20H1Setup** The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuSpeed_21H1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_21H2** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_RS1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_RS2** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_RS3** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_RS4** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_RS5** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_TH1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_TH2** The total number of objects of this type present on this device.
 - **DecisionTest_19H1** The total number of objects of this type present on this device.
 - **DecisionTest_20H1** The total number of objects of this type present on this device.
 - **DecisionTest_20H1Setup** The total number of objects of this type present on this device.
 - **DecisionTest_21H1** The total number of objects of this type present on this device.
 - **DecisionTest_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionTest_21H2** The total number of objects of this type present on this device.
+- **DecisionTest_21H2Setup** The total number of objects of this type present on this device.
 - **DecisionTest_RS1** The total number of objects of this type present on this device.
 - **DecisionTest_RS2** The total number of objects of this type present on this device.
 - **DecisionTest_RS3** The total number of objects of this type present on this device.
@@ -510,10 +609,32 @@ The following fields are available:
 - **DecisionTest_RS5** The total number of objects of this type present on this device.
 - **DecisionTest_TH1** The total number of objects of this type present on this device.
 - **DecisionTest_TH2** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_19H1** The total number of objects of this type present on this device.
 - **DecisionTpmVersion_20H1** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_20H1Setup** The total number of objects of this type present on this device.
 - **DecisionTpmVersion_21H1** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_21H2** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_21H2Setup** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_RS1** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_RS2** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_RS3** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_RS4** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_RS5** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_TH1** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_TH2** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_19H1** The total number of objects of this type present on this device.
 - **DecisionUefiSecureBoot_20H1** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_20H1Setup** The total number of objects of this type present on this device.
 - **DecisionUefiSecureBoot_21H1** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_21H2** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_21H2Setup** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_RS1** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_RS2** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_RS3** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_RS4** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_RS5** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_TH1** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_TH2** The total number of objects of this type present on this device.
 - **InventoryApplicationFile** The total number of objects of this type present on this device.
 - **InventoryDeviceContainer** The total number of objects of this type present on this device.
 - **InventoryDevicePnp** The total number of objects of this type present on this device.
@@ -543,6 +664,8 @@ The following fields are available:
 - **Wmdrm_20H1Setup** The total number of objects of this type present on this device.
 - **Wmdrm_21H1** The total number of objects of this type present on this device.
 - **Wmdrm_21H1Setup** The total number of objects of this type present on this device.
+- **Wmdrm_21H2** The total number of objects of this type present on this device.
+- **Wmdrm_21H2Setup** The total number of objects of this type present on this device.
 - **Wmdrm_RS1** The total number of objects of this type present on this device.
 - **Wmdrm_RS2** The total number of objects of this type present on this device.
 - **Wmdrm_RS3** The total number of objects of this type present on this device.
@@ -1173,6 +1296,31 @@ The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. +### Microsoft.Windows.Appraiser.General.DecisionSystemMemoryAdd + +This event sends compatibility decision data about the system memory to help keep Windows up to date. Microsoft uses this information to understand and address problems regarding system memory for computers receiving updates. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Blocking information. +- **MemoryRequirementViolated** Memory information. +- **ramKB** Memory information in KB. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemMemoryStartSync + +The DecisionSystemMemoryStartSync event indicates that a new set of DecisionSystemMemoryAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + ### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuCoresAdd This data attribute refers to the number of Cores a CPU supports. The data collected with this event is used to help keep Windows up to date. @@ -1212,6 +1360,8 @@ The following fields are available: - **CpuModel** Cpu model. - **CpuStepping** Cpu stepping. - **CpuVendor** Cpu vendor. +- **PlatformId** CPU platform identifier. +- **SysReqOverride** Appraiser decision about system requirements override. ### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelStartSync 
@@ -1294,6 +1444,7 @@ The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. - **Blocking** Appraiser upgradeability decision based on the device's TPM support. +- **SysReqOverride** Appraiser decision about system requirements override. - **TpmVersionInfo** The version of Trusted Platform Module (TPM) technology in the device. @@ -1534,7 +1685,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryTestAdd -This event provides diagnostic data for testing event adds. +This event provides diagnostic data for testing event adds to help keep windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -2422,6 +2573,7 @@ The following fields are available: - **ProcessorManufacturer** Name of the processor manufacturer. - **ProcessorModel** Name of the processor model. - **ProcessorPhysicalCores** Number of physical cores in the processor. +- **ProcessorPlatformSpecificField1** Registry value HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0, @Platform Specific Field 1. Platform Specific Field 1 of the Processor. Each vendor (e.g. Intel) defines the meaning differently. On Intel this is used to differentiate processors of the same generation, (e.g. Kaby Lake, KBL-G, KBL-H, KBL-R). - **ProcessorUpdateRevision** The microcode revision. - **ProcessorUpdateStatus** Enum value that represents the processor microcode load status - **SocketCount** Count of CPU sockets. 
@@ -3193,6 +3345,7 @@ The following fields are available: - **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. - **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. - **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **IsProcessorMode** True if it is Processor Mode, false otherwise. - **PreviousPermissions** Bitmask of previous telemetry state. - **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. @@ -3734,6 +3887,19 @@ The following fields are available: - **CV_new** New correlation vector. +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess + +This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + ### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. The data collected with this event is used to help keep Windows secure and up to date. 
@@ -3748,6 +3914,19 @@ The following fields are available: - **hResult** HRESULT of the failure. +### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess + +This event indicates that the Handler Commit call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run.run +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. + + ### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabAlreadyDownloaded This event indicates that the Handler Download and Extract cab returned a value indicating that the cab has already been downloaded. The data collected with this event is used to help keep Windows secure and up to date. @@ -4108,6 +4287,7 @@ The following fields are available: - **DriverInfSectionName** Name of the DDInstall section within the driver INF file. - **DriverPackageId** The ID of the driver package that is staged to the driver store. - **DriverProvider** The driver manufacturer or provider. +- **DriverShimIds** List of driver shim IDs. - **DriverUpdated** Indicates whether the driver is replacing an old driver. - **DriverVersion** The version of the driver file. - **EndTime** The time the installation completed. 
@@ -4171,9 +4351,11 @@ The following fields are available: - **DeviceInstanceId** The unique identifier of the device in the system. - **FirstInstallDate** The first time a driver was installed on this device. +- **InstallFlags** Flag indicating how driver setup was called. - **LastDriverDate** Date of the driver that is being replaced. - **LastDriverInbox** Indicates whether the previous driver was included with Windows. - **LastDriverInfName** Name of the INF file (the setup information file) of the driver being replaced. +- **LastDriverPackageId** ID of the driver package installed on the device before the current install operation began. ID contains the name + architecture + hash. - **LastDriverVersion** The version of the driver that is being replaced. - **LastFirmwareDate** The date of the last firmware reported from the EFI System Resource Table (ESRT). - **LastFirmwareRevision** The last firmware revision number reported from EFI System Resource Table (ESRT). 
@@ -4475,43 +4657,43 @@ This event captures basic checksum data about the device inventory items stored The following fields are available: -- **Device** A count of device objects in the cache. -- **DeviceCensus** A count of device census objects in the cache. -- **DriverPackageExtended** A count of driverpackageextended objects in the cache. -- **File** A count of file objects in the cache. -- **FileSigningInfo** A count of file signing objects in the cache. -- **Generic** A count of generic objects in the cache. -- **HwItem** A count of hwitem objects in the cache. -- **InventoryAcpiPhatHealthRecord** A count of ACPI PHAT health record objects in the cache. -- **InventoryAcpiPhatVersionElement** A count of ACPI PHAT version element objects in the cache. -- **InventoryApplication** A count of application objects in the cache. -- **InventoryApplicationAppV** A count of application AppV objects in the cache. -- **InventoryApplicationDriver** A count of application driver objects in the cache -- **InventoryApplicationFile** A count of application file objects in the cache. -- **InventoryApplicationFramework** A count of application framework objects in the cache -- **InventoryApplicationShortcut** A count of application shortcut objects in the cache -- **InventoryDeviceContainer** A count of device container objects in the cache. -- **InventoryDeviceInterface** A count of Plug and Play device interface objects in the cache. -- **InventoryDeviceMediaClass** A count of device media objects in the cache. -- **InventoryDevicePnp** A count of device Plug and Play objects in the cache. -- **InventoryDeviceSensor** A count of device sensor objects in the cache. -- **InventoryDeviceUsbHubClass** A count of device usb objects in the cache -- **InventoryDriverBinary** A count of driver binary objects in the cache. -- **InventoryDriverPackage** A count of device objects in the cache. 
-- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in the cache -- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in the cache. -- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in the cache. -- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in the cache. -- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in the cache. -- **InventoryMiscellaneousOfficeProducts** A count of office products objects in the cache. -- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in the cache. -- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in the cache. -- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in the cache. -- **InventoryMiscellaneousUUPInfo** A count of uup info objects in the cache. -- **InventoryVersion** The version of the inventory components. -- **Metadata** A count of metadata objects in the cache. -- **Orphan** A count of orphan file objects in the cache. -- **Programs** A count of program objects in the cache. +- **Device** A count of device objects in cache. +- **DeviceCensus** A count of device census objects in cache. +- **DriverPackageExtended** A count of driverpackageextended objects in cache. +- **File** A count of file objects in cache. +- **FileSigningInfo** A count of file signing objects in cache. +- **Generic** A count of generic objects in cache. +- **HwItem** A count of hwitem objects in cache. +- **InventoryAcpiPhatHealthRecord** A count of ACPI PHAT health records in cache. +- **InventoryAcpiPhatVersionElement** A count of ACPI PHAT version elements in cache. +- **InventoryApplication** A count of application objects in cache. +- **InventoryApplicationAppV** A count of application AppV objects in cache. +- **InventoryApplicationDriver** A count of application driver objects in cache. 
+- **InventoryApplicationFile** A count of application file objects in cache. +- **InventoryApplicationFramework** A count of application framework objects in cache. +- **InventoryApplicationShortcut** A count of application shortcut objects in cache. +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. +- **InventoryDeviceMediaClass** A count of device media objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDeviceSensor** A count of device sensors in cache. +- **InventoryDeviceUsbHubClass** A count of device usb objects in cache +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. +- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache +- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. +- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache. +- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache. +- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache. +- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache. +- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache. +- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache. +- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache. +- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache. +- **InventoryVersion** The version of the inventory binary generating the events. +- **Metadata** A count of metadata objects in cache. +- **Orphan** A count of orphan file objects in cache. +- **Programs** A count of program objects in cache. 
### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions @@ -4550,6 +4732,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: +- **AndroidPackageId** A unique identifier for an Android app. - **HiddenArp** Indicates whether a program hides itself from showing up in ARP. - **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). - **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 @@ -4821,7 +5004,7 @@ The following fields are available: - **HWID** The version of the driver loaded for the device. - **Inf** The bus that enumerated the device. - **InstallDate** The date of the most recent installation of the device on the machine. -- **InstallState** The device installation state. For a list of values, see: [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx) +- **InstallState** The device installation state. For a list of values, see [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx). - **InventoryVersion** List of hardware ids for the device. - **LowerClassFilters** Lower filter class drivers IDs installed for the device - **LowerFilters** Lower filter drivers IDs installed for the device 
@@ -5326,9 +5509,10 @@ The following fields are available: - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event, where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. 
See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. 
@@ -5351,15 +5535,17 @@ The following fields are available: - **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. - **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. - **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **AppSessionGuid** An identifier of a particular application session starting at process creation time and persisting until process end. - **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **Channel** An integer indicating the channel of the installation (Canary or Dev). - **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. - **container_client_id** The client ID of the container, if in WDAG mode. 
This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. 
- **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. 
@@ -5391,9 +5577,10 @@ The following fields are available: - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. - **container_localId** If the device is using Windows Defender Application Guard, this is the Software Quality Metrics (SQM) ID of the container. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. 
- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. 
@@ -5423,9 +5610,10 @@ The following fields are available: - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. 
See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. 
@@ -5456,10 +5644,13 @@ The following fields are available: - **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited. - **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value is not known. Please see the wiki for additional information. Default: '-2'. - **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client should not transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''. +- **appInstallTime** The product install time in seconds. '0' if unknown. Default: '-1'. - **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'. - **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''. 
+- **appLastLaunchTime** The time when browser was last launched. - **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'. - **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'. +- **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event was not completed before OOBE finishes; -1 means the field does not apply. - **appPingEventDownloadMetricsCdnCCC** ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US. - **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2. - **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. 
@@ -5476,9 +5667,11 @@ The following fields are available: - **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'. - **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'. - **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'. +- **appPingEventPackageCacheResult** Indicates whether there is an existing package cached in the system to update or install. 1 means that there's a cache hit under the expected key; 2 means there's a cache hit under a different key; 0 means that there's a cache miss; -1 means the field does not apply. - **appPingEventSequenceId** An id that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event. - **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a "urls" tag. - **appPingEventUpdateCheckTimeMs** For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'. +- **appReferralHash** The hash of the referral code used to install the product. '0' if unknown. Default: '0'. - **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not. 
- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server should not return an update instruction to a version number that does not match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''. - **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''. 
@@ -5537,9 +5730,10 @@ The following fields are available:
 - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth.
 - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode.
 - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
+- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set.
 - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
 - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
-- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy.
+- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
 - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
 - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
 - **installSourceName** A string representation of the installation source.
@@ -5753,27 +5947,6 @@ The following fields are available: - **ModelName** Windows Mixed Reality device model name. - **SerialNumber** Windows Mixed Reality device serial number. - -## OneDrive events - -### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation - -This event is related to the OS version when the OS is upgraded with OneDrive installed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. - -The following fields are available: - -- **CurrentOneDriveVersion** The current version of OneDrive. -- **CurrentOSBuildBranch** The current branch of the operating system. -- **CurrentOSBuildNumber** The current build number of the operating system. -- **CurrentOSVersion** The current version of the operating system. -- **HResult** The HResult of the operation. -- **SourceOSBuildBranch** The source branch of the operating system. -- **SourceOSBuildNumber** The source build number of the operating system. -- **SourceOSVersion** The source version of the operating system. - - -## ONNX runtime events - ### Microsoft.ML.ONNXRuntime.ProcessInfo This event collects information when an application loads ONNXRuntime.dll. The data collected with this event is used to keep Windows product and service performing properly. 
@@ -5798,6 +5971,23 @@ The following fields are available: - **totalRunDuration** Total running/evaluation time from last time. - **totalRuns** Total number of running/evaluation from last time. +## OneDrive events + +### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation + +This event is related to the OS version when the OS is upgraded with OneDrive installed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **CurrentOneDriveVersion** The current version of OneDrive. +- **CurrentOSBuildBranch** The current branch of the operating system. +- **CurrentOSBuildNumber** The current build number of the operating system. +- **CurrentOSVersion** The current version of the operating system. +- **HResult** The HResult of the operation. +- **SourceOSBuildBranch** The source branch of the operating system. +- **SourceOSBuildNumber** The source build number of the operating system. +- **SourceOSVersion** The source version of the operating system. + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted 
@@ -5826,7 +6016,386 @@ The following fields are available: - **userRegionCode** The current user's region setting -## Quality Update Assistant events +## Update Assistant events + +### Microsoft.Windows.UpdateHealthTools.ExpediteBlocked + +This event indicates that an update detection has occurred and the targeted install has been blocked. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **ExpeditePolicyId** The policy id of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** An Update Id of the LCU expected to be expedited +- **ExpediteUpdatesInProgress** A list of update IDs in progress. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version of the label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteCompleted + +This event indicates that the update has been completed. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **ExpeditePolicyId** The policy Id of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** The Update Id of the LCU expected to be expedited. +- **ExpediteUpdatesInProgress** The list of update IDs in progress. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version of the label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteDetectionStarted + +This event indicates that the detection phase of USO has started. 
The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpeditePolicyId** The policy ID of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdatesInProgress** List of update IDs in progress. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteDownloadStarted + +This event indicates that the download phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **ExpeditePolicyId** The policy Id of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. +- **ExpediteUpdatesInProgress** A list of update IDs in progress. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteInstallStarted + +This event indicates that the install phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpeditePolicyId** The policy ID of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdatesInProgress** List of update IDs in progress. 
+- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterAlreadyExpectedUbr + +This event indicates that the device is already on the expected UBR. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpediteErrorBitMap** Bit map value for any error code. +- **ExpeditePolicyId** The policy id of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteUpdaterCurrentUbr** The ubr of the device. +- **ExpediteUpdaterExpectedUbr** The expected ubr of the device. +- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. +- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterFailedToUpdateToExpectedUbr + +This event indicates the expected UBR of the device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpediteErrorBitMap** Bit map value for any error code. +- **ExpeditePolicyId** The policy ID of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. 
+ + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterRebootComplete + +This event indicates that the expedite update is completed with reboot. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpeditePolicyId** The policy id of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteUpdaterCurrentUbr** The ubr of the device. +- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. +- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore. +- **ExpediteUpdatesInProgress** Comma delimited list of updates in progress. +- **ExpediteUsoCorrelationVector** The current USO correlation vector as surfaced from the USO store. +- **ExpediteUsoLastError** The last error as surfaced from the USO store. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterRebootRequired + +This event indicates that the device has finished servicing and a reboot is required. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpeditePolicyId** The policy ID of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdatesInProgress** Comma delimited list of update IDs currently being offered. +- **ExpediteUsoCorrelationVector** The correlation vector from the USO session. +- **ExpediteUsoLastError** Last HResult from the current USO session. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of UpdateHealthTools. 
+ + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterScanCompleted + +This event sends results of the expedite USO scan. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpediteCbsServicingInProgressStatus** True if servicing is in progress in cbs for the device. +- **ExpediteErrorBitMap** Bit map value for any error code. +- **ExpeditePolicyId** The policy ID of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteScheduledTaskCreated** Indicates whether the scheduled task was created (true/false). +- **ExpediteScheduledTaskHresult** HRESULT for scheduled task creation. +- **ExpediteUpdaterCurrentUbr** The UBR of the device. +- **ExpediteUpdaterExpectedUbr** The expected UBR of the device. +- **ExpediteUpdaterMonitorResult** HRESULT of the USO monitoring. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdaterScanResult** HRESULT of the expedite USO scan. +- **ExpediteUpdaterUsoResult** HRESULT of the USO initialization and resume API calls. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. +- **UsoFrequencyKey** Indicates whether the USO frequency key was found on the device (true/false). + + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterScanStarted + +This event sends telemetry that USO scan has been started. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpediteErrorBitMap** Bit map value for any error code. 
+- **ExpediteHoursOfUpTimeSincePolicy** The number of hours the device has been active since it received a policy. +- **ExpeditePolicyId** The policy Id of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteUpdaterCurrentUbr** The UBR of the device. +- **ExpediteUpdaterExpectedUbr** The expected UBR of the device. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdaterUsoIntiatedScan** True when USO scan has been called. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. +- **UsoFrequencyKey** Indicates whether the USO frequency key was found on the device (true/false). + + +### Microsoft.Windows.UpdateHealthTools.UnifiedInstallerEnd + +This event indicates that the unified installer has completed. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** The event counter for telemetry events on the device for currency tools. +- **PackageVersion** The package version label for currency tools. +- **UnifiedInstallerInstallResult** The final result code for the unified installer. +- **UnifiedInstallerPlatformResult** The result code from determination of the platform type. +- **UnifiedInstallerPlatformType** The enum indicating the platform type. + + +### Microsoft.Windows.UpdateHealthTools.UnifiedInstallerStart + +This event indicates that the installation has started for the unified installer. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** Counts the events at the global level for telemetry. 
+- **PackageVersion** The package version for currency tools. +- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is AAD joined. +- **UnifiedInstallerDeviceInDssPolicy** Boolean indicating whether the device is found to be in a DSS policy. +- **UnifiedInstallerDeviceInDssPolicyHresult** The result code for checking whether the device is found to be in a DSS policy. +- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is AADJ. +- **UnifiedInstallerDeviceIsAdJoined** Boolean indicating whether a device is AD joined. +- **UnifiedInstallerDeviceIsAdJoinedHresult** The result code for checking whether a device is AD joined. +- **UnifiedInstallerDeviceIsEducationSku** Boolean indicating whether a device is Education SKU. +- **UnifiedInstallerDeviceIsEducationSkuHresult** The result code from checking whether a device is Education SKU. +- **UnifiedInstallerDeviceIsEnterpriseSku** Boolean indicating whether a device is Enterprise SKU. +- **UnifiedInstallerDeviceIsEnterpriseSkuHresult** The result code from checking whether a device is Enterprise SKU. +- **UnifiedInstallerDeviceIsHomeSku** Boolean indicating whether a device is Home SKU. +- **UnifiedInstallerDeviceIsHomeSkuHresult** The result code from checking whether device is Home SKU. +- **UnifiedInstallerDeviceIsMdmManaged** Boolean indicating whether a device is MDM managed. +- **UnifiedInstallerDeviceIsMdmManagedHresult** The result code from checking whether a device is MDM managed. +- **UnifiedInstallerDeviceIsProSku** Boolean indicating whether a device is Pro SKU. +- **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. +- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed. +- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed. 
+- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed. +- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed. +- **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. +- **UnifiedInstallerPlatformType** The enum indicating the type of platform detected. +- **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsBlobNotificationRetrieved + +This event is sent when a blob notification is received. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version of the label. +- **UpdateHealthToolsBlobNotificationNotEmpty** True if the blob notification is not empty. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploaded + +This event is received when the UpdateHealthTools service uploads device information. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of remediation. +- **UpdateHealthToolsDeviceUbrChanged** 1 if the Ubr just changed, 0 otherwise. +- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploadFailed + +This event provides information for device which failed to upload the details. The data collected with this event is used to help keep Windows secure and up to date. 
+ +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Telemetry event counter. +- **PackageVersion** Version label of the package sending telemetry. +- **UpdateHealthToolsEnterpriseActionResult** Result of running the tool expressed as an HRESULT. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationCompleted + +This event is received when a push notification has been completed by the UpdateHealthTools service. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of UpdateHealthTools. +- **UpdateHealthToolsEnterpriseActionResult** The HRESULT return by the enterprise action. +- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationReceived + +This event is received when the UpdateHealthTools service receives a push notification. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of UpdateHealthTools. +- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. +- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. +- **UpdateHealthToolsPushCurrentChannel** The channel used to receive notification. +- **UpdateHealthToolsPushCurrentRequestId** The request ID for the push. +- **UpdateHealthToolsPushCurrentResults** The results from the push request. 
+- **UpdateHealthToolsPushCurrentStep** The current step for the push notification. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationStatus + +This event is received when there is status on a push notification. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of UpdateHealthTools. +- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. +- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. +- **UpdateHealthToolsPushCurrentRequestId** The request ID for the push. +- **UpdateHealthToolsPushCurrentResults** The results from the push request. +- **UpdateHealthToolsPushCurrentStep** The current step for the push notification + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlobDocumentDetails + +The event indicates the details about the blob used for update health tools. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **GlobalEventCounter** This is a client side counter which indicates ordering of events sent by the user. +- **PackageVersion** The package version of the label. +- **UpdateHealthToolsDevicePolicyFileName** The default name of the policy blob file. +- **UpdateHealthToolsDssDeviceApiSegment** The URI segment for reading the DSS device pointer. +- **UpdateHealthToolsDssDeviceId** The AAD ID of the device used to create the device ID hash. +- **UpdateHealthToolsDssDevicePolicyApiSegment** The segment of the device policy API pointer. +- **UpdateHealthToolsDssTenantId** The tenant id of the device used to create the tenant id hash. 
+- **UpdateHealthToolsHashedDeviceId** The SHA256 hash of the device id. +- **UpdateHealthToolsHashedTenantId** The SHA256 hash of the device tenant id. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoDSSJoin + +The event is sent when the device is not joined to AAD. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** The global event counter counts the total events for the provider. +- **PackageVersion** The version for the current package. +- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for WUFB cloud membership. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin + +This event is sent when a device has been detected as DSS device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **GlobalEventCounter** This is a client side counter which indicates ordering of events sent by this user. +- **PackageVersion** The package version of the label. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceStarted + +This event is sent when the service first starts. It is a heartbeat indicating that the service is available on the device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of remediation. ### Microsoft.Windows.QualityUpdateAssistant.Applicability 
@@ -6487,6 +7056,17 @@ The following fields are available: ## Surface events +### Microsoft.Surface.Health.Binary.Prod.McuHealthLog + +This event collects information to keep track of health indicator of the built-in micro controller. For example, the number of abnormal shutdowns due to power issues during boot sequence, type of display panel attached to base, thermal indicator, throttling data in hardware etc. The data collected with this event is used to help keep Windows secure and performing properly. + +The following fields are available: + +- **CUtility::GetTargetNameA(Target)** Sub component name. +- **HealthLog** Health indicator log. +- **healthLogSize** 4KB. +- **productId** Identifier for product model. + ### Microsoft.Surface.Battery.Prod.BatteryInfoEvent This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. @@ -6501,19 +7081,6 @@ The following fields are available: - **pszBatteryDataXml** Battery performance data. - **szBatteryInfo** Battery performance data. - -### Microsoft.Surface.Health.Binary.Prod.McuHealthLog - -This event collects information to keep track of health indicator of the built-in micro controller. For example, the number of abnormal shutdowns due to power issues during boot sequence, type of display panel attached to base, thermal indicator, throttling data in hardware etc. The data collected with this event is used to help keep Windows secure and performing properly. - -The following fields are available: - -- **CUtility::GetTargetNameA(Target)** Sub component name. -- **HealthLog** Health indicator log. -- **healthLogSize** 4KB. -- **productId** Identifier for product model. - - ## System reset events ### Microsoft.Windows.SysReset.FlightUninstallCancel 
@@ -6899,7 +7466,7 @@ The following fields are available: - **ScenarioId** Indicates the update scenario. - **SessionId** Unique value for each update attempt. - **UpdateId** Unique ID for each update. -- **Version** Version of update. +- **Version** Version of update ### Update360Telemetry.UpdateAgentOneSettings @@ -9032,6 +9599,7 @@ The following fields are available: - **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign. - **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign. - **InteractionCampaignID** The ID of the interaction campaign that was processed. +- **LanguageCode** The language used to display the interaction campaign. - **ResultId** The result of the evaluation/presentation. - **WasCompleted** True if the interaction campaign is complete. - **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user. @@ -9058,6 +9626,7 @@ This event is sent when RUXIM completes checking with OneSettings to retrieve an The following fields are available: +- **ETagValue** eTag for sync. - **hrInitialize** Error, if any, that occurred while initializing OneSettings. - **hrQuery** Error, if any, that occurred while retrieving UX interaction campaign data from OneSettings. 
@@ -9068,6 +9637,27 @@ This event is sent when RUXIM begins checking with OneSettings to retrieve any U +### Microsoft.Windows.WindowsUpdate.RUXIM.IHBeginPresentation + +This event is generated when RUXIM is about to present an interaction campaign to the user. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying interaction campaign being presented. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHEndPresentation + +This event is generated when Interaction Handler completes presenting an interaction campaign to the user. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **hrPresentation** Error, if any, occurring during the presentation. +- **InteractionCampaignID** GUID identifying the interaction campaign being presented. +- **ResultId** Result generated by the presentation. +- **WasCompleted** True if the interaction campaign is now considered complete. + + ### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. 
@@ -9112,384 +9702,6 @@ The following fields are available:
 - **NodeEvaluationData** Structure showing the results of individual checks that occurred during the overall evaluation.
 - **Result** Overall result generated by the evaluation.
-### Microsoft.Windows.UpdateHealthTools.ExpediteBlocked
-
-This event indicates that an update detection has occurred and the targeted install has been blocked. The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** A correlation vector.
-- **ExpeditePolicyId** The policy id of the expedite request.
-- **ExpediteUpdaterOfferedUpdateId** An Update Id of the LCU expected to be expedited
-- **ExpediteUpdatesInProgress** A list of update IDs in progress.
-- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session.
-- **ExpediteUsoLastError** The last error returned by USO
-- **GlobalEventCounter** Counts the number of events for this provider.
-- **PackageVersion** The package version of the label.
-
-
-### Microsoft.Windows.UpdateHealthTools.ExpediteCompleted
-
-This event indicates that the update has been completed. The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** A correlation vector.
-- **ExpeditePolicyId** The policy Id of the expedite request.
-- **ExpediteUpdaterOfferedUpdateId** The Update Id of the LCU expected to be expedited.
-- **ExpediteUpdatesInProgress** The list of update IDs in progress.
-- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session.
-- **ExpediteUsoLastError** The last error returned by USO.
-- **GlobalEventCounter** Counts the number of events for this provider.
-- **PackageVersion** The package version of the label.
-
-
-### Microsoft.Windows.UpdateHealthTools.ExpediteDetectionStarted
-
-This event indicates that the detection phase of USO has started.
The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** Correlation vector.
-- **ExpeditePolicyId** The policy ID of the expedite request.
-- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited.
-- **ExpediteUpdatesInProgress** List of update IDs in progress.
-- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session.
-- **ExpediteUsoLastError** The last error returned by USO.
-- **GlobalEventCounter** Counts the number of events for this provider.
-- **PackageVersion** The package version label.
-
-
-### Microsoft.Windows.UpdateHealthTools.ExpediteDownloadStarted
-
-This event indicates that the download phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** A correlation vector.
-- **ExpeditePolicyId** The policy Id of the expedite request.
-- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited.
-- **ExpediteUpdatesInProgress** A list of update IDs in progress.
-- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session.
-- **ExpediteUsoLastError** The last error returned by USO.
-- **GlobalEventCounter** Counts the number of events for this provider.
-- **PackageVersion** The package version label.
-
-
-### Microsoft.Windows.UpdateHealthTools.ExpediteInstallStarted
-
-This event indicates that the install phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** Correlation vector.
-- **ExpeditePolicyId** The policy ID of the expedite request.
-- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited.
-- **ExpediteUpdatesInProgress** List of update IDs in progress.
-- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session.
-- **ExpediteUsoLastError** The last error returned by USO.
-- **GlobalEventCounter** Counts the number of events for this provider.
-- **PackageVersion** The package version label.
-
-
-### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterAlreadyExpectedUbr
-
-This event indicates that the device is already on the expected UBR. The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** Correlation vector.
-- **ExpediteErrorBitMap** Bit map value for any error code.
-- **ExpeditePolicyId** The policy id of the expedite request.
-- **ExpediteResult** Boolean value for success or failure.
-- **ExpediteUpdaterCurrentUbr** The ubr of the device.
-- **ExpediteUpdaterExpectedUbr** The expected ubr of the device.
-- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited.
-- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore.
-- **GlobalEventCounter** Counts the number of events for this provider.
-- **PackageVersion** The package version label.
-
-
-### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterFailedToUpdateToExpectedUbr
-
-This event indicates the expected UBR of the device. The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** Correlation vector.
-- **ExpediteErrorBitMap** Bit map value for any error code.
-- **ExpeditePolicyId** The policy ID of the expedite request.
-- **ExpediteResult** Boolean value for success or failure.
-- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited.
-- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore.
-- **GlobalEventCounter** Counts the number of events for this provider.
-- **PackageVersion** The package version label.
-
-
-### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterRebootComplete
-
-This event indicates that the expedite update is completed with reboot. The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** Correlation vector.
-- **ExpeditePolicyId** The policy id of the expedite request.
-- **ExpediteResult** Boolean value for success or failure.
-- **ExpediteUpdaterCurrentUbr** The ubr of the device.
-- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited.
-- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore.
-- **ExpediteUpdatesInProgress** Comma delimited list of updates in progress.
-- **ExpediteUsoCorrelationVector** The current USO correlation vector as surfaced from the USO store.
-- **ExpediteUsoLastError** The last error as surfaced from the USO store.
-- **GlobalEventCounter** Counts the number of events for this provider.
-- **PackageVersion** The package version label.
-
-
-### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterRebootRequired
-
-This event indicates that the device has finished servicing and a reboot is required. The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** Correlation vector.
-- **ExpeditePolicyId** The policy ID of the expedite request.
-- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited.
-- **ExpediteUpdatesInProgress** Comma delimited list of update IDs currently being offered.
-- **ExpediteUsoCorrelationVector** The correlation vector from the USO session.
-- **ExpediteUsoLastError** Last HResult from the current USO session.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
-- **PackageVersion** Current package version of UpdateHealthTools.
-
-
-### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterScanCompleted
-
-This event sends results of the expedite USO scan. The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** Correlation vector.
-- **ExpediteCbsServicingInProgressStatus** True if servicing is in progress in cbs for the device.
-- **ExpediteErrorBitMap** Bit map value for any error code.
-- **ExpeditePolicyId** The policy ID of the expedite request.
-- **ExpediteResult** Boolean value for success or failure.
-- **ExpediteScheduledTaskCreated** Indicates whether the scheduled task was created (true/false).
-- **ExpediteScheduledTaskHresult** HRESULT for scheduled task creation.
-- **ExpediteUpdaterCurrentUbr** The UBR of the device.
-- **ExpediteUpdaterExpectedUbr** The expected UBR of the device.
-- **ExpediteUpdaterMonitorResult** HRESULT of the USO monitoring.
-- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited.
-- **ExpediteUpdaterScanResult** HRESULT of the expedite USO scan.
-- **ExpediteUpdaterUsoResult** HRESULT of the USO initialization and resume API calls.
-- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session.
-- **ExpediteUsoLastError** The last error returned by USO.
-- **GlobalEventCounter** Counts the number of events for this provider.
-- **PackageVersion** The package version label.
-- **UsoFrequencyKey** Indicates whether the USO frequency key was found on the device (true/false).
-
-
-### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterScanStarted
-
-This event sends telemetry that USO scan has been started. The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** Correlation vector.
-- **ExpediteErrorBitMap** Bit map value for any error code.
-- **ExpediteHoursOfUpTimeSincePolicy** The number of hours the device has been active since it received a policy.
-- **ExpeditePolicyId** The policy Id of the expedite request.
-- **ExpediteResult** Boolean value for success or failure.
-- **ExpediteUpdaterCurrentUbr** The UBR of the device.
-- **ExpediteUpdaterExpectedUbr** The expected UBR of the device.
-- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited.
-- **ExpediteUpdaterUsoIntiatedScan** True when USO scan has been called.
-- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session.
-- **ExpediteUsoLastError** The last error returned by USO.
-- **GlobalEventCounter** Counts the number of events for this provider.
-- **PackageVersion** The package version label.
-- **UsoFrequencyKey** Indicates whether the USO frequency key was found on the device (true/false).
-
-
-### Microsoft.Windows.UpdateHealthTools.UnifiedInstallerEnd
-
-This event indicates that the unified installer has completed. The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** Correlation vector.
-- **GlobalEventCounter** The event counter for telemetry events on the device for currency tools.
-- **PackageVersion** The package version label for currency tools.
-- **UnifiedInstallerInstallResult** The final result code for the unified installer.
-- **UnifiedInstallerPlatformResult** The result code from determination of the platform type.
-- **UnifiedInstallerPlatformType** The enum indicating the platform type.
-
-
-### Microsoft.Windows.UpdateHealthTools.UnifiedInstallerStart
-
-This event indicates that the installation has started for the unified installer. The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** The correlation vector.
-- **GlobalEventCounter** Counts the events at the global level for telemetry.
-- **PackageVersion** The package version for currency tools.
-- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is AAD joined.
-- **UnifiedInstallerDeviceInDssPolicy** Boolean indicating whether the device is found to be in a DSS policy.
-- **UnifiedInstallerDeviceInDssPolicyHresult** The result code for checking whether the device is found to be in a DSS policy.
-- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is AADJ.
-- **UnifiedInstallerDeviceIsAdJoined** Boolean indicating whether a device is AD joined.
-- **UnifiedInstallerDeviceIsAdJoinedHresult** The result code for checking whether a device is AD joined.
-- **UnifiedInstallerDeviceIsEducationSku** Boolean indicating whether a device is Education SKU.
-- **UnifiedInstallerDeviceIsEducationSkuHresult** The result code from checking whether a device is Education SKU.
-- **UnifiedInstallerDeviceIsEnterpriseSku** Boolean indicating whether a device is Enterprise SKU.
-- **UnifiedInstallerDeviceIsEnterpriseSkuHresult** The result code from checking whether a device is Enterprise SKU.
-- **UnifiedInstallerDeviceIsHomeSku** Boolean indicating whether a device is Home SKU.
-- **UnifiedInstallerDeviceIsHomeSkuHresult** The result code from checking whether device is Home SKU.
-- **UnifiedInstallerDeviceIsMdmManaged** Boolean indicating whether a device is MDM managed.
-- **UnifiedInstallerDeviceIsMdmManagedHresult** The result code from checking whether a device is MDM managed.
-- **UnifiedInstallerDeviceIsProSku** Boolean indicating whether a device is Pro SKU.
-- **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU.
-- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed.
-- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed.
-- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed.
-- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed.
-- **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is.
-- **UnifiedInstallerPlatformType** The enum indicating the type of platform detected.
-- **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU.
-
-
-### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsBlobNotificationRetrieved
-
-This event is sent when a blob notification is received. The data collected with this event is used to help keep Windows up to date and secure.
-
-The following fields are available:
-
-- **CV** Correlation vector.
-- **GlobalEventCounter** Counts the number of events for this provider.
-- **PackageVersion** The package version of the label.
-- **UpdateHealthToolsBlobNotificationNotEmpty** True if the blob notification is not empty.
-
-
-### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploaded
-
-This event is received when the UpdateHealthTools service uploads device information. The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
-- **PackageVersion** Current package version of remediation.
-- **UpdateHealthToolsDeviceUbrChanged** 1 if the Ubr just changed, 0 otherwise.
-- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device.
-
-
-### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploadFailed
-
-This event provides information for device which failed to upload the details. The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** Correlation vector.
-- **GlobalEventCounter** Telemetry event counter.
-- **PackageVersion** Version label of the package sending telemetry.
-- **UpdateHealthToolsEnterpriseActionResult** Result of running the tool expressed as an HRESULT.
-
-
-### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationCompleted
-
-This event is received when a push notification has been completed by the UpdateHealthTools service. The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
-- **PackageVersion** Current package version of UpdateHealthTools.
-- **UpdateHealthToolsEnterpriseActionResult** The HRESULT return by the enterprise action.
-- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push.
-
-
-### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationReceived
-
-This event is received when the UpdateHealthTools service receives a push notification. The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
-- **PackageVersion** Current package version of UpdateHealthTools.
-- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device.
-- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push.
-- **UpdateHealthToolsPushCurrentChannel** The channel used to receive notification.
-- **UpdateHealthToolsPushCurrentRequestId** The request ID for the push.
-- **UpdateHealthToolsPushCurrentResults** The results from the push request.
-- **UpdateHealthToolsPushCurrentStep** The current step for the push notification.
-
-
-### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationStatus
-
-This event is received when there is status on a push notification. The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
-- **PackageVersion** Current package version of UpdateHealthTools.
-- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device.
-- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push.
-- **UpdateHealthToolsPushCurrentRequestId** The request ID for the push.
-- **UpdateHealthToolsPushCurrentResults** The results from the push request.
-- **UpdateHealthToolsPushCurrentStep** The current step for the push notification
-
-
-### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlobDocumentDetails
-
-The event indicates the details about the blob used for update health tools. The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** A correlation vector.
-- **GlobalEventCounter** This is a client side counter which indicates ordering of events sent by the user.
-- **PackageVersion** The package version of the label.
-- **UpdateHealthToolsDevicePolicyFileName** The default name of the policy blob file.
-- **UpdateHealthToolsDssDeviceApiSegment** The URI segment for reading the DSS device pointer.
-- **UpdateHealthToolsDssDeviceId** The AAD ID of the device used to create the device ID hash.
-- **UpdateHealthToolsDssDevicePolicyApiSegment** The segment of the device policy API pointer.
-- **UpdateHealthToolsDssTenantId** The tenant id of the device used to create the tenant id hash.
-- **UpdateHealthToolsHashedDeviceId** The SHA256 hash of the device id.
-- **UpdateHealthToolsHashedTenantId** The SHA256 hash of the device tenant id.
-
-
-### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoDSSJoin
-
-The event is sent when the device is not joined to AAD. The data collected with this event is used to help keep Windows up to date and secure.
-
-The following fields are available:
-
-- **CV** Correlation vector.
-- **GlobalEventCounter** The global event counter counts the total events for the provider.
-- **PackageVersion** The version for the current package.
-
-
-### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin
-
-This event is sent when a device has been detected as DSS device. The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** A correlation vector.
-- **GlobalEventCounter** This is a client side counter which indicates ordering of events sent by this user.
-- **PackageVersion** The package version of the label.
-
-
-### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceStarted
-
-This event is sent when the service first starts. It is a heartbeat indicating that the service is available on the device. The data collected with this event is used to help keep Windows secure and up to date.
-
-The following fields are available:
-
-- **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
-- **PackageVersion** Current package version of remediation.
-
 ### wilActivity
@@ -9712,6 +9924,7 @@ This event is sent when the Update Reserve Manager clears one of the reserves. T
 The following fields are available:
 - **FinalReserveUsedSpace** The amount of used space for the reserve after it was cleared.
+- **Flags** The context of clearing the reserves.
 - **InitialReserveUsedSpace** The amount of used space for the reserve before it was cleared.
 - **ReserveId** The ID of the reserve that needs to be cleared.
diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
index 826c5527fe..af05ed7135 100644
--- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
@@ -1,6 +1,6 @@
 ---
 title: Changes to Windows diagnostic data collection
-description: This article provides information on changes to Windows diagnostic data collection Windows 10.
+description: This article provides information on changes to Windows diagnostic data collection Windows 10 and Windows 11.
 keywords: privacy, diagnostic data
 ms.prod: w10
 ms.mktglfcycl: manage
@@ -13,34 +13,32 @@ author: dansimp manager: dansimp ms.collection: M365-security-compliance ms.topic: article -ms.date: 07/21/2020 +ms.date: 10/04/2021 --- # Changes to Windows diagnostic data collection **Applies to** -- Windows 10, version 1903 and newer -- The next version of Windows Server +- Windows 11 +- Windows 10, version 1903 and later +- Windows Server 2022 -Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. As part of this effort, we are moving our major products and services to a model where data sent back to Microsoft from customer devices will be classified as either **Required** or **Optional**. We believe this will provide our customers with a simpler experience – information should be easier to find, easier to understand, and easier to act upon through the tools we provide. +Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. As part of this effort, we have moved our major products and services to a model where data sent back to Microsoft from customer devices will be classified as either **Required** or **Optional**. We believe this will provide our customers with a simpler experience – information should be easier to find, easier to understand, and easier to act upon through the tools we provide. This article is meant for IT administrators and explains the changes Windows is making to align to the new data collection taxonomy. These changes are focused in two areas: - [Taxonomy changes](#taxonomy-changes) - [Behavioral changes](#behavioral-changes) -> [!NOTE] -> You can test the behavioral changes now in Windows 10 Insider Preview build 19577 and later. - ## Summary of changes -In Windows 10, version 1903 and newer, you will see taxonomy updates in both the **Out-of-box-experience** (OOBE) and the **Diagnostics & feedback** privacy settings page. 
These changes are explained in the section named **Taxonomy** changes. +In Windows 10, version 1903 and later, you will see taxonomy updates in both the **Out-of-box-experience** (OOBE) and the **Diagnostics & feedback** privacy settings page. These changes are explained in the section named **Taxonomy** changes. -Additionally, in an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. We’re also clarifying the Security diagnostic data level to reflect its behavior more accurately by changing it to **Diagnostic data off**. All these changes are explained in the section named **Behavioral changes**. +Additionally, starting in Windows 11 and Windows Server 2022, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. We’re also clarifying the Security diagnostic data level to reflect its behavior more accurately by changing it to **Diagnostic data off**. All these changes are explained in the section named **Behavioral changes**. ## Taxonomy changes -Starting in Windows 10, version 1903 and newer, both the **Out-of-Box-Experience** (OOBE) and the **Diagnostics & feedback** privacy setting pages will reflect the following changes: +Starting in Windows 10, version 1903 and later, both the **Out-of-Box-Experience** (OOBE) and the **Diagnostics & feedback** privacy setting pages will reflect the following changes: - The **Basic** diagnostic data level is being labeled as **Required**. - The **Full** diagnostic data level is being labeled as **Optional**. 
@@ -50,9 +48,9 @@ Starting in Windows 10, version 1903 and newer, both the **Out-of-Box-Experience ## Behavioral changes -In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see [Configure a Windows 11 device to limit crash dumps and logs](#configure-a-windows-11-device-to-limit-crash-dumps-and-logs). For more information on services that rely on Enhanced diagnostic data, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). +Starting in Windows 11 and Windows Server 2022, we’re simplifying the Windows diagnostic data controls by moving from four diagnostic data settings to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded to a supported version of the operating system, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). 
Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. -Additionally, you will see the following policy changes in an upcoming release of Windows Holographic, version 21H1 (HoloLens 2), Windows Server 2022 and Windows 11: +Additionally, you will see the following policy changes in Windows Server 2022, Windows 11, and Windows Holographic, version 21H1 (HoloLens 2): | Policy type | Current policy | Renamed policy | | --- | --- | --- | 
@@ -69,18 +67,7 @@ A final set of changes includes two new policies that can help you fine-tune dia - Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Diagnostic Log Collection** - MDM policy: System/LimitDiagnosticLogCollection ->[!Important] ->All the changes mentioned in this section will not be released on versions of Windows, version 1809 and earlier as well as Windows Server 2019 and earlier. - -## Configure a Windows 11 device to limit crash dumps and logs - -With the Enhanced diagnostic data level being split out into new policies, we're providing additional controls to manage what types of crash dumps are collected and whether to send additional diagnostic logs. Here are some steps on how to configure them: - -1. Choose to send optional diagnostic data by setting one of the following policies: - - Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow Diagnostic Data**. Set the policy value to **Send optional diagnostic data**. - - MDM: System/AllowTelemetry. Set the policy value to **3**. -2. Enable the following Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Dump Collection** -3. Enable the following Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Diagnostic Log Collection** +For more info, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). ## Services that rely on Enhanced diagnostic data 
@@ -93,12 +80,12 @@ The following provides information on the current configurations: ## New Windows diagnostic data processor configuration -**Applies to** -- Windows 10 Edu, Pro, Enterprise editions, version 1809 with July 2021 update and newer +Enterprise customers have an option for controlling their Windows diagnostic data for their Azure Active Directory joined devices. This configuration option is supported on the following versions of Windows: -Enterprise customers will now have a new option for controlling their Windows diagnostic data for their Azure Active Directory joined devices. +- Windows 11 Enterprise, Professional, and Education +- Windows 10, Enterprise, Professional, and Education, version 1809 with at least the July 2021 update. -Previously, enterprise customers had two options in managing their Windows diagnostic data: 1) allow Microsoft to be the [controller](/compliance/regulatory/gdpr#terminology) of that data and responsible for determining the purposes and means of the processing of Windows diagnostic data in order to improve the Windows 10 operating system and deliver analytical services, or 2) turn off diagnostic data flows altogether. +Previously, enterprise customers had two options in managing their Windows diagnostic data: 1) allow Microsoft to be the [controller](/compliance/regulatory/gdpr#terminology) of that data and responsible for determining the purposes and means of the processing of Windows diagnostic data in order to improve the Windows operating system and deliver analytical services, or 2) turn off diagnostic data flows altogether. Now, customers will have a third option that allows them to be the controller for their Windows diagnostic data, while still benefiting from the purposes that this data serves, such as quality of updates and device drivers. Under this approach, Microsoft will act as a data [processor](/compliance/regulatory/gdpr#terminology), processing Windows diagnostic data on behalf of the controller. 
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 25b389048a..c4cac4808b 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -1,6 +1,6 @@
 ---
-description: Use this article to make informed decisions about how you can configure diagnostic data in your organization.
-title: Configure Windows diagnostic data in your organization (Windows 10)
+description: Use this article to make informed decisions about how you can configure Windows diagnostic data in your organization.
+title: Configure Windows diagnostic data in your organization (Windows 10 and Windows 11)
 keywords: privacy
 ms.prod: w10
 ms.mktglfcycl: manage
@@ -13,38 +13,40 @@ ms.author: dansimp manager: dansimp ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/13/2020 +ms.date: 10/04/2021 --- # Configure Windows diagnostic data in your organization **Applies to** +- Windows 11 Enterprise +- Windows 11 Education +- Windows 11 Professional - Windows 10 Enterprise - Windows 10 Education - Windows 10 Professional -- Windows Server 2016 and newer +- Windows Server 2016 and later +- Surface Hub +- Hololens -This article applies to Windows 10, Windows Server, Surface Hub, and HoloLens diagnostic data only. It describes the types of diagnostic data sent back to Microsoft and the ways you can manage it within your organization. Microsoft uses the data to quickly identify and address issues affecting its customers. - ->[!IMPORTANT] ->Microsoft is [increasing transparency](https://blogs.microsoft.com/on-the-issues/2019/04/30/increasing-transparency-and-customer-control-over-data/) by categorizing the data we collect as required or optional. Windows 10 is in the process of updating devices to reflect this new categorization, and during this transition Basic diagnostic data will be recategorized as Required diagnostic data and Full diagnostic data will be recategorized as Optional diagnostic data. For more information, see [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md). +This topic describes the types of Windows diagnostic data sent back to Microsoft and the ways you can manage it within your organization. Microsoft uses the data to quickly identify and address issues affecting its customers. ## Overview Microsoft collects Windows diagnostic data to solve problems and to keep Windows up to date, secure, and operating properly. 
It also helps us improve Windows and related Microsoft products and services and, for customers who have turned on the **Tailored experiences** setting, to provide more relevant tips and recommendations to enhance Microsoft and third-party products and services for each customer’s needs. -For more information about how Windows diagnostic data is used, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy). +For more information about how Windows diagnostic data is used, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy). ### Diagnostic data gives users a voice -Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server behave in the real world, focus on user priorities, and make informed decisions that benefit both consumer and enterprise customers. The following sections offer real examples of these benefits. +Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows behave in the real world, focus on user priorities, and make informed decisions that benefit both consumer and enterprise customers. The following sections offer real examples of these benefits. ### _Improve app and driver quality_ Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers used on Windows. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. 
The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues. -For example, in an earlier version of Windows 10 there was a version of a video driver that was crashing on some devices, causing the device to restart. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls. +For example, in an earlier version of Windows there was a version of a video driver that was crashing on some devices, causing the device to restart. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls. ### _Improve end-user productivity_ 
@@ -54,7 +56,7 @@ Windows diagnostic data also helps Microsoft better understand how customers use - **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance. -- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between apps. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature. +- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between apps. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature. ## How Microsoft handles diagnostic data @@ -66,7 +68,7 @@ Depending on the diagnostic data settings on the device, diagnostic data can be - Small payloads of structured information referred to as diagnostic data events, managed by the Connected User Experiences and Telemetry component. - - Diagnostic logs for additional troubleshooting, also managed by the Connected User Experience and Telemetry component. + - Diagnostic logs for additional troubleshooting, also managed by the Connected User Experiences and Telemetry component. - Crash reporting and crash dumps, managed by [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). 
@@ -78,7 +80,7 @@ All diagnostic data is encrypted using Transport Layer Security (TLS) and uses c ### Endpoints -The following table lists the endpoints related to how you can manage the collection and control of diagnostic data. For more information around the endpoints that are used to send data back to Microsoft, see [Manage connection endpoints for Windows 10 Enterprise, version 1903](manage-windows-1903-endpoints.md). +The following table lists the endpoints related to how you can manage the collection and control of diagnostic data. For more information around the endpoints that are used to send data back to Microsoft, see the **Manage connection endpoints** section of the left-hand navigation menu. | Windows service | Endpoint | | - | - | @@ -86,7 +88,7 @@ The following table lists the endpoints related to how you can manage the collec | [Windows Error Reporting](/windows/win32/wer/windows-error-reporting) | watson.telemetry.microsoft.com

                  watson.microsoft.com

                  umwatsonc.telemetry.microsoft.com

                  umwatsonc.events.data.microsoft.com

                  *-umwatsonc.events.data.microsoft.com

                  ceuswatcab01.blob.core.windows.net

                  ceuswatcab02.blob.core.windows.net

                  eaus2watcab01.blob.core.windows.net

                  eaus2watcab02.blob.core.windows.net

                  weus2watcab01.blob.core.windows.net

                  weus2watcab02.blob.core.windows.net | |Authentication | login.live.com



                  IMPORTANT: This endpoint is used for device authentication. We do not recommend disabling this endpoint.| | [Online Crash Analysis](/windows/win32/dxtecharts/crash-dump-analysis) | oca.telemetry.microsoft.com

                  oca.microsoft.com

                  kmwatsonc.telemetry.microsoft.com

                  *-kmwatsonc.telemetry.microsoft.com | -|Settings | settings-win.data.microsoft.com



                  IMPORTANT: This endpoint is used to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft. We do not recommend disabling this endpoint. This endpoint does not upload Windows diagnostic data | +|Settings | settings-win.data.microsoft.com



                  IMPORTANT: This endpoint is used to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft. We do not recommend disabling this endpoint. This endpoint does not upload Windows diagnostic data. | ### Data access @@ -102,7 +104,7 @@ There are four diagnostic data collection settings. Each setting is described in - Diagnostic data off (Security) - Required diagnostic data (Basic) -- Enhanced +- Enhanced (This setting is only available on devices running Windows 10, Windows Server 2016, and Windows Server 2019.) - Optional diagnostic data (Full) Here’s a summary of the types of data that is included with each setting: @@ -111,14 +113,14 @@ Here’s a summary of the types of data that is included with each setting: | --- | --- | --- | --- | --- | | **Diagnostic data events** | No Windows diagnostic data sent. | Minimum data required to keep the device secure, up to date, and performing as expected. | Additional data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users. | Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users.| | **Crash Metadata** | N/A | Yes | Yes | Yes | -| **Crash Dumps** | N/A | No | Triage dumps only

                  For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). | Full memory dumps

                  For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). | +| **Crash Dumps** | N/A | No | Triage dumps only

                  For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). | Full and triage memory dumps

                  For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). | | **Diagnostic logs** | N/A | No | No | Yes | | **Data collection** | N/A | 100% | Sampling applies | Sampling applies | ### Diagnostic data off -This setting was previously labeled as **Security**. When you configure this setting, no Windows diagnostic data is sent from your device. This is only available on Windows Server, Windows 10 Enterprise, and Windows 10 Education. If you choose this setting, devices in your organization will still be secure. +This setting was previously labeled as **Security**. When you configure this setting, no Windows diagnostic data is sent from your device. This is only available on Windows Server, Windows Enterprise, and Windows Education editions. If you choose this setting, devices in your organization will still be secure. >[!NOTE] > If your organization relies on Windows Update, the minimum recommended setting is **Required diagnostic data**. Because no Windows Update information is collected when diagnostic data is off, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. 
@@ -127,7 +129,7 @@ This setting was previously labeled as **Security**. When you configure this set Required diagnostic data, previously labeled as **Basic**, gathers a limited set of data that’s critical for understanding the device and its configuration. This data helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. -This is the default setting for Windows 10 Education editions, as well as all desktop editions starting with Windows 10, version 1903. +This is the default setting for current releases of Windows, Windows 10, version 1903. Required diagnostic data includes: 
@@ -157,10 +159,12 @@ Required diagnostic data includes: ### Enhanced diagnostic data ->[!NOTE] ->We’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. making changes to the enhanced diagnostic data level. For more info about this change, see [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md). +In Windows 10 and Windows Server 2019, enhanced diagnostic data includes data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users. -Enhanced diagnostic data includes data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users. When you choose to send enhanced diagnostic data, required diagnostic data will always be included, and we collect the following additional information: +>[!Important] +>This diagnostic data setting is not available on Windows 11 and Windows Server 2022 and has been replaced with policies that can control the amount of optional diagnostic data that is sent. More information on these settings are available in the **Manage diagnostic data using Group Policy and MDM** section of this topic. + +When you choose to send enhanced diagnostic data, required diagnostic data will always be included, and we collect the following additional information: - Operating system events that help to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components. 
@@ -187,7 +191,7 @@ Optional diagnostic data, previously labeled as **Full**, includes more detailed >[!Note] >Crash dumps collected in optional diagnostic data may unintentionally contain personal data, such as portions of memory from a document and a web page. For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). -## Manage enterprise diagnostic data +## Manage diagnostic data using Group Policy and MDM Use the steps in this section to configure the diagnostic data settings for Windows and Windows Server in your organization. 
@@ -214,16 +218,42 @@ You can use Group Policy to set your organization’s diagnostic data setting: 1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. -2. Double-click **Allow Telemetry**. +2. Double-click **Allow Telemetry** (or **Allow diagnostic data** on Windows 11 and Windows Server 2022). > [!NOTE] - > If devices in your organization are running Windows 10, 1803 and newer, the user can still use Settings to set the diagnostic data setting to a more restrictive value, unless the **Configure diagnostic data opt-in settings user interface** policy is set. + > If devices in your organization are running Windows 10, 1803 and later, the user can still use Settings to set the diagnostic data setting to a more restrictive value, unless the **Configure diagnostic data opt-in settings user interface** policy is set. + +3. In the **Options** box, choose the setting that you want to configure, and then click **OK**. + + +### Use Group Policy to manage optional diagnostic data collection + +The following policy lets you limit the types of [crash dumps](/windows/win32/dxtecharts/crash-dump-analysis) that can be sent back to Microsoft. If this policy is enabled, Windows Error Reporting will send only kernel mini dumps and user mode triage dumps. + +1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. + +2. Double-click **Limit dump collection**. + +3. In the **Options** box, choose the setting that you want to configure, and then click **OK**. + +You can also limit the number of diagnostic logs that are sent back to Microsoft. If this policy is enabled, diagnostic logs are not sent back to Microsoft. + +1. 
From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. + +2. Double-click **Limit diagnostic log collection**. 3. In the **Options** box, choose the setting that you want to configure, and then click **OK**. ### Use MDM to manage diagnostic data collection -Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) to apply the System/AllowTelemetry MDM policy. +Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) to apply the following MDM policies: + + - System/AllowTelemetry + - System/LimitDumpCollection + - System/LimitDiagnosticLogCollection + +> [!NOTE] +> The last two policies are only available on Windows 11 and Windows Server 2022. ## Enable Windows diagnostic data processor configuration @@ -231,9 +261,15 @@ The Windows diagnostic data processor configuration enables you to be the contro ### Prerequisites -- The device must have Windows 10 Pro, Education or Enterprise edition, version 1809 with July 2021 update or newer. +- Use a supported version of Windows 10 or Windows 11 +- The following editions are supported: + - Enterprise + - Professional + - Education - The device must be joined to Azure Active Directory. +For the best experience, use the most current build of any operating system specified above. Configuration functionality and availability may vary on older systems. See [Lifecycle Policy](/lifecycle/products/windows-10-enterprise-and-education) + The diagnostic data setting on the device should be set to Required diagnostic data or higher, and the following endpoints need to be reachable: - v10c.events.data.microsoft.com 
@@ -295,5 +331,3 @@ For more information about how to limit the diagnostic data to the minimum requi ## Change privacy settings on a single server You can also change the privacy settings on a server running either the Azure Stack HCI operating system or Windows Server. For more information, see [Change privacy settings on individual servers](/azure-stack/hci/manage/change-privacy-settings). - -To manage privacy settings in your enterprise as a whole, see [Manage enterprise diagnostic data](#manage-enterprise-diagnostic-data). \ No newline at end of file diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index dc9a127179..7818a1c9ef 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md @@ -1,5 +1,5 @@ --- -title: Diagnostic Data Viewer Overview (Windows 10) +title: Diagnostic Data Viewer Overview (Windows 10 and Windows 11) description: Use this article to use the Diagnostic Data Viewer application to review the diagnostic data sent to Microsoft by your device. keywords: privacy ms.prod: w10 @@ -21,9 +21,10 @@ ms.reviewer: **Applies to** -- Windows 10, version 1803 and newer +- Windows 10, version 1803 and later and Windows 11 ## Introduction + The Diagnostic Data Viewer is a Windows app that lets you review the Windows diagnostic data your device is sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft. ## Install and Use the Diagnostic Data Viewer 
@@ -31,9 +32,11 @@ The Diagnostic Data Viewer is a Windows app that lets you review the Windows dia You must download the app before you can use the Diagnostic Data Viewer to review your device's diagnostic data. ### Turn on data viewing + Before you can use this tool for viewing Windows diagnostic data, you must turn on data viewing in the **Settings** panel. Turning on data viewing lets Windows store your device's diagnostic data until you turn it off. Turning off data viewing stops Windows from collecting your diagnostic data and clears the existing diagnostic data from your device. Note that this setting does not affect your Office data viewing or history. **To turn on data viewing** + 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. 2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option. @@ -41,21 +44,24 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn ![Location to turn on data viewing.](images/ddv-data-viewing.png) ### Download the Diagnostic Data Viewer + Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. > [!Important] > It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the case, see [Diagnostic Data Viewer for PowerShell](./microsoft-diagnosticdataviewer.md). ### Start the Diagnostic Data Viewer + You can start this app from the **Settings** panel. **To start the Diagnostic Data Viewer** + 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. 2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button. ![Location to turn on the Diagnostic Data Viewer.](images/ddv-settings-launch.png)

                  -OR-

                  - + Go to **Start** and search for _Diagnostic Data Viewer_. 3. Close the Diagnostic Data Viewer app, use your device as you normally would for a few days, and then open Diagnostic Data Viewer again to review the updated list of diagnostic data. @@ -64,18 +70,19 @@ You can start this app from the **Settings** panel. >Turning on data viewing can use up to 1GB (by default) of disk space on your system drive. We strongly recommend that you turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article. ### Use the Diagnostic Data Viewer + The Diagnostic Data Viewer provides you with the following features to view and filter your device's diagnostic data. - **View your Windows diagnostic events.** In the left column, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft. Selecting an event opens the detailed JSON view, which provides the exact details uploaded to Microsoft. Microsoft uses this info to continually improve the Windows operating system. - + >[!Important] >Seeing an event does not necessarily mean it has been uploaded yet. It’s possible that some events are still queued and will be uploaded at a later time. ![View your diagnostic events.](images/ddv-event-view.jpg) -- **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text. +- **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text. Selecting an event opens the detailed JSON view, with the matching text highlighted. 
@@ -83,31 +90,34 @@ The Diagnostic Data Viewer provides you with the following features to view and - **Help to make your Windows experience better.** Microsoft only needs diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others. - To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling.](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). + To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling.](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). - **Provide diagnostic event feedback.** The **Feedback** icon in the upper right corner of the window opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events. Selecting a specific event in the Diagnostic Data Viewer automatically fills in the field in the Feedback Hub. You can add your comments to the box labeled, **Give us more detail (optional)**. - + >[!Important] >All content in the Feedback Hub is publicly viewable. Therefore, make sure you don't put any personal info into your feedback comments. 
- **View a summary of the data you've shared with us over time.** Available for users on build 19H1+, 'About my data' in Diagnostic Data Viewer lets you see an overview of the Windows data you've shared with Microsoft. Through this feature, you can checkout how much data you send on average each day, the breakdown of your data by category, the top components and services that have sent data, and more. - + >[!Important] >This content is a reflection of the history of Windows data the app has stored. If you'd like to have extended analyses, please modify the storage capacity of Diagnostic Data Viewer. ![Look at an overview of what data you've shared with Microsoft through the 'About my data' page in Diagnostic Data Viewer.](images/ddv-analytics.png) ## View Office Diagnostic Data + By default, Diagnostic Data Viewer shows you Windows data. You can also view Office diagnostic data by enabling the feature in the app settings page. To learn more about how to view Office diagnostic data, please visit this [page](https://go.microsoft.com/fwlink/?linkid=2023830). ## Turn off data viewing + When you're done reviewing your diagnostic data, you should turn of data viewing. This will also remove your Windows data history. Note that this setting does not affect your Office data viewing or history. **To turn off data viewing** + 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. 2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option. 
@@ -115,23 +125,25 @@ When you're done reviewing your diagnostic data, you should turn of data viewing ![Location to turn off data viewing.](images/ddv-settings-off.png) ## Modifying the size of your data history -By default, Diagnostic Data Viewer shows you up to 1GB or 30 days of data (whichever comes first) for Windows diagnostic data. Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first. + +By default, Diagnostic Data Viewer shows you up to 1GB or 30 days of data (whichever comes first) for Windows diagnostic data. Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first. > [!Important] > Note that if you have [Office diagnostic data viewing enabled](#view-office-diagnostic-data), the Office data history is fixed at 1 GB and cannot be modified. **Modify the size of your data history** - + To make changes to the size of your Windows diagnostic data history, visit the **app settings**, located at the bottom of the navigation menu. Data will be incrementally dropped with the oldest data points first once your chosen size or time limit is reached. > [!Important] > Decreasing the maximum amount of diagnostic data viewable through the tool will remove all data history and requires a reboot of your device. Additionally, increasing the maximum amount of diagnostic data viewable by the tool may come with performance impacts to your machine. ## View additional diagnostic data in the View problem reports tool -Available on Windows 1809 and higher, you can review additional Windows Error Reporting diagnostic data in the **View problem reports** page within the Diagnostic Data Viewer. -This page provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting. -We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system. 
+Available on Windows 10 1809 and higher and Windows 11, you can review additional Windows Error Reporting diagnostic data in the **View problem reports** page within the Diagnostic Data Viewer. + +This page provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting. +We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system. You can also use the Windows Error Reporting tool available in the Control Panel. @@ -139,7 +151,7 @@ You can also use the Windows Error Reporting tool available in the Control Panel Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer. -![Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer.](images/ddv-problem-reports.png) +![Starting with Windows 1809 and higher and Windows 11, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer.](images/ddv-problem-reports.png) **To view your Windows Error Reporting diagnostic data using the Control Panel** diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md new file mode 100644 index 0000000000..5ad54e7a9e --- /dev/null +++ b/windows/privacy/essential-services-and-connected-experiences.md 
@@ -0,0 +1,122 @@
+---
+title: Essential services and connected experiences for Windows
+description: Explains what the essential services and connected experiences are for Windows
+keywords: privacy, manage connections to Microsoft
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+audience: ITPro
+author: siosulli
+ms.author: dansimp
+manager: dansimp
+ms.date:
+---
+
+# Essential services and connected experiences for Windows
+
+**Applies to**
+
+- Windows 11
+- Windows 10, version 1903 and later
+
+Windows includes features that connect to the internet to provide enhanced experiences and additional service-based capabilities. These features are called connected experiences. For example, Microsoft Defender Antivirus is a connected experience that delivers updated protection to keep the devices in your organization secure.
+
+When a connected experience is used, data is sent to and processed by Microsoft to provide that connected experience. This data is crucial because this information enables us to deliver these cloud-based connected experiences. We refer to this data as required service data. Required service data can include information related to the operation of the connected experience that is needed to keep the underlying service secure, up to date, and performing as expected. Required service data can also include information needed by a connected experience to perform its task, such as configuration information about Windows.
+
+The connected experiences you choose to use in Windows will impact what required service data is sent to us.
+
+Required service data is also collected and sent to Microsoft for essential services. Essential services are used to keep the product **secure, up to date, performing as expected** or are **integral** to how the product works. For example, the licensing service that confirms that you’re properly licensed to use Windows.
+
+Although enterprise admins can turn off most essential services, we recommend, where applicable, you consider hosting the services on-premises and carefully assess the impact of turning off remaining services. The following list describes the essential services and connected experiences that are available to you in Windows and provides links to further information about each one.
+
+> [!NOTE]
+> The information in this article describes the most common connected experiences and essential services. We will continue to update our list of connected experiences over time as Windows evolves.
+
+## Windows essential services
+
+| **Essential service** | **Description** |
+| --- | --- |
+|Authentication|The authentication service is required to enable sign in to work or school accounts. It validates a user’s identity and provides access to multiple apps and system components like OneDrive and activity history. Using a work or school account to sign in to Windows enables Microsoft to provide a consistent experience across your devices. If the authentication service is turned off, many apps and components may lose functionality and users may not be able to sign in.
                  To turn it off, see [Microsoft Account](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#12-microsoft-account).| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
                  If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.
                  To turn it off, see [Automatic Root Certificates Update](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update).| +| Services Configuration | Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.
                  To turn it off, see [Services Configuration](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#31-services-configuration).| +| Licensing | Licensing services are used for the activation of Windows, and apps purchased from the Microsoft Store. If you disable the Windows License Manager Service or the Software Protection Platform Service, it may prevent activation of genuine Windows and store applications.
                  To turn off licensing services, see [License Manager](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#9-license-manager) and [Software Protection Platform](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#19-software-protection-platform).| +| Networking | Networking in Windows provides connectivity to and from your devices to the local intranet and internet. If you turn off networking, Windows devices will lose network connectivity.
                  To turn off Network Adapters, see [Disable-NetAdapter](/powershell/module/netadapter/disable-netadapter).| +| Device setup | The first time a user sets up a new device, the Windows out-of-box experience (OOBE) guides the user through the steps to accept the license agreement, connect to the internet, sign in to (or sign up for) a Microsoft account, and takes care of other important tasks. Most settings can also be changed after setup is completed.
                  To customize the initial setup experience, see [Customize Setup](/windows-hardware/customize/desktop/customize-oobe).| +| Diagnostic Data | Microsoft collects diagnostic data including error data about your devices with the help of the telemetry service. Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows behaves in the real world, focus on user priorities, find and fix problems, and improve services. This data allows Microsoft to improve the Windows experience. Setting diagnostic data to off means important information to help fix issues and improve quality will not be available to Microsoft.
                  To turn it off, see [Telemetry Services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics).| +| Update | Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users download apps from the Microsoft Store and keep them up to date. Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.
                  Other services like Device metadata retrieval and Font streaming also ensure that the content on your devices is kept up to date.
                  To turn off updates, see [Windows Update](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#29-windows-update), [Device Metadata Retrieval](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval), and [Font Streaming](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming).| +| Microsoft Store | Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.
                  To turn it off, see [Microsoft Store](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store).|
+
+## Windows connected experiences
+
+| **Connected experience** | **Description** |
+| --- | --- |
+|Activity History|Activity History shows a history of activities a user has performed and can even synchronize activities across multiple devices for the same user. Synchronization across devices only works when a user signs in with the same account.
                  To turn it off, see [Activity History](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#1822-activity-history). | +|Cloud Clipboard|Cloud Clipboard enables users to copy images and text across all Windows devices when they sign in with the same account. Users can paste from their clipboard history and also pin items.
                  To turn it off, see [Cloud Clipboard](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#30-cloud-clipboard). | +| Date and Time | The Windows Time service is used to synchronize and maintain the most accurate date and time on your devices. It's installed by default and starts automatically on devices that are part of a domain. It can be started manually on other devices. If this service is stopped, date and time synchronization will be unavailable and any services that explicitly depend on it will fail to start.
                  To turn it off, see [Date and Time](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#3-date--time). | +| Delivery Optimization | Delivery Optimization is a cloud-managed, peer-to-peer client and a downloader service for Windows updates, upgrades, and applications to an organization's networked devices. Delivery Optimization allows devices to download updates from alternate sources, such as other peers on the network, in addition to Microsoft servers. This helps when you have a limited or unreliable Internet connection and reduces the bandwidth needed to keep all your organization's devices up to date.
                  If you have Delivery Optimization Peer-to-Peer option turned on, devices on your network may send and receive updates and apps to other devices on your local network, if you choose, or to devices on the Internet. By default, devices running Windows will only use Delivery Optimization to get and receive updates for devices and apps on your local network.
                  To turn it off, see [Delivery Optimization](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#28-delivery-optimization). | +| Emojis and more | The Emoji and more menu allows users to insert a variety of content like emoji, kaomoji, GIFs, symbols, and clipboard history. This connected experience is new in Windows 11.
                  To turn it off, see [Emojis availability](/windows/client-management/mdm/policy-csp-textinpu.md#textinput-touchkeyboardemojibuttonavailability). | +| Find My Device | Find My Device is a feature that can help users locate their Windows device if it's lost or stolen. This feature only works if a Microsoft account is used to sign in to the device, the user is an administrator on the device, and when location is turned on for the device. Users can find their device by logging in to [https://account.microsoft.com/devices](https://account.microsoft.com/devices) under the Find My Device tab.
                  To turn it off, see [Find My Device](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#5-find-my-device). | +| Location services | The device location setting enables certain Windows features such as auto setting the time zone or Find My Device to function properly. When the device location setting is enabled, the Microsoft location service will use a combination of global positioning service (GPS), nearby wireless access points, cell towers, and IP address to determine the device’s location. Depending on the capabilities of the device, its location can be determined with varying degrees of accuracy and may in some cases be determined precisely.
                  To turn it off, see [Location services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#182-location). | +| Microsoft Defender Antivirus | Microsoft Defender Antivirus provides cloud-delivered protection against new and emerging threats for the devices in your organization. Turning off Microsoft Defender Antivirus will potentially leave your Windows devices in a vulnerable state and more prone to security threats.
                  To turn it off, see [Microsoft Defender Antivirus](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-defender). | +| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen is a feature of Windows, Internet Explorer, and Microsoft Edge. It helps protect users against phishing or malware websites and applications, and the downloading of potentially malicious files. Turning off Microsoft Defender SmartScreen means you cannot block a website or warn users they may be accessing a malicious site.
                  To turn it off, see [Microsoft Defender SmartScreen](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen). | +| OneDrive | OneDrive is a cloud storage system that allows you to save your files and photos, and access them from any device, anywhere.
                  To turn off OneDrive, see [OneDrive](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#16-onedrive). | +| Troubleshooting Service | Windows troubleshooting service will automatically fix critical issues like corrupt settings that keep critical services from running. The service will also make adjustments to work with your hardware, or make other specific changes required for Windows to operate with the hardware, apps, and settings you’ve selected. In addition, it will recommend troubleshooting for other problems that aren’t critical to normal Windows operation but might impact your experience.
                  To turn it off, see [Troubleshooting service](/windows/client-management/mdm/policy-csp-troubleshooting). | +| Voice Typing | Voice typing (also referred to as Windows dictation in earlier versions of Windows) allows users to write text by speaking by using Microsoft’s online speech recognition technology.
                  To turn it off, see [Speech recognition](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#186-speech). | +| Windows backup | When settings synchronization is turned on, a user's settings are synced across all Windows devices when they sign in with the same account.
                  To turn it off, see [Sync your settings](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-sync-your-settings). | +| Windows Dashboard Widgets | Windows Dashboard widget is a dynamic view that shows users personalized content like news, weather, their calendar and to-do list, and recent photos. It provides a quick glance view, which allows users to be productive without needing to go to multiple apps or websites. This connected experience is new in Windows 11. | +| Windows Insider Program | The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to builds of Windows. Once you've registered for the program, you can run Insider Preview builds on as many devices as you want, each in the channel of your choice. Learn how to join the Windows Insider program by visiting the program’s [website](https://insider.windows.com/).
                  To turn it off, see [Windows Insider Program](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#7-insider-preview-builds). | +| Windows Search | Windows Search lets users use the search box on the taskbar to find what they are looking for, whether it’s on their device, in the cloud, or on the web. Windows Search can provide results for items from the device (including apps, settings, and files), the users account (including OneDrive, SharePoint, and other Microsoft services), and the internet.
                  To turn it off, see [Windows Search](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#2-cortana-and-search). | +| Windows Spotlight | Windows Spotlight displays new background images on the lock screen each day. Additionally, it provides feature suggestions, fun facts, and tips on the lock screen background.
                  Administrators can turn off Windows Spotlight features to prevent users from using the Windows Spotlight background.
                  To turn it off, see [Windows Spotlight](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#25-windows-spotlight). |
+
+## Microsoft Edge essential services and connected experiences
+
+Windows ships with Microsoft Edge and Internet Explorer on Windows devices. Microsoft Edge is the default browser and is recommended for the best web browsing experience.
                  You can find details on all of Microsoft Edge's connected experiences and essential services [here](/microsoft-edge/privacy-whitepaper). To turn off specific Microsoft Edge feature, see [Microsoft Edge](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge).
+
+## IE essential services and connected experiences
+
+Internet Explorer shares many of the Windows essential services listed above. The following table provides more details on the essential services and connected experiences specific to Internet Explorer.
+
+> [!NOTE]
+> Apart from ActiveX Filtering, which is an essential service, all other features listed below are connected experiences.
                  To turn off specific connected experiences, see [Internet Explorer](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#8-internet-explorer).
+
+| **Connected experience** | **Description** |
+| --- | --- |
+|ActiveX Filtering|ActiveX controls are small apps that allow websites to provide content such as videos and games, and let users interact with controls like toolbars and stock tickers. However, these apps can sometimes malfunction, and in some cases, they might be used to collect information from user devices, install software without a user's agreement, or be used to control a device remotely without a user's permission.
                  ActiveX Filtering in Internet Explorer prevents sites from installing and using these apps which, can help keep users safer as they browse, but it can also affect the user experience of certain sites as interactive content might not work when ActiveX Filtering is on.
                  Note: To further enhance security, Internet Explorer also allows you to block out-of-date ActiveX controls. |
+|Suggested Sites|Suggested Sites is an online experience that recommends websites, images, or videos a user might be interested in. When Suggested Sites is turned on, a user’s web browsing history is periodically sent to Microsoft.|
+| Address Bar and Search suggestions | With search suggestions enabled, users will be offered suggested search terms as they type in the Address Bar. As users type information, it will be sent to the default search provider. |
+| Auto-complete feature for web addresses | The auto-complete feature suggests possible matches when users are typing web addresses in the browser address bar. |
+| Compatibility logging | This feature is designed for use by developers and IT professionals to determine the compatibility of their websites with Internet Explorer. It is disabled by default and needs to be enabled to start logging Internet Explorer events in the Windows Event Viewer. These events describe failures that might have happened on the site and can include information about specific controls and webpages that failed. |
+| Compatibility View | Compatibility View helps make websites designed for older browsers look better when viewed in Internet Explorer. The compatibility view setting allows you to choose whether an employee can fix website display problems they encounter while browsing. |
+| Flip ahead | Flip ahead enables users to flip through web content quickly by swiping across the page or by clicking forward. When flip ahead is turned on, web browsing history is periodically sent to Microsoft. If you turn off this setting, users will no longer be able swipe across a screen or click forward to go to the next pre-loaded page of a website. |
+| Web Slices | A Web Slice enables users to subscribe to and automatically receive updates to content directly within a web page. 
Disabling the RSS Feeds setting will turn off background synchronization for feeds and Web Slices. |
+| Accelerators | Accelerators are menu options in Internet Explorer that help automate common browser-related tasks. In Internet Explorer, when you right-click selected text, Accelerators appear in the list of available options.
                  For example, if you select a word, you can use the "Translate with Bing" Accelerator to obtain a translation of that word. |
+| Pinning websites to Start | When a user pins a website to the Start menu, it displays as a tile similar to the way apps are displayed. Like Microsoft Store apps, website tiles might display updates if the website has been designed to do so. For example, an online email website might send updates to the tile indicating how many new messages a user has. |
+
+## Related links
+
+- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+- [Connected Experiences in Office](/deployoffice/privacy/connected-experiences.md)
+- [Essential Services in Office](/deployoffice/privacy/essential-services.md)
+
+To view endpoints for Windows Enterprise, see:
+
+- [Manage connection endpoints for Windows 11](manage-windows-11-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 21H1](manage-windows-21H1-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 20H2](manage-windows-20h2-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+
+To view endpoints for non-Enterprise Windows editions, see:
+
+- [Windows 11 connection endpoints for non-Enterprise editions](windows-11-endpoints-non-enterprise-editions.md)
+- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md)
+- [Windows 10, version 
20H2, connection endpoints for non-Enterprise editions](windows-endpoints-20H2-non-enterprise-editions.md) +- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) +- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) +- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) +- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) +- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) \ No newline at end of file diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml index 2fd2b1fc97..63d295f52a 100644 --- a/windows/privacy/index.yml +++ b/windows/privacy/index.yml @@ -14,7 +14,7 @@ metadata: author: dansimp ms.author: dansimp manager: dansimp - ms.date: 07/21/2020 #Required; mm/dd/yyyy format. + ms.date: 09/08/2021 #Required; mm/dd/yyyy format. ms.localizationpriority: high # highlightedContent section (optional) 
@@ -37,25 +37,25 @@ highlightedContent: # productDirectory section (optional) productDirectory: - title: Understand Windows diagnostic data in Windows 10 - summary: For the latest Windows 10 version, learn more about what Windows diagnostic data is collected at various diagnostics levels. + title: Understand Windows diagnostic data in Windows 10 and Windows 11 + summary: For the latest Windows 10 version and Windows 11, learn more about what Windows diagnostic data is collected under the different settings. items: # Card - - title: Required diagnostic data + - title: Windows 11 required diagnostic data # imageSrc should be square in ratio with no whitespace imageSrc: https://docs.microsoft.com/media/common/i_extend.svg summary: Learn more about basic Windows diagnostic data events and fields collected. - url: required-windows-diagnostic-data-events-and-fields-2004.md + url: required-windows-11-diagnostic-events-and-fields.md + # Card + - title: Windows 10 required diagnostic data + imageSrc: https://docs.microsoft.com/media/common/i_build.svg + summary: See what changes Windows is making to align to the new data collection taxonomy + url: required-windows-diagnostic-data-events-and-fields-2004.md # Card - title: Optional diagnostic data imageSrc: https://docs.microsoft.com/media/common/i_get-started.svg summary: Get examples of the types of optional diagnostic data collected from Windows url: windows-diagnostic-data.md - # Card - - title: Changes to Windows diagnostic data collection - imageSrc: https://docs.microsoft.com/media/common/i_build.svg - summary: See what changes Windows is making to align to the new data collection taxonomy - url: changes-to-windows-diagnostic-data-collection.md # conceptualContent section (optional) # conceptualContent: 
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 27e6a0cc39..482413653a 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md 
@@ -14,19 +14,20 @@ manager: robsize ms.date: 12/1/2020 --- -# Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server +# Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services using Microsoft Intune MDM Server **Applies to** -- Windows 10 Enterprise 1903 version and newer +- Windows 11 +- Windows 10 Enterprise 1903 version and newer -This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. +This article describes the network connections that Windows 10 and Windows 11 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. 
If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. >[!IMPORTANT] >- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic) > - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. -> - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices. +> - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 and Windows 11 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 and Windows 11 devices. 
>- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features. >- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy. >- The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings. 
@@ -36,16 +37,16 @@ This article describes the network connections that Windows 10 components make t For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](/intune/). -For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows 10 operating system components to Microsoft services](./manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows operating system components to Microsoft services](./manage-connections-from-windows-operating-system-components-to-microsoft-services.md). We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**. -## Settings for Windows 10 Enterprise edition 1903 and newer +## Settings for Windows 10 Enterprise edition 1903 and later and Windows 11 The following table lists management options for each setting. -For Windows 10, the following MDM policies are available in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). +For Windows 10 and Windows 11, the following MDM policies are available in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). 1. **Automatic Root Certificates Update** 1. MDM Policy: There is intentionally no MDM available for Automatic Root Certificate Update. This MDM does not exist since it would prevent the operation and management of MDM management of devices. 
@@ -104,7 +105,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](/wi 1. **OneDrive** 1. MDM Policy: [DisableOneDriveFileSync](/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync). Allows IT Admins to prevent apps and features from working with files on OneDrive. **Set to 1 (one)** - 1. Ingest the ADMX - To get the latest OneDrive ADMX file you need an up-to-date Windows 10 client. The ADMX files are located under the following path: %LocalAppData%\Microsoft\OneDrive\ there's a folder with the current OneDrive build (e.g. "18.162.0812.0001"). There is a folder named "adm" which contains the admx and adml policy definition files. + 1. Ingest the ADMX - To get the latest OneDrive ADMX file you need an up-to-date Windows 10 or Windows 11 client. The ADMX files are located under the following path: %LocalAppData%\Microsoft\OneDrive\ there's a folder with the current OneDrive build (e.g. "18.162.0812.0001"). There is a folder named "adm" which contains the admx and adml policy definition files. 1. MDM Policy: Prevent Network Traffic before User SignIn. **PreventNetworkTrafficPreUserSignIn**. The OMA-URI value is: **./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC\~Policy\~OneDriveNGSC/PreventNetworkTrafficPreUserSignIn**, Data type: **String**, Value: **\** 
@@ -135,33 +136,33 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](/wi 1. App Diagnostics - [Privacy/LetAppsGetDiagnosticInfo](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsgetdiagnosticinfo). Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. **Set to 2 (two)** 1. **Software Protection Platform** - [Licensing/DisallowKMSClientOnlineAVSValidation](/windows/client-management/mdm/policy-csp-licensing#licensing-disallowkmsclientonlineavsvalidation). Opt out of sending KMS client activation data to Microsoft automatically. **Set to 1 (one)** 1. **Storage Health** - [Storage/AllowDiskHealthModelUpdates](/windows/client-management/mdm/policy-csp-storage#storage-allowdiskhealthmodelupdates). Allows disk health model updates. **Set to 0 (zero)** -1. **Sync your settings** - [Experience/AllowSyncMySettings](/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings). Control whether your settings are synchronized. **Set to 0 (zero)** -1. **Teredo** - No MDM needed. Teredo is **Off by default**. Delivery Optimization (DO) can turn on Teredo, but DO itself is turned Off via MDM. -1. **Wi-Fi Sense** - No MDM needed. Wi-Fi Sense is no longer available from Windows 10 version 1803 and newer. +1. **Sync your settings** - [Experience/AllowSyncMySettings](/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings). Control whether your settings are synchronized. **Set to 0 (zero)** +1. **Teredo** - No MDM needed. Teredo is **Off by default**. Delivery Optimization (DO) can turn on Teredo, but DO itself is turned Off via MDM. +1. **Wi-Fi Sense** - No MDM needed. Wi-Fi Sense is no longer available from Windows 10 version 1803 and later or Windows 11. 1. **Windows Defender** - 1. [Defender/AllowCloudProtection](/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection). 
Disconnect from the Microsoft Antimalware Protection Service. **Set to 0 (zero)** + 1. [Defender/AllowCloudProtection](/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection). Disconnect from the Microsoft Antimalware Protection Service. **Set to 0 (zero)** 1. [Defender/SubmitSamplesConsent](/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). Stop sending file samples back to Microsoft. **Set to 2 (two)** 1. [Defender/EnableSmartScreenInShell](/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings#mdm-settings). Turns off SmartScreen in Windows for app and file execution. **Set to 0 (zero)** 1. Windows Defender SmartScreen - [Browser/AllowSmartScreen](/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen). Disable Windows Defender SmartScreen. **Set to 0 (zero)** - 1. Windows Defender SmartScreen EnableAppInstallControl - [SmartScreen/EnableAppInstallControl](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol). Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)** + 1. Windows Defender SmartScreen EnableAppInstallControl - [SmartScreen/EnableAppInstallControl](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol). Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)** 1. Windows Defender Potentially Unwanted Applications(PUA) Protection - [Defender/PUAProtection](/windows/client-management/mdm/policy-csp-defender#defender-puaprotection). Specifies the level of detection for potentially unwanted applications (PUAs). **Set to 1 (one)** 1. [Defender/SignatureUpdateFallbackOrder](). Allows you to define the order in which different definition update sources should be contacted. 
The OMA-URI for this is: **./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder**, Data type: **String**, Value: **FileShares** 1. **Windows Spotlight** - [Experience/AllowWindowsSpotlight](/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsspotlight). Disable Windows Spotlight. **Set to 0 (zero)** 1. **Microsoft Store** 1. [ApplicationManagement/DisableStoreOriginatedApps](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-disablestoreoriginatedapps). Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. **Set to 1 (one)** 1. [ApplicationManagement/AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate). Specifies whether automatic update of apps from Microsoft Store are allowed. **Set to 0 (zero)** -1. **Apps for websites** - [ApplicationDefaults/EnableAppUriHandlers](/windows/client-management/mdm/policy-csp-applicationdefaults#applicationdefaults-enableappurihandlers). This policy setting determines whether Windows supports web-to-app linking with app URI handlers. **Set to 0 (zero)** +1. **Apps for websites** - [ApplicationDefaults/EnableAppUriHandlers](/windows/client-management/mdm/policy-csp-applicationdefaults#applicationdefaults-enableappurihandlers). This policy setting determines whether Windows supports web-to-app linking with app URI handlers. **Set to 0 (zero)** 1. **Windows Update Delivery Optimization** - The following Delivery Optimization MDM policies are available in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). 1. [DeliveryOptimization/DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode). Let’s you choose where Delivery Optimization gets or sends updates and apps. **Set to 99 (ninety-nine)** 1. **Windows Update** 1. 
[Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Control automatic updates. **Set to 5 (five)** 1. Windows Update Allow Update Service - [Update/AllowUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowupdateservice). Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. **Set to 0 (zero)** - 1. Windows Update Service URL - [Update/UpdateServiceUrl](/windows/client-management/mdm/policy-csp-update#update-updateserviceurl). Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with the Value: + 1. Windows Update Service URL - [Update/UpdateServiceUrl](/windows/client-management/mdm/policy-csp-update#update-updateserviceurl). Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with the Value: 1. **\\$CmdID$\\\chr\text/plain\\ \./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl\\http://abcd-srv:8530\\** ### Allowed traffic for Microsoft Intune / MDM configurations -|**Allowed traffic endpoints** | +|**Allowed traffic endpoints** | --- | |activation-v2.sls.microsoft.com/*| |cdn.onenote.net| diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index f1f0d9469a..aef42b510b 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -1,5 +1,5 @@
 ---
-title: Manage connections from Windows 10 operating system components to Microsoft services
+title: Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services
 description: Learn how to minimize connections from Windows to Microsoft services, and configure particular privacy settings related to these connections.
 ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
 ms.reviewer: 
@@ -17,17 +17,18 @@ ms.topic: article ms.date: 5/21/2021 --- -# Manage connections from Windows 10 operating system components to Microsoft services +# Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services **Applies to** -- Windows 10 Enterprise, version 1607 and newer +- Windows 11 Enterprise +- Windows 10 Enterprise, version 1607 and later - Windows Server 2016 - Windows Server 2019 -This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. +This article describes the network connections that Windows 10 and Windows 11 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. 
While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. -Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. +Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 and Windows 11 to Microsoft. 
The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. > [!IMPORTANT] > - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices. 
@@ -42,7 +43,7 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline] > - To restrict a device effectively (first time or subsequently), it is recommended to apply the Restricted Traffic Limited Functionality Baseline settings package in offline mode. > - During update or upgrade of Windows, egress traffic may occur. -To use Microsoft Intune cloud-based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm.md). +To use Microsoft Intune cloud-based device management for restricting traffic please refer to the [Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services using Microsoft Intune MDM Server](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm.md). We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**. 
@@ -50,9 +51,9 @@ We are always striving to improve our documentation and welcome your feedback. Y The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Microsoft Defender Antivirus diagnostic data and MSRT reporting, and turn off all of these connections -### Settings for Windows 10 Enterprise edition +### Settings for Windows 10 and Windows 11 Enterprise edition -The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1607. +The following table lists management options for each setting, For Windows 10 (beginning with Windows 10 Enterprise version 1607) and Windows 11. | Setting | UI | Group Policy | Registry | @@ -74,7 +75,7 @@ The following table lists management options for each setting, beginning with Wi | [15. Offline maps](#bkmk-offlinemaps) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [16. OneDrive](#bkmk-onedrive) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | -| [18. Settings > Privacy](#bkmk-settingssection) | | | | +| [18. Settings > Privacy & security](#bkmk-settingssection) | | | | |     [18.1 General](#bkmk-general) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | |     [18.2 Location](#bkmk-priv-location) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | |     [18.3 Camera](#bkmk-priv-camera) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | 
@@ -130,7 +131,7 @@ See the following table for a summary of the management settings for Windows Ser | [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | | [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [16. OneDrive](#bkmk-onedrive) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [18. Settings > Privacy](#bkmk-settingssection) | | | | +| [18. Settings > Privacy & security](#bkmk-settingssection) | | | | | [19. Software Protection Platform](#bkmk-spp) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Teredo](#bkmk-teredo) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | 
@@ -186,7 +187,7 @@ See the following table for a summary of the management settings for Windows Ser | [15. Offline maps](#bkmk-offlinemaps) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | -| [18. Settings > Privacy](#bkmk-settingssection) | | | | +| [18. Settings > Privacy & security](#bkmk-settingssection) | | | | |     [18.1 General](#bkmk-general) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |     [18.2 Location](#bkmk-priv-location) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |     [18.3 Camera](#bkmk-priv-camera) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | @@ -237,7 +238,7 @@ Although not recommended, you can turn off Automatic Root Certificates Update, w > [!CAUTION] > By not automatically downloading the root certificates the device may not be able to connect to some websites. -For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core: +For Windows 10, Windows Server 2016 with Desktop Experience, Windows Server 2016 Server Core, and Windows 11: - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update** 
@@ -293,7 +294,7 @@ You can also apply the Group Policies using the following registry keys: > [!IMPORTANT] -> Using the Group Policy editor these steps are required for all supported versions of Windows 10, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016. +> Using the Group Policy editor these steps are required for all supported versions of Windows 10 and Windows 11, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016. 1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security** > **Windows Defender Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. 
@@ -389,21 +390,21 @@ If you're running Windows 10, version 1607, Windows Server 2016, or later: ### 7. Insider Preview builds -The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10. This setting stops communication with the Windows Insider Preview service that checks for new builds. -Windows Insider Preview builds only apply to Windows 10 and are not available for Windows Server 2016. +The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10 and Windows 11. This setting stops communication with the Windows Insider Preview service that checks for new builds. +Windows Insider Preview builds only apply to Windows 10 and Windows 11 and are not available for Windows Server 2016. > [!NOTE] > If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for Restricted Traffic) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Optional (Full)**. Although the diagnostic data level may initially appear as **Required (Basic)**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Optional (Full)**. -To turn off Insider Preview builds for a released version of Windows 10: +To turn off Insider Preview builds for a released version of Windows 10 or Windows 11: - **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. -To turn off Insider Preview builds for Windows 10: +To turn off Insider Preview builds for Windows 10 and Windows 11: > [!NOTE] -> If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds. 
+> If you're running a preview version of Windows 10 or Windows 11, you must roll back to a released version before you can turn off Insider Preview builds. - Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Insider Program** > **Stop Insider Preview builds**. @@ -529,7 +530,7 @@ To turn off Live Tiles: - Create a REG_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a **value of 1 (one)** -In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start. +In Windows 10 or Windows 11 Mobile, you must also unpin all tiles that are pinned to Start. ### 11. Mail synchronization @@ -548,7 +549,7 @@ To turn off the Windows Mail app: ### 12. Microsoft Account -Use the below setting to prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). +Use the below setting to prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher and Windows 11. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). To disable the Microsoft Account Sign-In Assistant: 
@@ -657,7 +658,7 @@ You can turn off the ability to download and update offline maps. -and- -- In Windows 10, version 1607 and later, **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page** +- In Windows 10, version 1607 and later, and Windows 11 **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page** -or- @@ -805,9 +806,9 @@ To remove the Sticky notes app: - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage** -### 18. Settings > Privacy +### 18. Settings > Privacy & security -Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. +Use Settings > Privacy & security to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. - [18.1 General](#bkmk-general) 
@@ -1268,7 +1269,7 @@ In the **Other Devices** area, you can choose whether devices that aren't paired To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**: -- Turn off the feature in the UI by going to Settings > Privacy > Other devices > "Communicate with unpaired devices. Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone" and **Turn it OFF**. +- Turn off the feature in the UI by going to Settings > Privacy & security > Other devices > "Communicate with unpaired devices. Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone" and **Turn it OFF**. -or- @@ -1342,7 +1343,7 @@ To change the level of diagnostic and usage data sent when you **Send your devic - Create a REG_DWORD registry setting in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry** with a **value of 0**. > [!NOTE] -> If the **Security** option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The **Security** option is only available in Windows 10 Enterprise edition. +> If the **Security** option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The **Security** option is only available in Windows 10 and Windows 11 Enterprise edition. To turn off tailored experiences with relevant tips and recommendations by using your diagnostics data: 
@@ -1380,7 +1381,7 @@ To turn off **Let apps run in the background**: -or- -- **Enable** the Group Policy (only applicable for Windows 10 version 1703 and above): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background** and set the **Select a setting** box to **Force Deny**. +- **Enable** the Group Policy (only applicable for Windows 10 version 1703 and above and Windows 11): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background** and set the **Select a setting** box to **Force Deny**. -or- @@ -1527,7 +1528,7 @@ To turn this Off in the UI: Enterprise customers can manage their Windows activation status with volume licensing using an on-premises Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following: -**For Windows 10:** +**For Windows 10 and Windows 11:** - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** @@ -1555,7 +1556,7 @@ Enterprise customers can manage their Windows activation status with volume lice Enterprise customers can manage updates to the Disk Failure Prediction Model. -For Windows 10: +For Windows 10 and Windows 11: - **Disable** this Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Storage Health** > **Allow downloading updates to the Disk Failure Prediction Model** -or- 
@@ -1723,12 +1724,12 @@ In Group Policy, configure: Windows Spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or Group Policy. -If you're running Windows 10, version 1607 or later, you need to: +If you're running Windows 10, version 1607 or later, or Windows 11, you need to: - **Enable** the following Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features** > [!NOTE] - > This must be done within 15 minutes after Windows 10 is installed. Alternatively, you can create an image with this setting. + > This must be done within 15 minutes after Windows 10 or Windows 11 is installed. Alternatively, you can create an image with this setting. -or- 
@@ -1840,11 +1841,11 @@ You can turn off apps for websites, preventing customers who visit websites that Delivery Optimization is the downloader of Windows updates, Microsoft Store apps, Office and other content from Microsoft. Delivery Optimization can also download from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization Peer-to-Peer option turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. -By default, PCs running Windows 10 will only use Delivery Optimization to get and receive updates for PCs and apps on your local network. +By default, PCs running Windows 10 or Windows 11 will only use Delivery Optimization to get and receive updates for PCs and apps on your local network. Use the UI, Group Policy, or Registry Keys to set up Delivery Optimization. -In Windows 10 version 1607 and above you can stop network traffic related to Delivery Optimization Cloud Service by setting **Download Mode** to **Simple Mode** (99), as described below. +In Windows 10, version 1607 and above, and Windows 11 you can stop network traffic related to Delivery Optimization Cloud Service by setting **Download Mode** to **Simple Mode** (99), as described below. ### 28.1 Settings > Update & security 
@@ -1933,7 +1934,7 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre ### 30. Cloud Clipboard -Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access it. Clipboard items in the cloud can be downloaded and pasted across your Windows 10 devices. +Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access it. Clipboard items in the cloud can be downloaded and pasted across your Windows 10 and Windows 11 devices. Most restricted value is 0. diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md new file mode 100644 index 0000000000..718e6bdc07 --- /dev/null +++ b/windows/privacy/manage-windows-11-endpoints.md 
@@ -0,0 +1,159 @@
+---
+title: Connection endpoints for Windows 11 Enterprise
+description: Explains what Windows 11 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 11.
+keywords: privacy, manage connections to Microsoft, Windows 11
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+audience: ITPro
+author: gental-giant
+ms.author: v-hakima
+manager: robsize
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 10/04/2021
+---
+
+# Manage connection endpoints for Windows 11 Enterprise
+
+**Applies to**
+
+- Windows 11 Enterprise
+
+Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
+
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
+
+Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic.
+
+The following methodology was used to derive these network endpoints:
+
+1. Set up the latest version of Windows 11 on a test virtual machine using the default settings.
+2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
+6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
+8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+
+## Windows 11 Enterprise connection endpoints
+
+|Area|Description|Protocol|Destination|
+|----------------|----------|----------|------------|
+|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
+||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
+||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
+||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
+|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
+|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
+||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
+|||TLSv1.2/HTTPS/HTTP|fp.msedge.net|
+|||TLSv1.2|I-ring.msedge.net|
+|||HTTPS|s-ring.msedge.net|
+|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*|
+|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
+|||HTTP|dmd.metaservices.microsoft.com|
+|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+|||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com|
+||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com|
+|||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com|
+|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)|
+|||HTTPS|fs.microsoft.com|
+|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)|
+|||TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com|
+|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)|
+||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com|
+|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
+||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com|
+|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
+||This network traffic is related to the Microsoft Edge browser. The Microsoft Edge browser requires this endpoint to contact external websites.|HTTPS|iecvlist.microsoft.com|
+||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com|
+|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net|
+||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com|
+||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com|
+||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
+||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com|
+||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com|
+|||HTTPS|pti.store.microsoft.com|
+|||HTTP|share.microsoft.com|
+||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
+|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
+||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*|
+|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+|||HTTPS|www.office.com|
+|||HTTPS|blobs.officehome.msocdn.com|
+|||HTTPS|officehomeblobs.blob.core.windows.net|
+|||HTTPS|self.events.data.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
+|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)|
+|||TLSv1.2/HTTPS/HTTP|g.live.com|
+|||TLSv1.2/HTTPS/HTTP|oneclient.sfx.ms|
+|||HTTPS| logincdn.msauth.net|
+|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com|
+|||HTTPS|settings.data.microsoft.com|
+|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
+|||HTTPS/HTTP|*.pipe.aria.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
+|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+|||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
+|Microsoft Defender Antivirus|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
+|||HTTPS/TLSv1.2|wdcp.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com|
+|||HTTPS/HTTP|checkappexec.microsoft.com|
+|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
+|||TLSv1.2/HTTPS/HTTP|arc.msn.com|
+|||HTTPS|ris.api.iris.microsoft.com|
+|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
+|||TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
+|||HTTP|emdl.ws.microsoft.com|
+||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
+|||HTTP|*.windowsupdate.com|
+||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com|
+||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
+|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+|||HTTPS|dlassets-ssl.xboxlive.com|
+
+
+## Other Windows 10 editions
+
+To view endpoints for other versions of Windows 10 Enterprise, see:
+
+- [Manage connection endpoints for Windows 10, version 21H1](manage-windows-21H1-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+
+To view endpoints for non-Enterprise Windows 10 editions, see:
+
+- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md)
+- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md)
+- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
+- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
+- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
+- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
+- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
+
+## Related links
+
+- [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
+- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md
new file mode 100644
index 0000000000..427beac9b9
--- /dev/null
+++ b/windows/privacy/manage-windows-21H1-endpoints.md
@@ -0,0 +1,157 @@
+---
+title: Connection endpoints for Windows 10 Enterprise, version 21H1
+description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 21H1.
+keywords: privacy, manage connections to Microsoft, Windows 10
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+audience: ITPro
+author: gental-giant
+ms.author: v-hakima
+manager: robsize
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 10/04/2021
+---
+
+# Manage connection endpoints for Windows 10 Enterprise, version 21H1
+
+**Applies to**
+
+- Windows 10 Enterprise, version 21H1
+
+Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
+
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
+
+Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic.
+
+The following methodology was used to derive these network endpoints:
+
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. 
The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
+6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
+8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+## Windows 10 21H1 Enterprise connection endpoints
+
+|Area|Description|Protocol|Destination|
+|----------------|----------|----------|------------|
+|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
+||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
+||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
+||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. 
To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
+|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
+|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
+||The following endpoints are related to Cortana and Live Tiles. 
If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
+|||TLSv1.2/HTTPS/HTTP|fp.msedge.net|
+|||TLSv1.2|I-ring.msedge.net|
+|||HTTPS|s-ring.msedge.net|
+|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*|
+|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
+|||HTTP|dmd.metaservices.microsoft.com|
+|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
                  If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+|||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com|
+||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com|
+|||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com|
+|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)|
+|||HTTPS|fs.microsoft.com|
+|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)|
+|||TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com|
+|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)|
+||The following endpoints are used to check for updates to maps that have been downloaded for offline use. 
If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com|
+|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
+||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com|
+|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
+||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com|
+||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com|
+|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com|
+|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). 
If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net|
+||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com|
+||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com|
+||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
+||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com|
+||The following endpoints are used to communicate with Microsoft Store. 
If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com|
+|||HTTPS|pti.store.microsoft.com|
+|||HTTP|share.microsoft.com|
+||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
+|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
+||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*|
+|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+|||HTTPS|www.office.com|
+|||HTTPS|blobs.officehome.msocdn.com|
+|||HTTPS|officehomeblobs.blob.core.windows.net|
+|||HTTPS|self.events.data.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
+|OneDrive|The following endpoints are related to OneDrive. 
If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)|
+|||TLSv1.2/HTTPS/HTTP|g.live.com|
+|||TLSv1.2/HTTPS/HTTP|oneclient.sfx.ms|
+|||HTTPS| logincdn.msauth.net|
+|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com|
+|||HTTPS|settings.data.microsoft.com|
+|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. 
Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
+|||HTTPS/HTTP|*.pipe.aria.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
+|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+|||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
+|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
+|||HTTPS/TLSv1.2|wdcp.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com|
+|||HTTPS/HTTP|checkappexec.microsoft.com|
+|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. 
For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
+|||TLSv1.2/HTTPS/HTTP|arc.msn.com|
+|||HTTPS|ris.api.iris.microsoft.com|
+|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
+|||TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
+|||HTTP|emdl.ws.microsoft.com|
+||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
+|||HTTP|*.windowsupdate.com|
+||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. 
These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com|
+||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
+|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+|||HTTPS|dlassets-ssl.xboxlive.com|
+
+
+## Other Windows 10 editions
+
+To view endpoints for other versions of Windows 10 Enterprise, see:
+
+- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+
+To view endpoints for non-Enterprise Windows 10 editions, see:
+
+- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md)
+- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
+- [Windows 10, version 1903, connection endpoints for 
non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
+- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
+- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
+- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
+
+## Related links
+
+- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
+- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md
new file mode 100644
index 0000000000..c6578dcc77
--- /dev/null
+++ b/windows/privacy/manage-windows-21h2-endpoints.md
@@ -0,0 +1,157 @@
+---
+title: Connection endpoints for Windows 10 Enterprise, version 21H2
+description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 21H2.
+keywords: privacy, manage connections to Microsoft, Windows 10
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+audience: ITPro
+author: gental-giant
+ms.author: v-hakima
+manager: robsize
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 10/04/2021
+---
+
+# Manage connection endpoints for Windows 10 Enterprise, version 21H2
+
+**Applies to**
+
+- Windows 10 Enterprise, version 21H2
+
+Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
+
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
+
+Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic.
+
+The following methodology was used to derive these network endpoints:
+
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. 
The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. +7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. +8. These tests were conducted for one week, but if you capture traffic for longer you may have different results. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 21H2 Enterprise connection endpoints + +|Area|Description|Protocol|Destination| +|----------------|----------|----------|------------| +|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. 
To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| +|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| +||The following endpoints are related to Cortana and Live Tiles. 
If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| +|||TLSv1.2/HTTPS/HTTP|fp.msedge.net| +|||TLSv1.2|I-ring.msedge.net| +|||HTTPS|s-ring.msedge.net| +|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| +|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)| +|||HTTP|dmd.metaservices.microsoft.com| +|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
                  If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com| +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| +|||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com| +|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)| +|||HTTPS|fs.microsoft.com| +|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)| +|||TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com| +|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)| +||The following endpoints are used to check for updates to maps that have been downloaded for offline use. 
If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com| +|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)| +||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com| +|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)| +||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| +||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com| +|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). 
If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com| +||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store. 
If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTP|share.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)| +||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|||HTTPS|www.office.com| +|||HTTPS|blobs.officehome.msocdn.com| +|||HTTPS|officehomeblobs.blob.core.windows.net| +|||HTTPS|self.events.data.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|outlookmobile-office365-tas.msedge.net| +|OneDrive|The following endpoints are related to OneDrive. 
If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)| +|||TLSv1.2/HTTPS/HTTP|g.live.com| +|||TLSv1.2/HTTPS/HTTP|oneclient.sfx.ms| +|||HTTPS| logincdn.msauth.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com| +|||HTTPS|settings.data.microsoft.com| +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. 
Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +|||HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| +|||HTTPS/TLSv1.2|wdcp.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com| +|||HTTPS/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. 
For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)| +|||TLSv1.2/HTTPS/HTTP|arc.msn.com| +|||HTTPS|ris.api.iris.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| +|||TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||HTTP|emdl.ws.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +|||HTTP|*.windowsupdate.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. 
These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com|
+||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
+|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+|||HTTPS|dlassets-ssl.xboxlive.com|
+
+
+## Other Windows 10 editions
+
+To view endpoints for other versions of Windows 10 Enterprise, see:
+
+- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+
+To view endpoints for non-Enterprise Windows 10 editions, see:
+
+- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md)
+- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
+- [Windows 10, version 1903, connection endpoints for 
non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
+- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
+- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
+- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
+
+## Related links
+
+- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
+- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
new file mode 100644
index 0000000000..728704a57e
--- /dev/null
+++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
@@ -0,0 +1,8338 @@
+---
+description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
+title: Required Windows 11 diagnostic events and fields
+keywords: privacy, telemetry
+ms.prod: w11
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+ms.author: brianlic
+manager: dansimp
+ms.collection: M365-security-compliance
+ms.topic: article
+audience: ITPro
+ms.date: 10/04/2021
+---
+
+
+# Required Windows 11 diagnostic events and fields
+
+> [!IMPORTANT]
+> Windows is moving to classifying the data collected from customer’s devices as either Required or Optional.
+
+
+ **Applies to**
+
+- Windows 11
+
+
+Required diagnostic data gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store.
+
+Required diagnostic data helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
+
+Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data.
+
+You can learn more about Windows functional and diagnostic data through these articles:
+
+- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md)
+- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
+- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
+- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
+- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
+- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
+
+
+
+
+## AppPlatform events
+
+### AppPlatform.InstallActivity
+
+This event is required to track health of the install pipeline on the console. It tracks the install, the type of install, and the error codes hit during the install. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **BuildId** The unique identifier for this build.
+- **BuildVer** The build number for the set of binaries being installed.
+- **ClientAppId** Represents an optional identifier for the client application or service that initiated the install.
+- **ContentId** The Content ID of the package. Key for content updates.
+- **ContentType** The type of content being installed, mapped from XVD_CONTENT_TYPE.
+- **Cv** The correlation vector for this install or action. 
If this is the Cv to a specific action, the RelatedCv field will contain the Cv for the install.
+- **DestinationHardwareID** The hardware ID of the destination device, if it is external storage. Empty if not an external storage device.
+- **DestinationPath** The path to the destination we are installing to.
+- **DownloadSize** The size in bytes needed to download the package.
+- **ErrorText** Optional text describing any errors.
+- **InstallationActionId** The type of action ( 0 - Unknown, 1 - Install Started, 2 - Install Paused, 3 - Install Resumed, 4 - Installation Ready to Play, 5 - Change Source (Merged Install), 6 - Install Error, 7 - Install Complete, 8 - Install Aborted, 9 - Change Source (Auto Select), 10 - Change Source (Apply Update))
+- **InstallationErrorSource** The source of the error: 0 - None, 1 - Optical Drive, 2 - Network, 3 - Local, 4 - Destination, 5 - Licensing, 6 - Registration, 7 - Other
+- **InstallationSessionId** The unique Identifier for the installation session of this install. Goes from ‘Start’ to ‘End’ and all chunks/points in between.
+- **InstallationStageId** The stage of install ( 0 - Unknown, 1 - Package, 2 - Pls )
+- **InstallationStatus** HRESULT of the installation. Should be null except for the end or error events.
+- **InstallationTypeId** The type of install ( 0 - Unknown, 1 - Network, 2 - Disc, 3 - Hybrid, 4 - Update, 5 - Move, 6 - Copy ).
+- **OriginalStatus** The untransformed error code. The transformed, public value is stored in InstallationStatus.
+- **PackageSize** The size in bytes of the package.
+- **PackageSpecifiers** The map of Intelligent Delivery region specifiers present in the installing package.
+- **PlanId** The ID of the streaming plan being used to install the content.
+- **ProductId** The product ID of the application associated with this event.
+- **RelatedCv** The related correlation vector. 
This optional value contains the correlation vector for this install if the Cv value is representing an actiuon tracked by a correlation vector.
+- **RequestSpecifiers** The map of Intelligent Delivery region specifiers requested by the system/user/title as a part of the install activity.
+- **SourceHardwareID** The hardware ID of the source device, if it is external storage. Empty if not an external storage device.
+- **SourcePath** The source path we are installing from. May be a CDN (Content Delivery Network) or a local disk drive.
+- **TotalPercentComplete** The percent of install that is complete.
+- **XvddType** The type of the streaming operation as determined by the XVDD driver.
+
+
+## Appraiser events
+
+### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
+
+This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device.
+- **DatasourceApplicationFile_21H1** The total number of objects of this type present on this device.
+- **DatasourceApplicationFile_21H1Setup** The count of the number of this particular object type present on this device.
+- **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device.
+- **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device.
+- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_20H1Setup** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_21H1** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_21H1Setup** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device.
+- **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device.
+- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_20H1Setup** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_21H1** The total number of objects of this type present on this device.
+- **DatasourceDriverPackage_21H1Setup** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device.
+- **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_21H1** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_21H1** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device.
+- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_19H1Setup** The total number of objects of this type present on this device.
+- **DatasourceSystemBios_20H1Setup** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_21H1** The total number of objects of this type present on this device.
+- **DatasourceSystemBios_21H1Setup** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_RS2** The total number of objects of this type present on this device.
+- **DatasourceSystemBios_RS3** The total number of objects of this type present on this device.
+- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_21H1** The total number of objects of this type present on this device.
+- **DecisionApplicationFile_21H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_RS2** The total number of objects of this type present on this device.
+- **DecisionApplicationFile_RS3** The total number of objects of this type present on this device.
+- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_20H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_21H1** The total number of objects of this type present on this device.
+- **DecisionDevicePnp_21H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_RS2** The total number of objects of this type present on this device.
+- **DecisionDevicePnp_RS3** The total number of objects of this type present on this device.
+- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_20H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_21H1** The total number of objects of this type present on this device.
+- **DecisionDriverPackage_21H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_RS2** The total number of objects of this type present on this device.
+- **DecisionDriverPackage_RS3** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_21H1** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_21H1** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device.
+- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device.
+- **DecisionMediaCenter_21H1** The total number of objects of this type present on this device.
+- **DecisionMediaCenter_21H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionMediaCenter_RS2** The total number of objects of this type present on this device.
+- **DecisionMediaCenter_RS3** The total number of objects of this type present on this device.
+- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device.
+- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device.
+- **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device.
+- **DecisionSystemBios_21H1** The total number of objects of this type present on this device.
+- **DecisionSystemBios_21H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionSystemBios_RS2** The total number of objects of this type present on this device.
+- **DecisionSystemBios_RS3** The total number of objects of this type present on this device.
+- **DecisionTest_19H1** The total number of objects of this type present on this device.
+- **DecisionTest_21H1** The total number of objects of this type present on this device.
+- **DecisionTest_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionTest_RS2** The total number of objects of this type present on this device.
+- **DecisionTest_RS3** The total number of objects of this type present on this device.
+- **InventoryApplicationFile** The count of the number of this particular object type present on this device.
+- **InventoryLanguagePack** The count of the number of this particular object type present on this device.
+- **InventoryMediaCenter** The count of the number of this particular object type present on this device.
+- **InventorySystemBios** The count of the number of this particular object type present on this device.
+- **InventoryTest** The count of the number of this particular object type present on this device.
+- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device.
+- **PCFP** The count of the number of this particular object type present on this device.
+- **SystemMemory** The count of the number of this particular object type present on this device.
+- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device.
+- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device.
+- **SystemProcessorNx** The total number of objects of this type present on this device.
+- **SystemProcessorPrefetchW** The total number of objects of this type present on this device.
+- **SystemProcessorSse2** The total number of objects of this type present on this device.
+- **SystemTouch** The count of the number of this particular object type present on this device.
+- **SystemWim** The total number of objects of this type present on this device.
+- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device.
+- **SystemWlan** The total number of objects of this type present on this device.
+- **Wmdrm_19H1** The count of the number of this particular object type present on this device.
+- **Wmdrm_21H1** The total number of objects of this type present on this device.
+- **Wmdrm_21H1Setup** The count of the number of this particular object type present on this device.
+- **Wmdrm_RS2** The total number of objects of this type present on this device.
+- **Wmdrm_RS3** The total number of objects of this type present on this device.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd
+
+This event represents the basic metadata about specific application files installed on the system. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file that is generating the events.
+- **AvDisplayName** If the app is an anti-virus app, this is its display name.
+- **CompatModelIndex** The compatibility prediction for this file.
+- **HasCitData** Indicates whether the file is present in CIT data.
+- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file.
+- **IsAv** Is the file an anti-virus reporting EXE?
+- **ResolveAttempted** This will always be an empty string when sending diagnostic data.
+- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
+
+This event indicates that the DatasourceApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
+
+This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd
+
+This event sends compatibility data for a Plug and Play device, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **ActiveNetworkConnection** Indicates whether the device is an active network device.
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **IsBootCritical** Indicates whether the device boot is critical.
+- **SdbEntries** Deprecated in RS3.
+- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update.
+- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver.
+- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove
+
+This event indicates that the DatasourceDevicePnp object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
+
+This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd
+
+This event sends compatibility database data about driver packages to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **SdbEntries** Deprecated in RS3.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove
+
+This event indicates that the DatasourceDriverPackage object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
+
+This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
+
+This event sends blocking data about any compatibility blocking entries on the system that are not directly related to specific applications or devices, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **ResolveAttempted** This will always be an empty string when sending diagnostic data.
+- **SdbEntries** Deprecated in RS3.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
+
+This event indicates that the DataSourceMatchingInfoBlock object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
+
+This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events has completed being sent. This event is used to make compatibility decisions about files to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
+
+This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **SdbEntries** Deprecated in RS3.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
+
+This event indicates that the DataSourceMatchingInfoPassive object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. This event is used to make compatibility decisions about files to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
+
+This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **SdbEntries** Deprecated in RS3.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove
+
+This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
+
+This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
+
+This event sends compatibility database information about the BIOS to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **SdbEntries** Deprecated in RS3.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove
+
+This event indicates that the DatasourceSystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
+
+This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd
+
+This event sends compatibility decision data about a file to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file that is generating the events.
+- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS.
+- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question.
+- **DisplayGenericMessage** Will be a generic message be shown for this file?
+- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file.
+- **HardBlock** This file is blocked in the SDB.
+- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB?
+- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode?
+- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade?
+- **NeedsDismissAction** Will the file cause an action that can be dismissed?
+- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app.
+- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade?
+- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app.
+- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade.
+- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB,
+- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade.
+- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed.
+- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade.
+- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade.
+- **SoftBlock** The file is softblocked in the SDB and has a warning.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
+
+This event indicates that the DecisionApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
+
+This event indicates that a new set of DecisionApplicationFileAdd events will be sent. This event is used to make compatibility decisions about a file to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
+
+This event sends compatibility decision data about a Plug and Play (PNP) device to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked?
+- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate?
+- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked?
+- **BlockingDevice** Is this PNP device blocking upgrade?
+- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS?
+- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device?
+- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device?
+- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device.
+- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device?
+- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update?
+- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device?
+- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden?
+- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?
+- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
+- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
+- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
+
+This event Indicates that the DecisionDevicePnp object represented by the objectInstanceId is no longer present. This event is used to make compatibility decisions about PNP devices to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
+
+The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent and helps to keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd
+
+This event sends decision data about driver package compatibility to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package.
+- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
+- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block?
+- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block?
+- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade?
+- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
+
+This event indicates that the DecisionDriverPackage object represented by the objectInstanceId is no longer present. This event is used to make compatibility decisions about driver packages to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
+
+The DecisionDriverPackageStartSync event indicates that a new set of DecisionDriverPackageAdd events will be sent. This event is used to make compatibility decisions about driver packages to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
+
+This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks?
+- **DisplayGenericMessage** Will a generic message be shown for this block?
+- **NeedsDismissAction** Will the file cause an action that can be dismissed?
+- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block?
+- **SdbBlockUpgrade** Is a matching info block blocking upgrade?
+- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag?
+- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag?
+- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
+
+This event indicates that the DecisionMatchingInfoBlock object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
+
+This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
+
+This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks?
+- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks.
+- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove
+
+This event Indicates that the DecisionMatchingInfoPassive object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd
+
+This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app?
+- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade?
+- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app?
+- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade).
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove
+
+This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd
+
+This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center?
+- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true?
+- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use?
+- **MediaCenterInUse** Is Windows Media Center actively being used?
+- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition?
+- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove
+
+This event indicates that the DecisionMediaCenter object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
+
+This event indicates that a new set of DecisionMediaCenterAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSModeStateAdd
+
+This event sends true/false compatibility decision data about the S mode state. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Appraiser decision about eligibility to upgrade.
+- **HostOsSku** The SKU of the Host OS.
+- **LockdownMode** S mode lockdown mode.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSModeStateRemove
+
+This event indicates that the DecisionTpmVersion object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSModeStateStartSync
+
+The DecisionSModeStateStartSync event indicates that a new set of DecisionSModeStateAdd events will be sent. This event is used to make compatibility decisions about the S mode state. Microsoft uses this information to understand and address problems regarding the S mode state for computers receiving updates. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd
+
+This event sends compatibility decision data about the BIOS to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the device blocked from upgrade due to a BIOS block?
+- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios.
+- **HasBiosBlock** Does the device have a BIOS block?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove
+
+This event indicates that the DecisionSystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
+
+This event indicates that a new set of DecisionSystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemDiskSizeAdd
+
+This event indicates that this object type was added. This data refers to the Disk size in the device. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **Blocking** Appraiser decision during evaluation of hardware requirements during OS upgrade.
+- **TotalSize** Total disk size in Mb.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemDiskSizeRemove
+
+This event indicates that the DecisionSystemDiskSize object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemDiskSizeStartSync
+
+Start sync event for physical disk size data. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemMemoryAdd
+
+This event sends compatibility decision data about the system memory to help keep Windows up to date. Microsoft uses this information to understand and address problems regarding system memory for computers receiving updates.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **Blocking** Blocking information.
+- **ramKB** Memory information in KB.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemMemoryRemove
+
+This event indicates that the DecisionSystemMemory object represented by the objectInstanceId is no longer present.
The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemMemoryStartSync
+
+The DecisionSystemMemoryStartSync event indicates that a new set of DecisionSystemMemoryAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuCoresAdd
+
+This data attribute refers to the number of Cores a CPU supports. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **Blocking** The Appraisal decision about eligibility to upgrade.
+- **CpuCores** Number of CPU Cores.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuCoresRemove
+
+This event indicates that the DecisionSystemProcessorCpuCores object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuCoresStartSync
+
+This event signals the start of telemetry collection for CPU cores in Appraiser. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelAdd
+
+This event sends true/false compatibility decision data about the CPU. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **Armv81Support** Arm v8.1 Atomics support.
+- **Blocking** Appraiser decision about eligibility to upgrade.
+- **CpuFamily** Cpu family.
+- **CpuModel** Cpu model.
+- **CpuStepping** Cpu stepping.
+- **CpuVendor** Cpu vendor.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelRemove
+
+This event indicates that the DecisionSystemProcessorCpuModel object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelStartSync
+
+The DecisionSystemProcessorCpuModelStartSync event indicates that a new set of DecisionSystemProcessorCpuModelAdd events will be sent. This event is used to make compatibility decisions about the CPU.
Microsoft uses this information to understand and address problems regarding the CPU for computers receiving updates. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuSpeedAdd
+
+This event sends compatibility decision data about the CPU, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **Blocking** Appraiser OS eligibility decision.
+- **Mhz** CPU speed in MHz.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuSpeedRemove
+
+This event indicates that the DecisionSystemProcessorCpuSpeed object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuSpeedStartSync
+
+This event collects data for CPU speed in MHz. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionTestAdd
+
+This event provides diagnostic data for testing decision add events.
The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser binary generating the events.
+- **TestDecisionDataPoint1** Test data point 1.
+- **TestDecisionDataPoint2** Test data point 2.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionTestRemove
+
+This event provides data that allows testing of “Remove” decisions to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser binary (executable) generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionTestStartSync
+
+This event provides data that allows testing of “Start Sync” decisions to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser binary (executable) generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionTpmVersionAdd
+
+This event collects data about the Trusted Platform Module (TPM) in the device. TPM technology is designed to provide hardware-based, security-related functions. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **Blocking** Appraiser upgradeability decision based on the device's TPM support.
+- **TpmVersionInfo** The version of Trusted Platform Module (TPM) technology in the device.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionTpmVersionRemove
+
+This event indicates that the DecisionTpmVersion object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionTpmVersionStartSync
+
+The DecisionTpmVersionStartSync event indicates that a new set of DecisionTpmVersionAdd events will be sent. This event is used to make compatibility decisions about the TPM. Microsoft uses this information to understand and address problems regarding the TPM for computers receiving updates. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionUefiSecureBootAdd
+
+This event collects information about data on support and state of UEFI Secure boot. UEFI is a verification mechanism for ensuring that code launched by firmware is trusted. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **Blocking** Appraiser upgradeability decision when checking for UEFI support.
+- **SecureBootCapable** Is UEFI supported?
+- **SecureBootEnabled** Is UEFI enabled?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionUefiSecureBootRemove
+
+This event indicates that the DecisionUefiSecureBoot object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionUefiSecureBootStartSync
+
+Start sync event data for UEFI Secure boot. UEFI is a verification mechanism for ensuring that code launched by firmware is trusted. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.GatedRegChange
+
+This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date.
+
+The following fields are available:
+
+- **NewData** The data in the registry value after the scan completed.
+- **OldData** The previous data in the registry value before the scan ran.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **RegKey** The registry key name for which a result is being sent.
+- **RegValue** The registry value for which a result is being sent.
+- **Time** The client time of the event.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
+
+This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **AvDisplayName** If the app is an antivirus app, this is its display name.
+- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date.
+- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64.
+- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
+- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets.
+- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata.
+- **CompanyName** The company name of the vendor who developed this file.
+- **FileId** A hash that uniquely identifies a file.
+- **FileVersion** The File version field from the file metadata under Properties -> Details.
+- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file.
+- **IsAv** Indicates whether the file an antivirus reporting EXE.
+- **LinkDate** The date and time that this file was linked on.
+- **LowerCaseLongPath** The full file path to the file that was inventoried on the device.
+- **Name** The name of the file that was inventoried.
+- **ProductName** The Product name field from the file metadata under Properties -> Details.
+- **ProductVersion** The Product version field from the file metadata under Properties -> Details.
+- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it.
+- **Size** The size of the file (in hexadecimal bytes).
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
+
+This event indicates that the InventoryApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
+
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd
+
+This event sends data about the number of language packs installed on the system, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **HasLanguagePack** Indicates whether this device has 2 or more language packs.
+- **LanguagePackCount** The number of language packs are installed.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove
+
+This event indicates that the InventoryLanguagePack object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
+
+This event indicates that a new set of InventoryLanguagePackAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd
+
+This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **EverLaunched** Has Windows Media Center ever been launched?
+- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center?
+- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured?
+- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch?
+- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files?
+- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center?
+- **IsSupported** Does the running OS support Windows Media Center?
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove
+
+This event indicates that the InventoryMediaCenter object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
+
+This event indicates that a new set of InventoryMediaCenterAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
+
+This event sends basic metadata about the BIOS to determine whether it has a compatibility block. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **biosDate** The release date of the BIOS in UTC format.
+- **BiosDate** The release date of the BIOS in UTC format.
+- **biosName** The name field from Win32_BIOS.
+- **BiosName** The name field from Win32_BIOS.
+- **manufacturer** The manufacturer field from Win32_ComputerSystem.
+- **Manufacturer** The manufacturer field from Win32_ComputerSystem.
+- **model** The model field from Win32_ComputerSystem.
+- **Model** The model field from Win32_ComputerSystem.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove
+
+This event indicates that the InventorySystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
+
+This event indicates that a new set of InventorySystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser binary (executable) generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryTestAdd
+
+This event provides diagnostic data for testing event adds to help keep windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the component sending the data.
+- **TestInvDataPoint1** Test inventory data point 1.
+- **TestInvDataPoint2** Test inventory data point 2.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryTestRemove
+
+This event provides data that allows testing of “Remove” decisions to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser binary (executable) generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryTestStartSync
+
+This event provides data that allows testing of “Start Sync” decisions to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser binary (executable) generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
+
+This event runs only during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. It is critical in understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BootCritical** Is the driver package marked as boot critical?
+- **Build** The build value from the driver package.
+- **CatalogFile** The name of the catalog file within the driver package.
+- **Class** The device class from the driver package.
+- **ClassGuid** The device class unique ID from the driver package.
+- **Date** The date from the driver package.
+- **Inbox** Is the driver package of a driver that is included with Windows?
+- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU.
+- **Provider** The provider of the driver package.
+- **PublishedName** The name of the INF file after it was renamed.
+- **Revision** The revision of the driver package.
+- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2.
+- **VersionMajor** The major version of the driver package.
+- **VersionMinor** The minor version of the driver package.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
+
+This event indicates that the InventoryUplevelDriverPackage object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
+
+This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.RunContext
+
+This event is sent at the beginning of an appraiser run, the RunContext indicates what should be expected in the following data payload. This event is used with the other Appraiser events to make compatibility decisions to keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built.
+- **AppraiserProcess** The name of the process that launched Appraiser.
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan.
+- **Time** The client time of the event.
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryAdd
+
+This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the device from upgrade due to memory restrictions?
+- **MemoryRequirementViolated** Was a memory requirement violated?
+- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes).
+- **ram** The amount of memory on the device.
+- **ramKB** The amount of memory (in KB).
+- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes).
+- **virtualKB** The amount of virtual memory (in KB).
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryRemove
+
+This event that the SystemMemory object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
+
+This event indicates that a new set of SystemMemoryAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd
+
+This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **CompareExchange128Support** Does the CPU support CompareExchange128?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove
+
+This event indicates that the SystemProcessorCompareExchange object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
+
+This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
+
+This event sends data indicating whether the system supports the LAHF & SAHF CPU requirement, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **LahfSahfSupport** Does the CPU support LAHF/SAHF?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove
+
+This event indicates that the SystemProcessorLahfSahf object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
+
+This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
+
+This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support.
+- **NXProcessorSupport** Does the processor support NX?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove
+
+This event indicates that the SystemProcessorNx object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
+
+This event indicates that a new set of SystemProcessorNxAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
+
+This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **PrefetchWSupport** Does the processor support PrefetchW?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove
+
+This event indicates that the SystemProcessorPrefetchW object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
+
+This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add
+
+This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **SSE2ProcessorSupport** Does the processor support SSE2?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove
+
+This event indicates that the SystemProcessorSse2 object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
+
+This event indicates that a new set of SystemProcessorSse2Add events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchAdd
+
+This event sends data indicating whether the system supports touch, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer?
+- **MaximumTouches** The maximum number of touch points supported by the device hardware.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchRemove
+
+This event indicates that the SystemTouch object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchStartSync
+
+This event indicates that a new set of SystemTouchAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimAdd
+
+This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **IsWimBoot** Is the current operating system running from a compressed WIM file?
+- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimRemove
+
+This event indicates that the SystemWim object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimStartSync
+
+This event indicates that a new set of SystemWimAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd
+
+This event sends data indicating whether the current operating system is activated, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated.
+- **WindowsNotActivatedDecision** Is the current operating system activated?
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
+
+This event indicates that the SystemWindowsActivationStatus object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
+
+This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanAdd
+
+This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked because of an emulated WLAN driver?
+- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block?
+- **WlanEmulatedDriver** Does the device have an emulated WLAN driver?
+- **WlanExists** Does the device support WLAN at all?
+- **WlanModulePresent** Are any WLAN modules present?
+- **WlanNativeDriver** Does the device have a non-emulated WLAN driver?
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanRemove
+
+This event indicates that the SystemWlan object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanStartSync
+
+This event indicates that a new set of SystemWlanAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
+
+This event indicates the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built.
+- **AppraiserDataVersion** The version of the data files being used by the Appraiser diagnostic data run.
+- **AppraiserProcess** The name of the process that launched Appraiser.
+- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
+- **AuxFinal** Obsolete, always set to false.
+- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
+- **CountCustomSdbs** The number of custom Sdbs used by Appraiser.
+- **CustomSdbGuids** Guids of the custom Sdbs used by Appraiser; Semicolon delimited list.
+- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
+- **EnterpriseRun** Indicates whether the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
+- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
+- **InboxDataVersion** The original version of the data files before retrieving any newer version.
+- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated.
+- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
+- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
+- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
+- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime.
+- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
+- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
+- **RunResult** The hresult of the Appraiser diagnostic data run.
+- **ScheduledUploadDay** The day scheduled for the upload.
+- **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run.
+- **StoreHandleIsNotNull** Obsolete, always set to false
+- **TelementrySent** Indicates whether diagnostic data was successfully sent.
+- **ThrottlingUtc** Indicates whether the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability.
+- **Time** The client time of the event.
+- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
+- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmAdd
+
+This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BlockingApplication** Same as NeedsDismissAction.
+- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation.
+- **WmdrmApiResult** Raw value of the API used to gather DRM state.
+- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs.
+- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased.
+- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed.
+- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses.
+- **WmdrmPurchased** Indicates if the system has any files with permanent licenses.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmRemove
+
+This event indicates that the Wmdrm object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmStartSync
+
+The WmdrmStartSync event indicates that a new set of WmdrmAdd events will be sent. This event is used to understand the usage of older digital rights management on the system, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+## Census events
+
+### Census.App
+
+This event sends version data about the Apps running on this device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserTaskEnabled** Whether the Appraiser task is enabled.
+- **CensusVersion** The version of Census that generated the current data for this device.
+
+
+### Census.Azure
+
+This event returns data from Microsoft-internal Azure server machines (only from Microsoft-internal machines with Server SKUs). All other machines (those outside Microsoft and/or machines that are not part of the “Azure fleet”) return empty data sets. The data collected with this event is used to help keep Windows secure.
+
+The following fields are available:
+
+- **CloudCoreBuildEx** The Azure CloudCore build number.
+- **CloudCoreSupportBuildEx** The Azure CloudCore support build number.
+- **NodeID** The node identifier on the device that indicates whether the device is part of the Azure fleet.
+
+
+### Census.Battery
+
+This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **InternalBatteryCapablities** Represents information about what the battery is capable of doing.
+- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear.
+- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh.
+- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance.
+- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value.
+
+
+### Census.Enterprise
+
+This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. The data collected with this event is used to help keep Windows secure.
+
+The following fields are available:
+
+- **AADDeviceId** Azure Active Directory device ID.
+- **AzureOSIDPresent** Represents the field used to identify an Azure machine.
+- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
+- **CDJType** Represents the type of cloud domain joined for the machine.
+- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers.
+- **ContainerType** The type of container, such as process or virtual machine hosted.
+- **EnrollmentType** Defines the type of MDM enrollment on the device.
+- **HashedDomain** The hashed representation of the user domain used for login.
+- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false
+- **IsDERequirementMet** Represents if the device can do device encryption.
+- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption
+- **IsEDPEnabled** Represents if Enterprise data protected on the device.
+- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
+- **MDMServiceProvider** A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device.
+- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
+- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment.
+- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier
+
+
+### Census.Firmware
+
+This event sends data about the BIOS and startup embedded in the device. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS).
+- **FirmwareReleaseDate** Represents the date the current firmware was released.
+- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI.
+- **FirmwareVersion** Represents the version of the current firmware.
+
+
+### Census.Flighting
+
+This event sends Windows Insider data from customers participating in improvement testing and feedback programs. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **DeviceSampleRate** The telemetry sample rate assigned to the device.
+- **DriverTargetRing** Indicates if the device is participating in receiving pre-release drivers and firmware contrent.
+- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device.
+- **FlightIds** A list of the different Windows Insider builds on this device.
+- **FlightingBranchName** The name of the Windows Insider branch currently used by the device.
+- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program.
+- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device.
+- **SSRK** Retrieves the mobile targeting settings.
+
+
+### Census.Hardware
+
+This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ActiveMicCount** The number of active microphones attached to the device.
+- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36.
+- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields.
+- **D3DMaxFeatureLevel** Supported Direct3D version.
+- **DeviceForm** Indicates the form as per the device classification.
+- **DeviceName** The device name that is set by the user.
+- **DigitizerSupport** Is a digitizer supported?
+- **EnclosureKind** Windows.Devices.Enclosure.EnclosureKind enum values representing each unique enclosure posture kind.
+- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation).
+- **InventoryId** The device ID used for compatibility testing.
+- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass).
+- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.)
+- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device.
+- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date.
+- **OEMModelBaseBoard** The baseboard model used by the OEM.
+- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices.
+- **OEMModelNumber** The device model number.
+- **OEMModelSKU** The device edition that is defined by the manufacturer.
+- **OEMModelSystemFamily** The system family set on the device by an OEM.
+- **OEMModelSystemVersion** The system model version set on the device by the OEM.
+- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary.
+- **OEMSerialNumber** The serial number of the device that is set by the manufacturer.
+- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device.
+- **SoCName** The firmware manufacturer of the device.
+- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced.
+- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions.
+- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user.
+- **TPMManufacturerId** The ID of the TPM manufacturer.
+- **TPMManufacturerVersion** The version of the TPM manufacturer.
+- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0.
+- **VoiceSupported** Does the device have a cellular radio capable of making voice calls?
+
+
+### Census.Memory
+
+This event sends data about the memory on the device, including ROM and RAM. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **TotalPhysicalRAM** Represents the physical memory (in MB).
+- **TotalVisibleMemory** Represents the memory that is not reserved by the system.
+
+
+### Census.Network
+
+This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors). The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CellularModemHWInstanceId0** HardwareInstanceId of the embedded Mobile broadband modem, as reported and used by PnP system to identify the WWAN modem device in Windows system. Empty string (null string) indicates that this property is unknown for telemetry.
+- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone).
The two fields represent phone with dual sim coverage.
+- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
+- **ModemOptionalCapabilityBitMap0** A bit map of optional capabilities in modem, such as eSIM support.
+- **NetworkAdapterGUID** The GUID of the primary network adapter.
+- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage.
+- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage.
+- **SupportedDataClassBitMap0** A bit map of the supported data classes (i.g, 5g 4g...) that the modem is capable of.
+- **SupportedDataSubClassBitMap0** A bit map of data subclasses that the modem is capable of.
+
+
+### Census.OS
+
+This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine.
+- **AssignedAccessStatus** Kiosk configuration mode.
+- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled.
+- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy.
+- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time
+- **GenuineState** Retrieves the ID Value specifying the OS Genuine check.
+- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update).
+- **InstallLanguage** The first language installed on the user machine.
+- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode.
+- **IsEduData** Returns Boolean if the education data policy is enabled.
+- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go
+- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI.
+- **LanguagePacks** The list of language packages installed on the device.
+- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
+- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine.
+- **OSEdition** Retrieves the version of the current OS.
+- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
+- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
+- **OSSKU** Retrieves the Friendly Name of OS Edition.
+- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines.
+- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines.
+- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS.
+- **ProductActivationResult** Returns Boolean if the OS Activation was successful.
+- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues.
+- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key.
+- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability.
+- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy.
+- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy.
+- **ServiceProductKeyID** Retrieves the License key of the KMS
+- **SharedPCMode** Returns Boolean for education devices used as shared cart
+- **Signature** Retrieves if it is a signature machine sold by Microsoft store.
+- **SLICStatus** Whether a SLIC table exists on the device.
+- **SLICVersion** Returns OS type/version from SLIC table.
+
+
+### Census.PrivacySettings
+
+This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. The data collected with this event is used to help keep Windows secure.
+
+The following fields are available:
+
+- **Activity** Current state of the activity history setting.
+- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting.
+- **ActivityHistoryCollection** Current state of the activity history collection setting.
+- **AdvertisingId** Current state of the advertising ID setting.
+- **AppDiagnostics** Current state of the app diagnostics setting.
+- **Appointments** Current state of the calendar setting.
+- **Bluetooth** Current state of the Bluetooth capability setting.
+- **BluetoothSync** Current state of the Bluetooth sync capability setting.
+- **BroadFileSystemAccess** Current state of the broad file system access setting.
+- **CellularData** Current state of the cellular data capability setting.
+- **Chat** Current state of the chat setting.
+- **Contacts** Current state of the contacts setting.
+- **DocumentsLibrary** Current state of the documents library setting.
+- **Email** Current state of the email setting.
+- **FindMyDevice** Current state of the "find my device" setting.
+- **GazeInput** Current state of the gaze input setting.
+- **HumanInterfaceDevice** Current state of the human interface device setting.
+- **InkTypeImprovement** Current state of the improve inking and typing setting.
+- **Location** Current state of the location setting.
+- **LocationHistory** Current state of the location history setting.
+- **Microphone** Current state of the microphone setting.
+- **PhoneCall** Current state of the phone call setting.
+- **PhoneCallHistory** Current state of the call history setting.
+- **PicturesLibrary** Current state of the pictures library setting.
+- **Radios** Current state of the radios setting.
+- **SensorsCustom** Current state of the custom sensor setting.
+- **SerialCommunication** Current state of the serial communication setting.
+- **Sms** Current state of the text messaging setting.
+- **SpeechPersonalization** Current state of the speech services setting.
+- **USB** Current state of the USB setting.
+- **UserAccountInformation** Current state of the account information setting.
+- **UserDataTasks** Current state of the tasks setting.
+- **UserNotificationListener** Current state of the notifications setting.
+- **VideosLibrary** Current state of the videos library setting.
+- **Webcam** Current state of the camera setting.
+- **WifiData** Current state of the Wi-Fi data setting.
+- **WiFiDirect** Current state of the Wi-Fi direct setting.
+
+
+### Census.Processor
+
+This event sends data about the processor to help keep Windows up to date.
+
+The following fields are available:
+
+- **KvaShadow** This is the micro code information of the processor.
+- **MMSettingOverride** Microcode setting of the processor.
+- **MMSettingOverrideMask** Microcode setting override of the processor.
+- **PreviousUpdateRevision** Previous microcode revision
+- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system.
+- **ProcessorClockSpeed** Clock speed of the processor in MHz.
+- **ProcessorCores** Number of logical cores in the processor.
+- **ProcessorIdentifier** Processor Identifier of a manufacturer.
+- **ProcessorManufacturer** Name of the processor manufacturer.
+- **ProcessorModel** Name of the processor model.
+- **ProcessorPhysicalCores** Number of physical cores in the processor.
+- **ProcessorUpdateRevision** The microcode revision.
+- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status
+- **SocketCount** Count of CPU sockets.
+- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability.
+
+
+### Census.Security
+
+This event provides information about security settings. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard.
+- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running.
+- **DGState** This field summarizes the Device Guard state.
+- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running.
+- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest.
+- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host.
+- **IsWdagFeatureEnabled** Indicates whether Windows Defender Application Guard is enabled.
+- **NGCSecurityProperties** String representation of NGC security information.
+- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security.
+- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting.
+- **ShadowStack** The bit fields of SYSTEM_SHADOW_STACK_INFORMATION representing the state of the Intel CET (Control Enforcement Technology) hardware security feature.
+- **SModeState** The Windows S mode trail state.
+- **SystemGuardState** Indicates the SystemGuard state. NotCapable (0), Capable (1), Enabled (2), Error (0xFF).
+- **TpmReadyState** Indicates the TPM ready state. NotReady (0), ReadyForStorage (1), ReadyForAttestation (2), Error (0xFF).
+- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system.
Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running.
+- **WdagPolicyValue** The Windows Defender Application Guard policy.
+
+
+### Census.Speech
+
+This event is used to gather basic speech settings on the device. The data collected with this event is used to help keep Windows secure.
+
+The following fields are available:
+
+- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked.
+- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities.
+- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user.
+- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices.
+- **KeyVer** Version information for the census speech event.
+- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS).
+- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities.
+- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities.
+- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice.
+- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device.
+- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference.
+
+
+### Census.Storage
+
+This event sends data about the total capacity of the system volume and primary disk.
The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB.
+- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any).
+- **StorageReservePassedPolicy** Indicates whether the Storage Reserve policy, which ensures that updates have enough disk space and customers are on the latest OS, is enabled on this device.
+- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB.
+
+
+### Census.Userdefault
+
+This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CalendarType** The calendar identifiers that are used to specify different calendars.
+- **DefaultApp** The current user's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf.
+- **DefaultBrowserProgId** The ProgramId of the current user's default browser.
+- **LocaleName** Name of the current user locale given by LOCALE_SNAME via the GetLocaleInfoEx() function.
+- **LongDateFormat** The long date format the user has selected.
+- **ShortDateFormat** The short date format the user has selected.
+
+
+### Census.UserDisplay
+
+This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display.
+- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display.
+- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches .
+- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches
+- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine
+- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine.
+- **VRAMDedicated** Retrieves the video RAM in MB.
+- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card.
+- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use.
+
+
+### Census.UserNLS
+
+This event sends data about the default app language, input, and display language preferences set by the user. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **DefaultAppLanguage** The current user Default App Language.
+- **DisplayLanguage** The current user preferred Windows Display Language.
+- **HomeLocation** The current user location, which is populated using GetUserGeoId() function.
+- **KeyboardInputLanguages** The Keyboard input languages installed on the device.
+- **SpeechInputLanguages** The Speech Input languages installed on the device.
+
+
+### Census.UserPrivacySettings
+
+This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. The data collected with this event is used to help keep Windows secure.
+
+The following fields are available:
+
+- **Activity** Current state of the activity history setting.
+- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting.
+- **ActivityHistoryCollection** Current state of the activity history collection setting.
+- **AdvertisingId** Current state of the advertising ID setting.
+- **AppDiagnostics** Current state of the app diagnostics setting.
+- **Appointments** Current state of the calendar setting.
+- **Bluetooth** Current state of the Bluetooth capability setting.
+- **BluetoothSync** Current state of the Bluetooth sync capability setting.
+- **BroadFileSystemAccess** Current state of the broad file system access setting.
+- **CellularData** Current state of the cellular data capability setting.
+- **Chat** Current state of the chat setting.
+- **Contacts** Current state of the contacts setting.
+- **DocumentsLibrary** Current state of the documents library setting.
+- **Email** Current state of the email setting.
+- **GazeInput** Current state of the gaze input setting.
+- **HumanInterfaceDevice** Current state of the human interface device setting.
+- **InkTypeImprovement** Current state of the improve inking and typing setting.
+- **InkTypePersonalization** Current state of the inking and typing personalization setting.
+- **Location** Current state of the location setting.
+- **LocationHistory** Current state of the location history setting.
+- **Microphone** Current state of the microphone setting.
+- **PhoneCall** Current state of the phone call setting.
+- **PhoneCallHistory** Current state of the call history setting.
+- **PicturesLibrary** Current state of the pictures library setting.
+- **Radios** Current state of the radios setting.
+- **SensorsCustom** Current state of the custom sensor setting.
+- **SerialCommunication** Current state of the serial communication setting.
+- **Sms** Current state of the text messaging setting.
+- **SpeechPersonalization** Current state of the speech services setting.
+- **USB** Current state of the USB setting.
+- **UserAccountInformation** Current state of the account information setting.
+- **UserDataTasks** Current state of the tasks setting.
+- **UserNotificationListener** Current state of the notifications setting.
+- **VideosLibrary** Current state of the videos library setting.
+- **Webcam** Current state of the camera setting.
+- **WifiData** Current state of the Wi-Fi data setting.
+- **WiFiDirect** Current state of the Wi-Fi direct setting.
+
+
+### Census.VM
+
+This event sends data indicating whether virtualization is enabled on the device, and its various characteristics. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within.
+- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor.
+- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present.
+- **IsVDI** Is the device using Virtual Desktop Infrastructure?
+- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors.
+- **IsWVDSessionHost** Indicates if this is a Windows Virtual Device session host.
+- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
+- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware.
+- **VMId** A string that identifies a virtual machine.
+- **WVDEnvironment** Represents the WVD service environment to which this session host has been joined.
+
+
+### Census.WU
+
+This event sends data about the Windows update server and other App store policies. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading.
+- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled).
+- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured.
Default: [2] Not configured
+- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting
+- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades.
+- **IsHotPatchEnrolled** Represents the current state of the device in relation to enrollment in the hotpatch program.
+- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it?
+- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update?
+- **OSAssessmentForQualityUpdate** Is the device on the latest quality update?
+- **OSAssessmentForSecurityUpdate** Is the device on the latest security update?
+- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it?
+- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment.
+- **OSRollbackCount** The number of times feature updates have rolled back on the device.
+- **OSRolledBack** A flag that represents when a feature update has rolled back during setup.
+- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device .
+- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device.
+- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default.
+- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently.
+- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
+- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
+- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
+- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
+- **WULCUVersion** Version of the LCU Installed on the machine.
+- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
+- **WUPauseState** Retrieves WU setting to determine if updates are paused.
+- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
+
+
+### Census.Xbox
+
+This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date.
+
+The following fields are available:
+
+- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console.
+- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console.
+- **XboxLiveDeviceId** Retrieves the unique device ID of the console.
+- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft.
+
+
+## Cloud experience host events
+
+### Microsoft.Windows.Shell.CloudExperienceHost.AppActivityRequired
+
+This event is a WIL activity starting at the beginning of the Windows OOBE CloudExperienceHost scenario, and ending at the scenario completion. Its main purpose is to help detect blocking errors occurring during OOBE flow. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **appResult** The AppResult for the CXH OOBE scenario, e.g. "success" or "fail". This is logged on scenario completion, i.e. with the stop event.
+- **experience** A JSON blob containing properties pertinent for the CXH scenario launch, with PII removed. Examples: host, port, protocol, surface. Logged on the start event.
+- **source** The scenario for which CXH was launched.
Since this event is restricted to OOBE timeframe, this will be FRXINCLUSIVE or FRXOOBELITE. Logged with the start event.
+- **wilActivity** Common data logged with all Wil activities. See [wilActivity](#wilactivity).
+
+
+### Microsoft.Windows.Shell.CloudExperienceHost.ExpectedReboot
+
+This event fires during OOBE when an expected reboot occurs- for example, as a result of language change or autopilot. The event doesn't fire if the user forcibly initiates a reboot/shutdown. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **wilActivity** Common data logged with all Wil activities.
+
+
+## Code Integrity events
+
+### Microsoft.Windows.Security.CodeIntegrity.State.Current
+
+This event indicates the overall CodeIntegrity Policy state and count of policies, fired on reboot and when policy changes rebootlessly. The data collected with this event is used to help keep Windows secure.
+
+The following fields are available:
+
+- **EModeEnabled** Whether policy that defines "E Mode" is present and active on device.
+- **GlobalCiPolicyState** Bitfield containing global CodeIntegrity State (Audit Mode, etc.).
+- **PolicyCount** Number of CodeIntegrity policies present on device.
+
+
+### Microsoft.Windows.Security.CodeIntegrity.State.IsProductionConfiguration
+
+This event logs device production configuration status information. The data collected with this event is used to help keep Windows secure.
+
+The following fields are available:
+
+- **ErrorCode** Error code returned by WldpIsProductionConfiguration API.
+- **FailedConfigurationChecks** Bits indicating list of configuration checks that the device failed.
+- **RequiredConfigurationChecks** Bits indicating list of configuration checks that are required to run for the device.
+- **WldpIsWcosProductionConfiguration** Boolean value indicating whether the device is properly configured for production or not.
+
+
+### Microsoft.Windows.Security.CodeIntegrity.State.PolicyDetails
+
+This individual policy state event fires once per policy on reboot and whenever any policy change occurs rebootlessly. The data collected with this event is used to help keep Windows secure.
+
+The following fields are available:
+
+- **BasePolicyId** ID of the base policy this policy supplements if this is a supplemental. Same as PolicyID if this is a base policy.
+- **IsBasePolicy** True if this is a base policy.
+- **IsLegacyPolicy** True if this policy is one of the legacy policy types (WinSiPolicy/AtpSiPolicy/SiPolicy.p7b), as opposed to being the new multiple policy format (guid.cip).
+- **PolicyAllowKernelSigners** Whether Secureboot allows custom kernel signers for the policy's SignatureType.
+- **PolicyCount** Total number of policies.
+- **PolicyHVCIOptions** HVCI related bitfield.
+- **PolicyId** ID of this policy.
+- **PolicyIndex** Index of this policy in total number of policies.
+- **PolicyInfoId** String ID defined in policy securesettings.
+- **PolicyInfoName** String policy name defined in securesettings.
+- **PolicyOptions** Bitfield of RuleOptions defined in policy.
+- **PolicyVersionEx** Policy version # used for rollback protection of signed policy.
+- **SignatureType** Enum containing info about policy signer if one is present (e.g. windows signed).
+
+
+## Common data extensions
+
+### Common Data Extensions.app
+
+Describes the properties of the running application. This extension could be populated by a client app or a web app.
+
+The following fields are available:
+
+- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session.
+- **env** The environment from which the event was logged.
+- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event.
+- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
+- **locale** The locale of the app.
+- **name** The name of the app.
+- **userId** The userID as known by the application.
+- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app.
+
+
+### Common Data Extensions.container
+
+Describes the properties of the container for events logged within a container.
+
+The following fields are available:
+
+- **epoch** An ID that's incremented for each SDK initialization.
+- **localId** The device ID as known by the client.
+- **osVer** The operating system version.
+- **seq** An ID that's incremented for each event.
+- **type** The container type. Examples: Process or VMHost
+
+
+### Common Data Extensions.device
+
+Describes the device-related fields.
+
+The following fields are available:
+
+- **deviceClass** The device classification. For example, Desktop, Server, or Mobile.
+- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
+- **make** Device manufacturer.
+- **model** Device model.
+
+
+### Common Data Extensions.Envelope
+
+Represents an envelope that contains all of the common data extensions.
+
+The following fields are available:
+
+- **data** Represents the optional unique diagnostic data for a particular event schema.
+- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp).
+- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer).
+- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice).
+- **ext_mscv** Describes the correlation vector-related fields. See [Common Data Extensions.mscv](#common-data-extensionsmscv).
+- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos).
+- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk).
+- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser).
+- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc).
+- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl).
+- **iKey** Represents an ID for applications or other logical groupings of events.
+- **name** Represents the uniquely qualified name for the event.
+- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format.
+- **ver** Represents the major and minor version of the extension.
+
+
+### Common Data Extensions.mscv
+
+Describes the correlation vector-related fields.
+
+The following fields are available:
+
+- **cV** Represents the Correlation Vector: A single field for tracking partial order of related events across component boundaries.
+
+
+### Common Data Extensions.os
+
+Describes some properties of the operating system.
+
+The following fields are available:
+
+- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot.
+- **expId** Represents the experiment ID.
The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema.
+- **locale** Represents the locale of the operating system.
+- **name** Represents the operating system name.
+- **ver** Represents the major and minor version of the extension.
+
+
+### Common Data Extensions.sdk
+
+Used by platform specific libraries to record fields that are required for a specific SDK.
+
+The following fields are available:
+
+- **epoch** An ID that is incremented for each SDK initialization.
+- **installId** An ID that's created during the initialization of the SDK for the first time.
+- **libVer** The SDK version.
+- **seq** An ID that is incremented for each event.
+- **ver** The version of the logging SDK.
+
+
+### Common Data Extensions.user
+
+Describes the fields related to a user.
+
+The following fields are available:
+
+- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token.
+- **locale** The language and region.
+- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID.
+
+
+### Common Data Extensions.utc
+
+Describes the properties that could be populated by a logging library on Windows.
+
+The following fields are available:
+
+- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW.
+- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number
+- **cat** Represents a bitmask of the ETW Keywords associated with the event.
+- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer.
+- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **eventFlags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
+- **flags** Represents the bitmap that captures various Windows specific flags.
+- **loggingBinary** The binary (executable, library, driver, etc.) that fired the event.
+- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence
+- **op** Represents the ETW Op Code.
+- **pgName** The short form of the provider group name associated with the event.
+- **popSample** Represents the effective sample rate for this event at the time it was generated by a client.
+- **providerGuid** The ETW provider ID associated with the provider name.
+- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
+- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **sqmId** The Windows SQM (Software Quality Metrics—a precursor of Windows 10 Diagnostic Data collection) device identifier.
+- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID.
+- **wcmp** The Windows Shell Composer ID.
+- **wPId** The Windows Core OS product ID.
+- **wsId** The Windows Core OS session ID.
+
+
+### Common Data Extensions.xbl
+
+Describes the fields that are related to XBOX Live.
+
+The following fields are available:
+
+- **claims** Any additional claims whose short claim name hasn't been added to this structure.
+- **did** XBOX device ID
+- **dty** XBOX device type
+- **dvr** The version of the operating system on the device.
+- **eid** A unique ID that represents the developer entity.
+- **exp** Expiration time
+- **ip** The IP address of the client device.
+- **nbf** Not before time
+- **pid** A comma separated list of PUIDs listed as base10 numbers.
+- **sbx** XBOX sandbox identifier
+- **sid** The service instance ID.
+- **sty** The service type.
+- **tid** The XBOX Live title ID.
+- **tvr** The XBOX Live title version.
+- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
+- **xid** A list of base10-encoded XBOX User IDs.
+
+## Common data fields
+
+### Ms.Device.DeviceInventoryChange
+
+Describes the installation state for all hardware and software components available on a particular device.
+
+The following fields are available:
+
+- **action** The change that was invoked on a device inventory object.
+- **inventoryId** Device ID used for Compatibility testing
+- **objectInstanceId** Object identity which is unique within the device scope.
+- **objectType** Indicates the object type that the event applies to.
+- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
+
+## Component-based servicing events
+
+### CbsServicingProvider.CbsCapabilityEnumeration
+
+This event reports on the results of scanning for optional Windows content on Windows Update to keep Windows up to date.
+
+The following fields are available:
+
+- **architecture** Indicates the scan was limited to the specified architecture.
+- **capabilityCount** The number of optional content packages found during the scan.
+- **clientId** The name of the application requesting the optional content.
+- **duration** The amount of time it took to complete the scan.
+- **hrStatus** The HReturn code of the scan.
+- **language** Indicates the scan was limited to the specified language.
+- **majorVersion** Indicates the scan was limited to the specified major version.
+- **minorVersion** Indicates the scan was limited to the specified minor version.
+- **namespace** Indicates the scan was limited to packages in the specified namespace.
+- **sourceFilter** A bitmask indicating the scan checked for locally available optional content.
+- **stackBuild** The build number of the servicing stack.
+- **stackMajorVersion** The major version number of the servicing stack.
+- **stackMinorVersion** The minor version number of the servicing stack.
+- **stackRevision** The revision number of the servicing stack.
+
+
+### CbsServicingProvider.CbsCapabilitySessionFinalize
+
+This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **capabilities** The names of the optional content packages that were installed.
+- **clientId** The name of the application requesting the optional content.
+- **currentID** The ID of the current install session.
+- **downloadSource** The source of the download.
+- **highestState** The highest final install state of the optional content.
+- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version.
+- **hrStatus** The HReturn code of the install operation.
+- **rebootCount** The number of reboots required to complete the install.
+- **retryID** The session ID that will be used to retry a failed operation.
+- **retryStatus** Indicates whether the install will be retried in the event of failure.
+- **stackBuild** The build number of the servicing stack.
+- **stackMajorVersion** The major version number of the servicing stack.
+- **stackMinorVersion** The minor version number of the servicing stack.
+- **stackRevision** The revision number of the servicing stack.
+
+
+### CbsServicingProvider.CbsCapabilitySessionPended
+
+This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date.
+
+The following fields are available:
+
+- **clientId** The name of the application requesting the optional content.
+- **pendingDecision** Indicates the cause of reboot, if applicable.
+
+
+### CbsServicingProvider.CbsPackageRemoval
+
+This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date.
+
+The following fields are available:
+
+- **buildVersion** The build number of the security update being uninstalled.
+- **clientId** The name of the application requesting the uninstall.
+- **currentStateEnd** The final state of the update after the operation.
+- **failureDetails** Information about the cause of a failure, if applicable.
+- **failureSourceEnd** The stage during the uninstall where the failure occurred.
+- **hrStatusEnd** The overall exit code of the operation.
+- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image.
+- **majorVersion** The major version number of the security update being uninstalled.
+- **minorVersion** The minor version number of the security update being uninstalled.
+- **originalState** The starting state of the update before the operation.
+- **pendingDecision** Indicates the cause of reboot, if applicable.
+- **primitiveExecutionContext** The state during system startup when the uninstall was completed.
+- **revisionVersion** The revision number of the security update being uninstalled.
+- **transactionCanceled** Indicates whether the uninstall was cancelled.
+
+
+### CbsServicingProvider.CbsQualityUpdateInstall
+
+This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date.
+
+The following fields are available:
+
+- **buildVersion** The build version number of the update package.
+- **clientId** The name of the application requesting the optional content.
+- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device.
+- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure.
+- **currentStateEnd** The final state of the package after the operation has completed.
+- **doqTimeSeconds** The time in seconds spent updating drivers.
+- **executeTimeSeconds** The number of seconds required to execute the install.
+- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred.
+- **hrStatusEnd** The return code of the install operation.
+- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file.
+- **majorVersion** The major version number of the update package.
+- **minorVersion** The minor version number of the update package.
+- **originalState** The starting state of the package.
+- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation.
+- **planTimeSeconds** The time in seconds required to plan the update operations.
+- **poqTimeSeconds** The time in seconds processing file and registry operations.
+- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update.
+- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot.
+- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed.
+- **rebootCount** The number of reboots required to install the update.
+- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update.
+- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update.
+- **revisionVersion** The revision version number of the update package.
+- **rptTimeSeconds** The time in seconds spent executing installer plugins.
+- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update.
+- **stackRevision** The revision number of the servicing stack.
+- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update.
+
+
+### CbsServicingProvider.CbsSelectableUpdateChangeV2
+
+This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date.
+
+The following fields are available:
+
+- **applicableUpdateState** Indicates the highest applicable state of the optional content.
+- **buildVersion** The build version of the package being installed.
+- **clientId** The name of the application requesting the optional content change.
+- **downloadSource** Indicates if optional content was obtained from Windows Update or a locally accessible file.
+- **downloadtimeInSeconds** Indicates if optional content was obtained from Windows Update or a locally accessible file.
+- **executionID** A unique ID used to identify events associated with a single servicing operation and not reused for future operations.
+- **executionSequence** A counter that tracks the number of servicing operations attempted on the device.
+- **firstMergedExecutionSequence** The value of a pervious executionSequence counter that is being merged with the current operation, if applicable.
+- **firstMergedID** A unique ID of a pervious servicing operation that is being merged with this operation, if applicable.
+- **hrDownloadResult** The return code of the download operation.
+- **hrStatusUpdate** The return code of the servicing operation.
+- **identityHash** A pseudonymized (hashed) identifier for the Windows Package that is being installed or uninstalled.
+- **initiatedOffline** Indicates whether the operation was performed against an offline Windows image file or a running instance of Windows.
+- **majorVersion** The major version of the package being installed.
+- **minorVersion** The minor version of the package being installed.
+- **packageArchitecture** The architecture of the package being installed.
+- **packageLanguage** The language of the package being installed.
+- **packageName** The name of the package being installed.
+- **rebootRequired** Indicates whether a reboot is required to complete the operation.
+- **revisionVersion** The revision number of the package being installed.
+- **stackBuild** The build number of the servicing stack binary performing the installation.
+- **stackMajorVersion** The major version number of the servicing stack binary performing the installation.
+- **stackMinorVersion** The minor version number of the servicing stack binary performing the installation.
+- **stackRevision** The revision number of the servicing stack binary performing the installation.
+- **updateName** The name of the optional Windows Operation System feature being enabled or disabled.
+- **updateStartState** A value indicating the state of the optional content before the operation started.
+- **updateTargetState** A value indicating the desired state of the optional content.
+
+
+### CbsServicingProvider.CbsUpdateDeferred
+
+This event reports the results of deferring Windows Content to keep Windows up to date.
+
+
+
+### Microsoft.Windows.CbsLite.CbsLiteFinalizeCommit
+
+The event reports basic information about the end of the last phase of updates. The data collected with this event is used to keep windows up to date.
+
+The following fields are available:
+
+- **bootAvailable** Indicates if storage pool version supports Oneshot Boot functionality.
+- **cbsLiteSessionID** An ID to associate other cbs events related to this update session.
+- **duration** The number of milliseconds taken to complete the operation.
+- **result** The return code of the operation.
+
+
+### Microsoft.Windows.CbsLite.CbsLiteUpdateReserve
+
+This event updates the size of the update reserve on WCOS devices. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **cbsLiteSessionID** The ID of the CBS Lite Session.
+- **CurrentReserveCapacityBytes** Indicates the size of the reserve before the change.
+- **NewReserveCapacityBytes** Indicates the new size of the reserve.
+- **ReserveId** The ID of the reserve changed.
+- **Result** The return code for the operation.
+
+
+## Deployment events
+
+### Microsoft.Windows.Deployment.Imaging.AppExit
+
+This event is sent on imaging application exit. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **hr** HResult returned from app exit.
+- **totalTimeInMs** Total time taken in Ms.
+
+
+### Microsoft.Windows.Deployment.Imaging.AppInvoked
+
+This event is sent when the app for image creation is invoked. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **branch** Corresponding branch for the image.
+- **isInDbg** Whether the app is in debug mode or not.
+- **isWSK** Whether the app is building images using WSK or not.
+
+
+### Microsoft.Windows.Deployment.Imaging.Failed
+
+This failure event is sent when imaging fails. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **cs** Line that failed.
+- **ec** Execution status.
+- **hr** HResult returned.
+- **msg** Message returned.
+- **stack** Stack information.
+
+
+### Microsoft.Windows.Deployment.Imaging.ImagingCompleted
+
+This event is sent when imaging is done. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **appExecTimeInMs** Execution time in milliseconds.
+- **buildInfo** Information of the build.
+- **compDbPrepTimeInMs** Preparation time in milliseconds for the CompDBs.
+- **executeUpdateTimeInMs** Update execution time in milliseconds.
+- **fileStageTimeInMs** File staging time in milliseconds.
+- **hr** HResult returned from imaging.
+- **imgSizeInMB** Image size in MB.
+- **mutexWaitTimeInMs** Mutex wait time in milliseconds.
+- **prepareUpdateTimeInMs** Update preparation time in milliseconds.
+- **totalRunTimeInMs** Total running time in milliseconds.
+- **updateOsTimeInMs** Time in milliseconds spent in update OS.
+
+
+### Microsoft.Windows.Deployment.Imaging.ImagingStarted
+
+This event is sent when an imaging session starts. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **arch** Architecture of the image.
+- **device** Device type for which the image is built.
+- **imgFormat** Format of the image.
+- **imgSkip** Parameter for skipping certain image types when building.
+- **imgType** The type of image being built.
+- **lang** Language of the image being built.
+- **prod** Image product type.
+
+
+## Diagnostic data events
+
+### TelClientSynthetic.AbnormalShutdown_0
+
+This event sends data about boot IDs for which a normal clean shutdown was not observed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **AbnormalShutdownBootId** BootId of the abnormal shutdown being reported by this event.
+- **AbsCausedbyAutoChk** This flag is set when AutoCheck forces a device restart to indicate that the shutdown was not an abnormal shutdown.
+- **AcDcStateAtLastShutdown** Identifies if the device was on battery or plugged in.
+- **BatteryLevelAtLastShutdown** The last recorded battery level.
+- **BatteryPercentageAtLastShutdown** The battery percentage at the last shutdown.
+- **CrashDumpEnabled** Are crash dumps enabled?
+- **CumulativeCrashCount** Cumulative count of operating system crashes since the BootId reset.
+- **CurrentBootId** BootId at the time the abnormal shutdown event was being reported.
+- **Firmwaredata->ResetReasonEmbeddedController** The reset reason that was supplied by the firmware.
+- **Firmwaredata->ResetReasonEmbeddedControllerAdditional** Additional data related to reset reason provided by the firmware.
+- **Firmwaredata->ResetReasonPch** The reset reason that was supplied by the hardware.
+- **Firmwaredata->ResetReasonPchAdditional** Additional data related to the reset reason supplied by the hardware.
+- **Firmwaredata->ResetReasonSupplied** Indicates whether the firmware supplied any reset reason or not.
+- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType.
+- **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset.
+- **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not.
+- **InvalidBootStat** This is a sanity check flag that ensures the validity of the bootstat file.
+- **LastBugCheckBootId** bootId of the last captured crash.
+- **LastBugCheckCode** Code that indicates the type of error.
+- **LastBugCheckContextFlags** Additional crash dump settings.
+- **LastBugCheckOriginalDumpType** The type of crash dump the system intended to save.
+- **LastBugCheckOtherSettings** Other crash dump settings.
+- **LastBugCheckParameter1** The first parameter with additional info on the type of the error.
+- **LastBugCheckProgress** Progress towards writing out the last crash dump.
+- **LastBugCheckVersion** The version of the information struct written during the crash.
+- **LastSuccessfullyShutdownBootId** BootId of the last fully successful shutdown.
+- **LongPowerButtonPressDetected** Identifies if the user was pressing and holding power button.
+- **LongPowerButtonPressInstanceGuid** The Instance GUID for the user state of pressing and holding the power button.
+- **OOBEInProgress** Identifies if OOBE is running.
+- **OSSetupInProgress** Identifies if the operating system setup is running.
+- **PowerButtonCumulativePressCount** How many times has the power button been pressed?
+- **PowerButtonCumulativeReleaseCount** How many times has the power button been released?
+- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record power button metrics.
+- **PowerButtonLastPressBootId** BootId of the last time the power button was pressed.
+- **PowerButtonLastPressTime** Date and time of the last time the power button was pressed.
+- **PowerButtonLastReleaseBootId** BootId of the last time the power button was released.
+- **PowerButtonLastReleaseTime** Date and time of the last time the power button was released.
+- **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed.
+- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the power button was pressed.
+- **PowerButtonPressLastPowerWatchdogStage** Progress while the monitor is being turned on.
+- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press.
+- **ShutdownDeviceType** Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API.
+- **SleepCheckpoint** Provides the last checkpoint when there is a failure during a sleep transition.
+- **SleepCheckpointSource** Indicates whether the source is the EFI variable or bootstat file.
+- **SleepCheckpointStatus** Indicates whether the checkpoint information is valid.
+- **StaleBootStatData** Identifies if the data from bootstat is stale.
+- **TransitionInfoBootId** BootId of the captured transition info.
+- **TransitionInfoCSCount** l number of times the system transitioned from Connected Standby mode.
+- **TransitionInfoCSEntryReason** Indicates the reason the device last entered Connected Standby mode.
+- **TransitionInfoCSExitReason** Indicates the reason the device last exited Connected Standby mode.
+- **TransitionInfoCSInProgress** At the time the last marker was saved, the system was in or entering Connected Standby mode.
+- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp,
+- **TransitionInfoLastReferenceTimestamp** The date and time that the marker was last saved.
+- **TransitionInfoLidState** Describes the state of the laptop lid.
+- **TransitionInfoPowerButtonTimestamp** The date and time of the last time the power button was pressed.
+- **TransitionInfoSleepInProgress** At the time the last marker was saved, the system was in or entering sleep mode.
+- **TransitionInfoSleepTranstionsToOn** Total number of times the device transitioned from sleep mode.
+- **TransitionInfoSystemRunning** At the time the last marker was saved, the device was running.
+- **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed.
+- **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed.
+- **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition.
+- **TransitionLatestCheckpointSeqNumber** Represents the chronological sequence number of the checkpoint.
+- **TransitionLatestCheckpointType** Represents the type of the checkpoint, which can be the start of a phase, end of a phase, or just informational.
+- **VirtualMachineId** If the operating system is on a virtual Machine, it gives the virtual Machine ID (GUID) that can be used to correlate events on the host.
+
+
+### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
+
+This event is fired by UTC at state transitions to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise.
+- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise.
+- **CanCollectClearUserIds** True if we are allowed to collect clear user IDs, false if we can only collect omitted IDs.
+- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise.
+- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise.
+- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise.
+- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise.
+- **CanIncludeDeviceNameInDiagnosticData** True if we are allowed to add the device name to diagnostic data, false otherwise.
+- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise.
+- **CanPerformSiufEscalations** True if we can perform SIUF escalation collection, false otherwise.
+- **CanReportScenarios** True if we can report scenario completions, false otherwise.
+- **CanReportUifEscalations** True if we can report UIF escalation, false otherwise.
+- **CanUseAuthenticatedProxy** True if we can use authenticated proxy, false otherwise.
+- **IsProcessorMode** True if it is Processor Mode, false otherwise.
+- **PreviousPermissions** Bitmask of previous telemetry state.
+- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise.
+
+
+### TelClientSynthetic.AuthorizationInfo_Startup
+
+This event is fired by UTC at startup to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise.
+- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise.
+- **CanCollectClearUserIds** True if we are allowed to collect clear user IDs, false if we can only collect omitted IDs.
+- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise.
+- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise.
+- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise.
+- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise.
+- **CanIncludeDeviceNameInDiagnosticData** True if we are allowed to add the device name to diagnostic data, false otherwise.
+- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise.
+- **CanPerformSiufEscalations** True if we can perform System Initiated User Feedback escalation collection, false otherwise.
+- **CanReportScenarios** True if we can report scenario completions, false otherwise.
+- **CanReportUifEscalations** True if we can perform User Initiated Feedback escalation collection, false otherwise.
+- **CanUseAuthenticatedProxy** True if we can use an authenticated proxy to send data, false otherwise.
+- **IsProcessorMode** True if it is Processor Mode, false otherwise.
+- **PreviousPermissions** Bitmask of previous telemetry state.
+- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise.
+
+
+### TelClientSynthetic.ConnectivityHeartBeat_0
+
+This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network.
+
+The following fields are available:
+
+- **CensusExitCode** Returns last execution codes from census client run.
+- **CensusStartTime** Returns timestamp corresponding to last successful census run.
+- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine.
+- **LastConnectivityLossTime** The FILETIME at which the last free network loss occurred.
+- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network.
+- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds.
+- **RestrictedNetworkTime** The total number of seconds with restricted network during this heartbeat period.
+
+
+### TelClientSynthetic.HeartBeat_5
+
+This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
+
+The following fields are available:
+
+- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel.
+- **CensusExitCode** The last exit code of the Census task.
+- **CensusStartTime** Time of last Census run.
+- **CensusTaskEnabled** True if Census is enabled, false otherwise.
+- **CompressedBytesUploaded** Number of compressed bytes uploaded.
+- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client.
+- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer.
+- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling.
+- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB.
+- **DbCriticalDroppedCount** Total number of dropped critical events in event DB.
+- **DbDroppedCount** Number of events dropped due to DB fullness.
+- **DbDroppedFailureCount** Number of events dropped due to DB failures.
+- **DbDroppedFullCount** Number of events dropped due to DB fullness.
+- **DecodingDroppedCount** Number of events dropped due to decoding failures.
+- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated.
+- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session.
+- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client.
+- **EventsPersistedCount** Number of events that reached the PersistEvent stage.
+- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC.
+- **EventStoreResetCounter** Number of times event DB was reset.
+- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance.
+- **EventsUploaded** Number of events uploaded.
+- **Flags** Flags indicating device state such as network state, battery state, and opt-in state.
+- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full.
+- **HeartBeatSequenceNumber** The sequence number of this heartbeat.
+- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex.
+- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel.
+- **LastEventSizeOffender** Event name of last event which exceeded max event size.
+- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex.
+- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe.
+- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC.
+- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events).
+- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags.
+- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer.
+- **SettingsHttpAttempts** Number of attempts to contact OneSettings service.
+- **SettingsHttpFailures** The number of failures from contacting the OneSettings service.
+- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers.
+- **TopUploaderErrors** List of top errors received from the upload endpoint.
+- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client.
+- **UploaderErrorCount** Number of errors received from the upload endpoint.
+- **VortexFailuresTimeout** The number of timeout failures received from Vortex.
+- **VortexHttpAttempts** Number of attempts to contact Vortex.
+- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex.
+- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex.
+- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400.
+- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event.
+
+
+### TelClientSynthetic.PrivacyGuardReport
+
+Reports that the Connected User Experiences and Telemetry service encountered an event that may contain privacy data. The event contains information needed to identify and study the source event that triggered the report. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **EventEpoch** The epoch in which the source event that triggered the report was fired.
+- **EventName** The name of the source event that triggered the report.
+- **EventSeq** The sequence number of the source event that triggered the report.
+- **FieldName** The field of interest in the source event that triggered the report.
+- **IsAllowedToSend** True if the field of interest was sent unmodified in the source event that triggered the report, false if the field of interest was anonymized.
+- **IsDebug** True if the event was logged in a debug build of Windows.
+- **TelemetryApi** The application programming interface used to log the source event that triggered the report. Current values for this field can be "etw" or "rpc".
+- **TypeAsText** The type of issue detected in the source event that triggered the report. Current values for this field can be "UserName" or "DeviceName".
+
+
+## DISM events
+
+### Microsoft.Windows.StartRepairCore.DISMLatestInstalledLCU
+
+The DISM Latest Installed LCU sends information to report result of search for latest installed LCU after last successful boot. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **dismInstalledLCUPackageName** The name of the latest installed package.
+
+
+### Microsoft.Windows.StartRepairCore.DISMPendingInstall
+
+The DISM Pending Install event sends information to report pending package installation found. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **dismPendingInstallPackageName** The name of the pending package.
+
+
+### Microsoft.Windows.StartRepairCore.DISMRevertPendingActions
+
+The DISM Pending Install event sends information to report pending package installation found. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **errorCode** The result code returned by the event.
+
+
+### Microsoft.Windows.StartRepairCore.DISMUninstallLCU
+
+The DISM Uninstall LCU sends information to report result of uninstall attempt for found LCU. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **errorCode** The result code returned by the event.
+
+
+### Microsoft.Windows.StartRepairCore.SRTRepairActionEnd
+
+The SRT Repair Action End event sends information to report repair operation ended for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **errorCode** The result code returned by the event.
+- **failedUninstallCount** The number of driver updates that failed to uninstall.
+- **failedUninstallFlightIds** The Flight IDs (identifiers of beta releases) of driver updates that failed to uninstall.
+- **foundDriverUpdateCount** The number of found driver updates.
+- **srtRepairAction** The scenario name for a repair.
+- **successfulUninstallCount** The number of successfully uninstalled driver updates.
+- **successfulUninstallFlightIds** The Flight IDs (identifiers of beta releases) of successfully uninstalled driver updates.
+
+
+### Microsoft.Windows.StartRepairCore.SRTRepairActionStart
+
+The SRT Repair Action Start event sends information to report repair operation started for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **srtRepairAction** The scenario name for a repair.
+
+
+### Microsoft.Windows.StartRepairCore.SRTRootCauseDiagEnd
+
+The SRT Root Cause Diagnosis End event sends information to report diagnosis operation completed for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **errorCode** The result code returned by the event.
+- **flightIds** The Flight IDs (identifier of the beta release) of found driver updates.
+- **foundDriverUpdateCount** The number of found driver updates.
+- **srtRootCauseDiag** The scenario name for a diagnosis event.
+
+
+### Microsoft.Windows.StartRepairCore.SRTRootCauseDiagStart
+
+The SRT Root Cause Diagnosis Start event sends information to report diagnosis operation started for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **srtRootCauseDiag** The scenario name for a diagnosis event.
+
+
+## Driver installation events
+
+### Microsoft.Windows.DriverInstall.DeviceInstall
+
+This critical event sends information about the driver installation that took place. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **ClassGuid** The unique ID for the device class.
+- **ClassLowerFilters** The list of lower filter class drivers.
+- **ClassUpperFilters** The list of upper filter class drivers.
+- **CoInstallers** The list of coinstallers.
+- **ConfigFlags** The device configuration flags.
+- **DeviceConfigured** Indicates whether this device was configured through the kernel configuration.
+- **DeviceInstalled** Indicates whether the legacy install code path was used.
+- **DeviceInstanceId** The unique identifier of the device in the system.
+- **DeviceStack** The device stack of the driver being installed.
+- **DriverDate** The date of the driver.
+- **DriverDescription** A description of the driver function.
+- **DriverInfName** Name of the INF file (the setup information file) for the driver.
+- **DriverInfSectionName** Name of the DDInstall section within the driver INF file.
+- **DriverPackageId** The ID of the driver package that is staged to the driver store.
+- **DriverProvider** The driver manufacturer or provider.
+- **DriverUpdated** Indicates whether the driver is replacing an old driver.
+- **DriverVersion** The version of the driver file.
+- **EndTime** The time the installation completed.
+- **Error** Provides the WIN32 error code for the installation.
+- **ExtensionDrivers** List of extension drivers that complement this installation.
+- **FinishInstallAction** Indicates whether the co-installer invoked the finish-install action.
+- **FinishInstallUI** Indicates whether the installation process shows the user interface.
+- **FirmwareDate** The firmware date that will be stored in the EFI System Resource Table (ESRT).
+- **FirmwareRevision** The firmware revision that will be stored in the EFI System Resource Table (ESRT).
+- **FirmwareVersion** The firmware version that will be stored in the EFI System Resource Table (ESRT).
+- **FirstHardwareId** The ID in the hardware ID list that provides the most specific device description.
+- **FlightIds** A list of the different Windows Insider builds on the device.
+- **GenericDriver** Indicates whether the driver is a generic driver.
+- **Inbox** Indicates whether the driver package is included with Windows.
+- **InstallDate** The date the driver was installed.
+- **LastCompatibleId** The ID in the hardware ID list that provides the least specific device description.
+- **LastInstallFunction** The last install function invoked in a co-installer if the install timeout was reached while a co-installer was executing.
+- **LegacyInstallReasonError** The error code for the legacy installation.
+- **LowerFilters** The list of lower filter drivers.
+- **MatchingDeviceId** The hardware ID or compatible ID that Windows used to install the device instance.
+- **NeedReboot** Indicates whether the driver requires a reboot.
+- **OriginalDriverInfName** The original name of the INF file before it was renamed.
+- **ParentDeviceInstanceId** The device instance ID of the parent of the device.
+- **PendedUntilReboot** Indicates whether the installation is pending until the device is rebooted.
+- **Problem** Error code returned by the device after installation.
+- **ProblemStatus** The status of the device after the driver installation.
+- **RebootRequiredReason** DWORD (Double Word—32-bit unsigned integer) containing the reason why the device required a reboot during install.
+- **SecondaryDevice** Indicates whether the device is a secondary device.
+- **ServiceName** The service name of the driver.
+- **SessionGuid** GUID (Globally Unique IDentifier) for the update session.
+- **SetupMode** Indicates whether the driver installation took place before the Out Of Box Experience (OOBE) was completed.
+- **StartTime** The time when the installation started.
+- **SubmissionId** The driver submission identifier assigned by the Windows Hardware Development Center.
+- **UpperFilters** The list of upper filter drivers.
+
+
+### Microsoft.Windows.DriverInstall.NewDevInstallDeviceEnd
+
+This event sends data about the driver installation once it is completed. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **DeviceInstanceId** The unique identifier of the device in the system.
+- **DriverUpdated** Indicates whether the driver was updated.
+- **Error** The Win32 error code of the installation.
+- **FlightId** The ID of the Windows Insider build the device received.
+- **InstallDate** The date the driver was installed.
+- **InstallFlags** The driver installation flags.
+- **OptionalData** Metadata specific to WU (Windows Update) associated with the driver (flight IDs, recovery IDs, etc.)
+- **RebootRequired** Indicates whether a reboot is required after the installation.
+- **RollbackPossible** Indicates whether this driver can be rolled back.
+
+
+### Microsoft.Windows.DriverInstall.NewDevInstallDeviceStart
+
+This event sends data about the driver that the new driver installation is replacing. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **DeviceInstanceId** The unique identifier of the device in the system.
+- **FirstInstallDate** The first time a driver was installed on this device.
+- **InstallFlags** Flag indicating how driver setup was called.
+- **LastDriverDate** Date of the driver that is being replaced.
+- **LastDriverInbox** Indicates whether the previous driver was included with Windows.
+- **LastDriverInfName** Name of the INF file (the setup information file) of the driver being replaced.
+- **LastDriverPackageId** ID of the driver package installed on the device before the current install operation began. ID contains the name + architecture + hash.
+- **LastDriverVersion** The version of the driver that is being replaced.
+- **LastFirmwareDate** The date of the last firmware reported from the EFI System Resource Table (ESRT).
+- **LastFirmwareRevision** The last firmware revision number reported from EFI System Resource Table (ESRT).
+- **LastFirmwareVersion** The last firmware version reported from the EFI System Resource Table (ESRT).
+- **LastInstallDate** The date a driver was last installed on this device.
+- **LastMatchingDeviceId** The hardware ID or compatible ID that Windows last used to install the device instance.
+- **LastProblem** The previous problem code that was set on the device.
+- **LastProblemStatus** The previous problem code that was set on the device.
+- **LastSubmissionId** The driver submission identifier of the driver that is being replaced.
+
+
+## DxgKernelTelemetry events
+
+### DxgKrnlTelemetry.GPUAdapterInventoryV2
+
+This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
+
+The following fields are available:
+
+- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter.
+- **aiSeqId** The event sequence ID.
+- **bootId** The system boot ID.
+- **BrightnessVersionViaDDI** The version of the Display Brightness Interface.
+- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload.
+- **DDIInterfaceVersion** The device driver interface version.
+- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes).
+- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes).
+- **Display1UMDFilePath** The file path to the location of the Display User Mode Driver in the Driver Store.
+- **DisplayAdapterLuid** The display adapter LUID.
+- **DriverDate** The date of the display driver.
+- **DriverRank** The rank of the display driver.
+- **DriverVersion** The display driver version.
+- **DriverWorkarounds** Numeric value indicating the driver workarounds that are enabled for this device.
+- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store.
+- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store.
+- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store.
+- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store.
+- **GPUDeviceID** The GPU device ID.
+- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload.
+- **GPURevisionID** The GPU revision ID.
+- **GPUVendorID** The GPU vendor ID.
+- **HwFlipQueueSupportState** Numeric value indicating the adapter's support for hardware flip queues.
+- **HwSchSupportState** Numeric value indicating the adapter's support for hardware scheduling.
+- **IddPairedRenderAdapterLuid** Identifier for the render adapter paired with this display adapter.
+- **InterfaceFuncPointersProvided1** Number of device driver interface function pointers provided.
+- **InterfaceFuncPointersProvided2** Number of device driver interface function pointers provided.
+- **InterfaceFuncPointersProvided3** Number of device driver interface function pointers provided.
+- **InterfaceId** The GPU interface ID.
+- **IsDisplayDevice** Does the GPU have displaying capabilities?
+- **IsHwFlipQueueEnabled** Boolean value indicating whether hardware flip queues are enabled.
+- **IsHwSchEnabled** Boolean value indicating whether hardware scheduling is enabled.
+- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device?
+- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device?
+- **IsLDA** Is the GPU comprised of Linked Display Adapters?
+- **IsMiracastSupported** Does the GPU support Miracast?
+- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor?
+- **IsMPOSupported** Does the GPU support Multi-Plane Overlays?
+- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution?
+- **IsPostAdapter** Is this GPU the POST GPU in the device?
+- **IsRemovable** TRUE if the adapter supports being disabled or removed.
+- **IsRenderDevice** Does the GPU have rendering capabilities?
+- **IsSoftwareDevice** Is this a software implementation of the GPU?
+- **IsVirtualRefreshRateSupported** Boolean value indicating whether the adapter supports virtual refresh rates.
+- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store.
+- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES?
+- **NumNonVidPnTargets** Number of display targets.
+- **NumVidPnSources** The number of supported display output sources.
+- **NumVidPnTargets** The number of supported display output targets.
+- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes).
+- **SubSystemID** The subsystem ID.
+- **SubVendorID** The GPU sub vendor ID.
+- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
+- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling)
+- **version** The event version.
+- **WDDMVersion** The Windows Display Driver Model version.
+
+
+## Fault Reporting events
+
+### Microsoft.Windows.FaultReporting.AppCrashEvent
+
+This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information.
The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event.
+
+The following fields are available:
+
+- **AppName** The name of the app that has crashed.
+- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend.
+- **AppTimeStamp** The date/time stamp of the app.
+- **AppVersion** The version of the app that has crashed.
+- **ExceptionCode** The exception code returned by the process that has crashed.
+- **ExceptionOffset** The address where the exception had occurred.
+- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting.
+- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name.
+- **IsFatal** True/False to indicate whether the crash resulted in process termination.
+- **ModName** Exception module name (e.g. bar.dll).
+- **ModTimeStamp** The date/time stamp of the module.
+- **ModVersion** The version of the module that has crashed.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime** The time of creation of the process that has crashed.
+- **ProcessId** The ID of the process that has crashed.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported
+- **TargetAsId** The sequence number for the hanging process.
+
+
+## Feature quality events
+
+### Microsoft.Windows.FeatureQuality.Heartbeat
+
+This event indicates the feature status heartbeat. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **Features** Array of features.
+
+
+### Microsoft.Windows.FeatureQuality.StateChange
+
+This event indicates the change of feature state. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **flightId** Flight id.
+- **state** New state.
+
+
+### Microsoft.Windows.FeatureQuality.Status
+
+This event indicates the feature status. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **featureId** Feature id.
+- **flightId** Flight id.
+- **time** Time of status change.
+- **variantId** Variant id.
+
+
+## Feature update events
+
+### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed
+
+This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues preventing customers from reverting to a known state. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **failureReason** Provides data about the uninstall initialization operation failure.
+- **hr** Provides the Win32 error code for the operation failure.
+
+
+### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered
+
+This event indicates that the uninstall was properly configured and that a system reboot was initiated. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+
+
+## Hang Reporting events
+
+### Microsoft.Windows.HangReporting.AppHangEvent
+
+This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
+
+The following fields are available:
+
+- **AppName** The name of the app that has hung.
+- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend.
+- **AppVersion** The version of the app that has hung.
+- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime** The time of creation of the process that has hung.
+- **ProcessId** The ID of the process that has hung.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported.
+- **TargetAsId** The sequence number for the hanging process.
+- **TypeCode** Bitmap describing the hang type.
+- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application.
+- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
+- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
+- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package.
+
+
+## Holographic events
+
+### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicDeviceAdded
+
+This event indicates Windows Mixed Reality device state. This event is also used to count WMR device. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **ClassGuid** Windows Mixed Reality device class GUID.
+- **DeviceInterfaceId** Windows Mixed Reality device interface ID.
+- **DriverVersion** Windows Mixed Reality device driver version.
+- **FirmwareVersion** Windows Mixed Reality firmware version.
+- **Manufacturer** Windows Mixed Reality device manufacturer.
+- **ModelName** Windows Mixed Reality device model name.
+- **SerialNumber** Windows Mixed Reality device serial number.
+
+
+### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicDeviceRemoved
+
+This event indicates Windows Mixed Reality device state. The data collected with this event is used to keep Windows and Windows Mixed Reality performing properly.
+
+The following fields are available:
+
+- **DeviceInterfaceId** Device Interface ID.
+
+
+### Microsoft.Windows.Holographic.Coordinator.HoloShellStateUpdated
+
+This event indicates Windows Mixed Reality HoloShell State. This event is also used to count WMR device. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **HmdState** Windows Mixed Reality Headset HMD state.
+- **NewHoloShellState** Windows Mixed Reality HoloShell state.
+- **PriorHoloShellState** Windows Mixed Reality state prior to entering to HoloShell.
+- **SimulationEnabled** Windows Mixed Reality Simulation state.
+
+
+### Microsoft.Windows.Shell.HolographicFirstRun.AppActivated
+
+This event indicates Windows Mixed Reality Portal app activation state. This event also used to count WMR device. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **IsDemoMode** Windows Mixed Reality Portal app state of demo mode.
+- **IsDeviceSetupComplete** Windows Mixed Reality Portal app state of device setup completion.
+- **PackageVersion** Windows Mixed Reality Portal app package version.
+- **PreviousExecutionState** Windows Mixed Reality Portal app prior execution state.
+- **wilActivity** Windows Mixed Reality Portal app wilActivity ID. See [wilActivity](#wilactivity).
+
+
+### Microsoft.Windows.Shell.HolographicFirstRun.AppLifecycleService_Resuming
+
+This event indicates Windows Mixed Reality Portal app resuming. This event is also used to count WMR device. The data collected with this event is used to keep Windows performing properly.
+
+
+
+### Microsoft.Windows.Shell.HolographicFirstRun.SomethingWentWrong
+
+This event is emitted when something went wrong error occurs. The data collected with this event is used to keep Windows and Windows Mixed Reality performing properly.
+
+The following fields are available:
+
+- **ErrorSource** Source of error, obsoleted always 0.
+- **StartupContext** Start up state.
+- **StatusCode** Error status code.
+- **SubstatusCode** Error sub status code.
+
+
+### TraceLoggingHoloLensSensorsProvider.OnDeviceAdd
+
+This event provides Windows Mixed Reality device state with new process that hosts the driver. The data collected with this event is used to keep Windows and Windows Mixed Reality performing properly.
+
+The following fields are available:
+
+- **Process** Process ID.
+- **Thread** Thread ID.
+
+
+### TraceLoggingOasisUsbHostApiProvider.DeviceInformation
+
+This event provides Windows Mixed Reality device information. This event is also used to count WMR device and device type. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **BootloaderMajorVer** Windows Mixed Reality device boot loader major version.
+- **BootloaderMinorVer** Windows Mixed Reality device boot loader minor version.
+- **BootloaderRevisionNumber** Windows Mixed Reality device boot loader revision number.
+- **BTHFWMajorVer** Windows Mixed Reality device BTHFW major version. This event also used to count WMR device.
+- **BTHFWMinorVer** Windows Mixed Reality device BTHFW minor version. This event also used to count WMR device.
+- **BTHFWRevisionNumber** Windows Mixed Reality device BTHFW revision number.
+- **CalibrationBlobSize** Windows Mixed Reality device calibration blob size.
+- **CalibrationFwMajorVer** Windows Mixed Reality device calibration firmware major version.
+- **CalibrationFwMinorVer** Windows Mixed Reality device calibration firmware minor version.
+- **CalibrationFwRevNum** Windows Mixed Reality device calibration firmware revision number.
+- **DeviceInfoFlags** Windows Mixed Reality device info flags.
+- **DeviceName** Windows Mixed Reality device Name. This event is also used to count WMR device.
+- **DeviceReleaseNumber** Windows Mixed Reality device release number.
+- **FirmwareMajorVer** Windows Mixed Reality device firmware major version.
+- **FirmwareMinorVer** Windows Mixed Reality device firmware minor version.
+- **FirmwareRevisionNumber** Windows Mixed Reality device calibration firmware revision number.
+- **FpgaFwMajorVer** Windows Mixed Reality device FPGA firmware major version.
+- **FpgaFwMinorVer** Windows Mixed Reality device FPGA firmware minor version.
+- **FpgaFwRevisionNumber** Windows Mixed Reality device FPGA firmware revision number.
+- **FriendlyName** Windows Mixed Reality device friendly name.
+- **HashedSerialNumber** Windows Mixed Reality device hashed serial number.
+- **HeaderSize** Windows Mixed Reality device header size.
+- **HeaderVersion** Windows Mixed Reality device header version.
+- **LicenseKey** Windows Mixed Reality device header license key.
+- **Make** Windows Mixed Reality device make.
+- **ManufacturingDate** Windows Mixed Reality device manufacturing date.
+- **Model** Windows Mixed Reality device model.
+- **PresenceSensorHidVendorPage** Windows Mixed Reality device presence sensor HID vendor page.
+- **PresenceSensorHidVendorUsage** Windows Mixed Reality device presence sensor HID vendor usage.
+- **PresenceSensorUsbVid** Windows Mixed Reality device presence sensor USB VId.
+- **ProductBoardRevision** Windows Mixed Reality device product board revision number.
+- **SerialNumber** Windows Mixed Reality device serial number.
+
+
+## Inventory events
+
+### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
+
+This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **DriverPackageExtended** A count of driverpackageextended objects in cache.
+- **InventoryApplication** A count of application objects in cache.
+- **InventoryApplicationDriver** A count of application driver objects in cache
+- **InventoryApplicationFramework** A count of application framework objects in cache
+- **InventoryDeviceContainer** A count of device container objects in cache.
+- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache.
+- **InventoryDeviceMediaClass** A count of device media objects in cache.
+- **InventoryDevicePnp** A count of device Plug and Play objects in cache.
+- **InventoryDeviceUsbHubClass** A count of device usb objects in cache
+- **InventoryDriverBinary** A count of driver binary objects in cache.
+- **InventoryDriverPackage** A count of device objects in cache.
+- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache
+- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache
+- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache
+- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache
+- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache
+- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache
+- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache
+- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryAcpiPhatHealthRecordAdd
+
+This event sends basic metadata about ACPI PHAT Health Record structure on the machine. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AmHealthy** Indicates if the is device healthy. 0 - Errors found. 1 - No errors. 2 - Unknown. 3 - Advisory.
+- **DevicePathSubtype** The device path subtype associated with the record producer.
+- **DevicePathType** The device path type associated with the record producer.
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryAcpiPhatHealthRecordStartSync
+
+This event indicates a new set of InventoryAcpiPhatHealthRecord events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryAcpiPhatVersionElementAdd
+
+This event sends basic metadata for ACPI PHAT Version Element structure. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **ProducerId** The ACPI vendor ID.
+- **VersionValue** The 64 bit component version value.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryAcpiPhatVersionElementStartSync
+
+This event indicates that a new set of InventoryAcpiPhatVersionElement events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
+
+This event sends basic metadata about an application on the system. The data collected with this event is used to keep Windows performing properly and up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **HiddenArp** Indicates whether a program hides itself from showing up in ARP.
+- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics).
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Language** The language code of the program.
+- **LattePackageId** The ID of the Latte package.
+- **MsiInstallDate** The install date recorded in the program's MSI package.
+- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage.
+- **MsiProductCode** A GUID that describe the MSI Product.
+- **Name** The name of the application.
+- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install.
+- **PackageFullName** The package full name for a Store application.
+- **ProgramInstanceId** A hash of the file IDs in an app.
+- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field.
+- **RootDirPath** The path to the root directory where the program was installed.
+- **Source** How the program was installed (for example, ARP, MSI, Appx).
+- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp.
+- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown").
Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen.
+- **Version** The version number of the program.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
+
+This event provides the basic metadata about the frameworks an application may depend on. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **FileId** A hash that uniquely identifies a file.
+- **Frameworks** The list of frameworks this file depends on.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
+
+This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
+
+This event indicates that a new set of InventoryApplicationAdd events will be sent.
The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
+
+This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device). The data collected with this event is used to help keep Windows up to date and to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Categories** A comma separated list of functional categories in which the container belongs.
+- **DiscoveryMethod** The discovery method for the device container.
+- **FriendlyName** The name of the device container.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **IsActive** Is the device connected, or has it been seen in the last 14 days?
+- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link.
+- **IsMachineContainer** Is the container the root device itself?
+- **IsNetworked** Is this a networked device?
+- **IsPaired** Does the device container require pairing?
+- **Manufacturer** The manufacturer name for the device container.
+- **ModelId** A unique model ID.
+- **ModelName** The model name.
+- **ModelNumber** The model number for the device container.
+- **PrimaryCategory** The primary category for the device container.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
+
+This event indicates that the InventoryDeviceContainer object is no longer present. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
+
+This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
+
+This event retrieves information about what sensor interfaces are available on the device. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Accelerometer3D** Indicates if an Accelerator3D sensor is found.
+- **ActivityDetection** Indicates if an Activity Detection sensor is found.
+- **AmbientLight** Indicates if an Ambient Light sensor is found.
+- **Barometer** Indicates if a Barometer sensor is found.
+- **Custom** Indicates if a Custom sensor is found.
+- **EnergyMeter** Indicates if an Energy sensor is found.
+- **FloorElevation** Indicates if a Floor Elevation sensor is found.
+- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found.
+- **GravityVector** Indicates if a Gravity Detector sensor is found.
+- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found.
+- **Humidity** Indicates if a Humidity sensor is found.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found.
+- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found.
+- **Orientation** Indicates if an Orientation sensor is found.
+- **Pedometer** Indicates if a Pedometer sensor is found.
+- **Proximity** Indicates if a Proximity sensor is found.
+- **RelativeOrientation** Indicates if a Relative Orientation sensor is found.
+- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found.
+- **Temperature** Indicates if a Temperature sensor is found.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
+
+This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
+
+This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices. The data collected with this event is used to help keep Windows up to date and performing properly while reducing overall size of data payload.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Audio_CaptureDriver** The Audio device capture driver endpoint.
+- **Audio_RenderDriver** The Audio device render driver endpoint.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
+
+This event indicates that the InventoryDeviceMediaClass object represented by the objectInstanceId is no longer present. This event is used to understand a PNP device that is specific to a particular class of devices.
The data collected with this event is used to help keep Windows up to date and performing properly while reducing overall size of data payload.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
+
+This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
+
+This event sends basic metadata about a PNP device and its associated driver to help keep Windows up to date. This information is used to assess if the PNP device and driver will remain compatible when upgrading Windows.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **BusReportedDescription** The description of the device reported by the bux.
+- **Class** The device setup class of the driver loaded for the device.
+- **ClassGuid** The device class GUID from the driver package
+- **COMPID** The device setup class guid of the driver loaded for the device.
+- **ContainerId** The list of compat ids for the device.
+- **Description** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer.
+- **DeviceInterfaceClasses** The device interfaces that this device implements.
+- **DeviceState** The device description.
+- **DriverId** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present
+- **DriverName** A unique identifier for the driver installed.
+- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage
+- **DriverVerDate** Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
+- **DriverVerVersion** The immediate parent directory name in the Directory field of InventoryDriverPackage.
+- **Enumerator** The date of the driver loaded for the device.
+- **ExtendedInfs** The extended INF file names.
+- **FirstInstallDate** The first time this device was installed on the machine.
+- **HWID** The version of the driver loaded for the device.
+- **Inf** The bus that enumerated the device.
+- **InstallDate** The date of the most recent installation of the device on the machine.
+- **InstallState** The device installation state. For a list of values, see [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx).
+- **InventoryVersion** List of hardware ids for the device.
+- **LowerClassFilters** Lower filter class drivers IDs installed for the device
+- **LowerFilters** The identifiers of the Lower filters installed for the device.
+- **Manufacturer** The manufacturer of the device.
+- **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance.
+- **Model** Identifies the model of the device.
+- **ParentId** The Device Instance ID of the parent of the device.
+- **ProblemCode** The error code currently returned by the device, if applicable.
+- **Provider** Identifies the device provider.
+- **Service** The name of the device service.
+- **STACKID** The list of hardware IDs for the stack.
+- **UpperClassFilters** The identifiers of the Upper Class filters installed for the device.
+- **UpperFilters** The identifiers of the Upper filters installed for the device.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
+
+This event indicates that the InventoryDevicePnpRemove object is no longer present. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceSensorAdd
+
+This event sends basic metadata about sensor devices on a machine. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **Manufacturer** Sensor manufacturer.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceSensorRemove
+
+This event is used to indicate a sensor has been removed from a machine. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceSensorStartSync
+
+This event indicates that a new set of InventoryDeviceSensor events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
+
+This event sends basic metadata about the USB hubs on the device. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+- **TotalUserConnectablePorts** Total number of connectable USB ports.
+- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
+
+This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
+
+This event sends basic metadata about driver binaries running on the system. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **DriverCheckSum** The checksum of the driver file.
+- **DriverCompany** The company name that developed the driver.
+- **DriverInBox** Is the driver included with the operating system?
+- **DriverIsKernelMode** Is it a kernel mode driver?
+- **DriverName** The file name of the driver.
+- **DriverPackageStrongName** The strong name of the driver package
+- **DriverSigned** The strong name of the driver package
+- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file.
+- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000.
+- **DriverVersion** The version of the driver file.
+- **ImageSize** The size of the driver file.
+- **Inf** The name of the INF file.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Product** The product name that is included in the driver file.
+- **ProductVersion** The product version that is included in the driver file.
+- **Service** The name of the service that is installed for the device.
+- **WdfVersion** The Windows Driver Framework version.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
+
+This event indicates that the InventoryDriverBinary object is no longer present. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
+
+This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
+
+This event sends basic metadata about drive packages installed on the system. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Class** The class name for the device driver.
+- **ClassGuid** The class GUID for the device driver.
+- **Date** The driver package date.
+- **Directory** The path to the driver package.
+- **DriverInBox** Is the driver included with the operating system?
+- **FlightIds** Driver Flight IDs.
+- **Inf** The INF name of the driver package.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Provider** The provider for the driver package.
+- **RecoveryIds** Driver recovery IDs.
+- **SubmissionId** The HLK submission ID for the driver package.
+- **Version** The version of the driver package.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
+
+This event indicates that the InventoryDriverPackageRemove object is no longer present. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync
+
+This event indicates that a new set of InventoryDriverPackageAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.General.AppHealthStaticAdd
+
+This event sends details collected for a specific application on the source device. The data collected with this event is used to keep Windows performing properly.
+
+
+
+### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync
+
+This event indicates the beginning of a series of AppHealthStaticAdd events. The data collected with this event is used to keep Windows performing properly.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoAdd
+
+This event provides basic information about active memory slots on the device.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Capacity** Memory size in bytes
+- **Manufacturer** Name of the DRAM manufacturer
+- **Model** Model and sub-model of the memory
+- **Slot** Slot to which the DRAM is plugged into the motherboard.
+- **Speed** The configured memory slot speed in MHz.
+- **Type** Reports DDR as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2.
+- **TypeDetails** Reports Non-volatile as a bit flag enumeration per DMTF SMBIOS standard version 3.3.0, section 7.18.3.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoRemove
+
+This event indicates that this particular data object represented by the objectInstanceId is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync
+
+This diagnostic event indicates a new sync is being generated for this object type.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
+
+This event provides data on the installed Office add-ins. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AddinCLSID** The class identifier key for the Microsoft Office add-in.
+- **AddInId** The identifier for the Microsoft Office add-in.
+- **AddinType** The type of the Microsoft Office add-in.
+- **BinFileTimestamp** The timestamp of the Office add-in.
+- **BinFileVersion** The version of the Microsoft Office add-in.
+- **Description** Description of the Microsoft Office add-in.
+- **FileId** The file identifier of the Microsoft Office add-in.
+- **FileSize** The file size of the Microsoft Office add-in.
+- **FriendlyName** The friendly name for the Microsoft Office add-in.
+- **FullPath** The full path to the Microsoft Office add-in.
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **LoadBehavior** Integer that describes the load behavior.
+- **OfficeApplication** The Microsoft Office application associated with the add-in.
+- **OfficeArchitecture** The architecture of the add-in.
+- **OfficeVersion** The Microsoft Office version for this add-in.
+- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in.
+- **ProductCompany** The name of the company associated with the Office add-in.
+- **ProductName** The product name associated with the Microsoft Office add-in.
+- **ProductVersion** The version associated with the Office add-in.
+- **ProgramId** The unique program identifier of the Microsoft Office add-in.
+- **Provider** Name of the provider for this add-in.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
+
+This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
+
+This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
+
+This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Identifier** UUP identifier
+- **LastActivatedVersion** Last activated version
+- **PreviousVersion** Previous version
+- **Source** UUP source
+- **Version** UUP version
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove
+
+This event indicates that this particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync
+
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+### Microsoft.Windows.Inventory.Indicators.Checksum
+
+This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **ChecksumDictionary** A count of each operating system indicator.
+- **PCFP** Equivalent to the InventoryId field that is found in other core events.
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
+
+This event represents the basic metadata about the OS indicators installed on the system. The data collected with this event helps ensure the device is up to date and keeps Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **IndicatorValue** The indicator value.
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
+
+This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
+
+This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+## Kernel events
+
+### Microsoft.Windows.Kernel.DeviceConfig.DeviceConfig
+
+This critical device configuration event provides information about drivers for a driver installation that took place within the kernel. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **ClassGuid** The unique ID for the device class.
+- **DeviceInstanceId** The unique ID for the device on the system.
+- **DriverDate** The date of the driver.
+- **DriverFlightIds** The IDs for the driver flights.
+- **DriverInfName** Driver INF file name.
+- **DriverProvider** The driver manufacturer or provider.
+- **DriverSubmissionId** The driver submission ID assigned by the hardware developer center.
+- **DriverVersion** The driver version number.
+- **ExtensionDrivers** The list of extension driver INF files, extension IDs, and associated flight IDs.
+- **FirstHardwareId** The ID in the hardware ID list that provides the most specific device description.
+- **InboxDriver** Indicates whether the driver package is included with Windows.
+- **InstallDate** Date the driver was installed.
+- **LastCompatibleId** The ID in the hardware ID list that provides the least specific device description.
+- **Legacy** Indicates whether the driver is a legacy driver.
+- **NeedReboot** Indicates whether the driver requires a reboot.
+- **RebootRequiredReason** Provides the reason why a reboot is required.
+- **SetupMode** Indicates whether the device configuration occurred during the Out Of Box Experience (OOBE).
+- **StatusCode** The NTSTATUS of device configuration operation.
+
+
+### Microsoft.Windows.Kernel.PnP.AggregateClearDevNodeProblem
+
+This event is sent when a problem code is cleared from a device. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **Count** The total number of events.
+- **DeviceInstanceId** The unique identifier of the device on the system.
+- **LastProblem** The previous problem that was cleared.
+- **LastProblemStatus** The previous NTSTATUS value that was cleared.
+- **ServiceName** The name of the driver or service attached to the device.
+
+
+### Microsoft.Windows.Kernel.PnP.AggregateSetDevNodeProblem
+
+This event is sent when a new problem code is assigned to a device.
The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **Count** The total number of events.
+- **DeviceInstanceId** The unique identifier of the device in the system.
+- **LastProblem** The previous problem code that was set on the device.
+- **LastProblemStatus** The previous NTSTATUS value that was set on the device.
+- **Problem** The new problem code that was set on the device.
+- **ProblemStatus** The new NTSTATUS value that was set on the device.
+- **ServiceName** The driver or service name that is attached to the device.
+
+
+### Microsoft.Windows.Kernel.Power.ExecutePowerAction
+
+This event supplies power state transition parameters. This information is used to monitor state transition requests and catch exceptions. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **Disabled** Supplies whether the LocalAction or alternative action can be performed.
+- **LightestState** The lightest state to transmit to.
+- **LocalAction** The updated POWER_ACTION to perform.
+- **LocalActionEventCode** The updated bitmask of level of user notifications.
+- **LocalActionFlags** The updated bitmask of POWER_ACTION_*.
+- **PowerAction** The original POWER_ACTION that the requester intents to perform.
+- **PowerActionEventCode** The original bitmask of level of user notifcations, supplied by the requester.
+- **PowerActionFlags** The original bitmask of level of user notifcations, supplied by requester.
+- **RequesterName** Name of the process raises the request.
+- **RequesterNameLength** Length of RequesterName.
+- **SubstitutionPolicy** The policy to pick substituted states.
+- **TriggerFlags** Bitmask of PO_TRG_*.
+- **TriggerType** Type of the trigger from POWER_POLICY_DEVICE_TYPE.
+- **UserNotify** Bitmask of PO_NOTIFY_EVENT_*.
+
+
+### Microsoft.Windows.Kernel.Power.PreviousShutdownWasThermalShutdown
+
+This event sends Product and Service Performance data on which area of the device exceeded safe temperature limits and caused the device to shutdown. This information is used to ensure devices are behaving as they are expected to. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **temperature** Contains the actual temperature measurement, in tenths of degrees Kelvin, for the area that exceeded the limit.
+- **thermalZone** Contains an identifier that specifies which area it was that exceeded temperature limits.
+
+
+## Manufacturing events
+
+### ManufacturingPlatformTel.ManufacturingPlatformActivityEvent
+
+These is the Activity event coming from the Manufacturing Platform. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **BootOptionDescription** This field describes the boot option that is retrieved using EFI protocols from the DUT side.
+- **BootOptionDevicePath** The device path for the boot option.
+- **ChunkSizeInBytes** Indicates the chunk size, in bytes, of an FFU image.
+- **CurrentDUTTime** Indicates the time on the DUT (or target device), using EFI protocols, when the event was logged.
+- **DeviceTargetInfo** Describes general manufacturing and product information about the device and is retrieved via SMBIOS on the DUT (target device).
+- **DUTActivityGuid** The activity guid, from TraceLoggingActivity, that is associated with that operation on the DUT (target device).
+- **DUTDeviceUniqueId** A GUID that uniquely identifies a target device.
+- **DUTSessionGuid** A GUID that uniquely identifies a section on the DUT (target device).
+- **EventName** Indicates the specific event from ManufacturingPlatform. A list of all possible events can be found in ufptelemetryevents.h.
An example is: "GetFlashingImageData" or "GetFlashingStatus".
+- **FFUFilePath** Describes to the name of the FFU file that we are flashing.
+- **FFUHeaderSize** Refers to the size of the header in an FFU image.
+- **FFUPayloadSize** Refers to the payload size of an FFU image.
+- **FieldName** Provides a description of the value field. If relevant, it also includes the unit. Example: "ErrorMessage" or "TimeInSec".
+- **HeaderFileOffset** Indicates the header file offset in an FFU image.
+- **HostStartTime** Refers to the UTC system time on the host that is recorded when the host starts a telemetry logging session on the DUT (target device).
+- **Identifier** Identifies the phase in ManufacturingPlatform we are in. In FlashingPlatform, this field is empty. In FlashingDevice, it includes the DeviceUniqueId, and in an activity, it also includes the operation name.
+- **ImageDeviceTargetInfo** Describes the device target information that has been included in the FFU image. These values can be found in the image header.
+- **ImageHeaderData** Describes critical data in the image header of an FFU image.
+- **OperationName** The name of the operation the host is triggering a logging session on the DUT (target device) for.
+- **PayloadFileOffset** Indicates the header file offset in an FFU image.
+- **SectorSize** Indicates the sector size of the FFU image.
+- **StoreHeaderData** Describes critical data of important fields found in the store header of an FFU image.
+- **UFPImplementationVersionMajor** Implementation major version for the UFP binaries on the DUT (target device) side.
+- **UFPImplementationVersionMinor** Implementation minor version for the UFP binaries on the DUT (target device) side.
+- **UFPProtocolVersionMajor** Protocol major version for the UFP binaries on the DUT (target device) side.
+- **UFPProtocolVersionMinor** Protocol minor version for the UFP binaries on the DUT (target device) side.
+- **ValueStr** The value to be logged.
Described by field name and relevant to the event name.
+- **ValueUInt64** The value to be logged. Described by field name and relevant to the event name.
+- **ValueWideStr** The value to log. Described by field name and relevant to the event name.
+
+
+### ManufacturingPlatformTel.ManufacturingPlatformActivityEventStart
+
+This is the Event Start Activity event coming from the Manufacturing Platform. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **DeviceTargetInfo** Describes general manufacturing and product information about the device and is retrieved using SMBIOS on the DUT (target device).
+- **m_Identifier** Indicates the phase in ManufacturingPlatform that we are in. In FlashingPlatform, this field is empty. In FlashingDevice, it includes the DeviceUniqueId, and in an activity, it also includes the operation name.
+
+
+### ManufacturingPlatformTel.ManufacturingPlatformActivityEventStop
+
+This is the Event Stop Activity event coming from the Manufacturing Platform. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **DeviceTargetInfo** Describes general manufacturing and product information about the device, retrieved using SMBIOS on the DUT (target device).
+- **m_Identifier** Indicates the phase in ManufacturingPlatform that we are in. In FlashingPlatform, this field is empty. In FlashingDevice, it includes the DeviceUniqueId, and in an activity, it also includes the operation name.
+
+
+### ManufacturingPlatformTel.ManufacturingPlatformEvent
+
+This is the manufacturing event coming from the Manufacturing Platform. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **CurrentDUTTime** Indicates the time on the DUT (or target device) using EFI protocols when the event was logged.
+- **DeviceFriendlyName** Friendly name of the device as retrieved from SMBIOS on the DUT (target device).
+- **DeviceTargetInfo** Describes general manufacturing and product information about the device and is retrieved using SMBIOS on the DUT (target device).
+- **DUTActivityGuid** The activity GUID that comes from TraceLoggingActivity associated with that operation on the DUT (target device).
+- **DUTDeviceUniqueId** A GUID to uniquely describes a target device.
+- **DUTSessionGuid** The session GUID given to the DUT (target device) when the host triggers an operation in the DUT.
+- **EventName** Refers to the specific event occurring from ManufacturingPlatform. A list of all possible events can be found in ufptelemetryevents.h. An example is: "GetFlashingImageData" or "GetFlashingStatus"
+- **FieldName** Describes the value field. If relevant it also includes the unit. Example: "ErrorMessage" or "TimeInSec"
+- **HostStartTime** Indicates the UTC system time on the host, recorded when the host starts a telemetry logging session on the DUT (target device)
+- **Identifier** Indicates the phase the ManufacturingPlatform is in. In FlashingPlatform, this field is empty. In FlashingDevice, it includes the DeviceUniqueId, and in an activity, it also includes the operation name.
+- **MajorVersionUInt64** Refers to the major version of the host UFP binaries.
+- **MinorVersionUInt64** Refers to the minor version of the host UFP binaries.
+- **OperationName** The name of the operation the host is triggering a logging session on the DUT (target device) for.
+- **ValueStr** The value to log. Described by field name and relevant to the event name.
+- **ValueUInt64** The value to log. Described by field name and relevant to the event name.
+- **ValueWideStr** The value to log.
Described by field name and relevant to the event name.
+
+
+## Microsoft Edge events
+
+### Aria.160f0649efde47b7832f05ed000fc453.Microsoft.WebBrowser.SystemInfo.Config
+
+This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events.
+- **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version.
+- **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code.
+- **Channel** An integer indicating the channel of the installation (Canary or Dev).
+- **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth.
+- **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode.
+- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
+- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
+- **EventInfo.Level** The minimum Windows diagnostic data level required for the event, where 1 is basic, 2 is enhanced, and 3 is full.
+- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
+- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
+- **installSourceName** A string representation of the installation source.
+- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level.
+- **pop_sample** A value indicating how the device's data is being sampled.
+- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code.
+- **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+- **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process.
+
+
+### Aria.29e24d069f27450385c7acaa2f07e277.Microsoft.WebBrowser.SystemInfo.Config
+
+This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events.
+- **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version.
+- **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code.
+- **Channel** An integer indicating the channel of the installation (Canary or Dev).
+- **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth.
+- **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode.
+- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
+- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
+- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
+- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
+- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
+- **installSourceName** A string representation of the installation source.
+- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level.
+- **pop_sample** A value indicating how the device's data is being sampled.
+- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code.
+- **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+- **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process.
+
+
+### Aria.7005b72804a64fa4b2138faab88f877b.Microsoft.WebBrowser.SystemInfo.Config
+
+This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events.
+- **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version.
+- **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code.
+- **Channel** An integer indicating the channel of the installation (Canary or Dev).
+- **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth.
+- **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode.
+- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
+- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
+- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
+- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
+- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
+- **installSourceName** A string representation of the installation source.
+- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level.
+- **pop_sample** A value indicating how the device's data is being sampled.
+- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code.
+- **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+- **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process.
+
+
+### Aria.754de735ccd546b28d0bfca8ac52c3de.Microsoft.WebBrowser.SystemInfo.Config
+
+This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events.
+- **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version.
+- **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code.
+- **Channel** An integer indicating the channel of the installation (Canary or Dev).
+- **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth.
+- **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode.
+- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
+- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
+- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
+- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
+- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
+- **installSourceName** A string representation of the installation source.
+- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level.
+- **pop_sample** A value indicating how the device's data is being sampled.
+- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code.
+- **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+- **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process.
+
+
+### Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.Ping
+
+This Ping event sends a detailed inventory of software and hardware information about the EdgeUpdate service, Edge applications, and the current system environment including app configuration, update configuration, and hardware capabilities. This event contains Device Connectivity and Configuration, Product and Service Performance, and Software Setup and Inventory data. One or more events is sent each time any installation, update, or uninstallation occurs with the EdgeUpdate service or with Edge applications. This event is used to measure the reliability and performance of the EdgeUpdate service and if Edge applications are up to date. This is an indication that the event is designed to keep Windows secure and up to date.
+
+The following fields are available:
+
+- **appAp** Any additional parameters for the specified application. Default: ''.
+- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Please see the wiki for additional information. Default: undefined.
+- **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''.
+- **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev).
+- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
+- **appCohort** A machine-readable string identifying the release cohort (channel) that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
+- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value is not known. Please see the wiki for additional information. Default: '-2'.
+- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client should not transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
+- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
+- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''.
+- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'.
+- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
+- **appPingEventDownloadMetricsCdnCCC** ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US.
+- **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2.
+- **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
+- **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''.
+- **appPingEventDownloadMetricsDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
+- **appPingEventDownloadMetricsError** The error code (if any) of the operation, encoded as a signed base-10 integer. Default: '0'.
+- **appPingEventDownloadMetricsServerIpHint** For events representing a download, the CDN Host IP address that corresponds to the update file server. The CDN host is controlled by Microsoft servers and always maps to IP addresses hosting *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
+- **appPingEventDownloadMetricsTotalBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
+- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
+- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
+- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
+- **appPingEventEventResult** An enum indicating the result of the event. Please see the wiki for additional information. Default: '0'.
+- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute. Please see the wiki for additional information.
+- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
+- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
+- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'.
+- **appPingEventSequenceId** An id that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event.
+- **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a "urls" tag.
+- **appPingEventUpdateCheckTimeMs** For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'.
+- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not.
+- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server should not return an update instruction to a version number that does not match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
+- **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''.
+- **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'.
+- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
+- **eventType** A string indicating the type of the event. Please see the wiki for additional information.
+- **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware does not support the AVX instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware does not support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse3** '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware does not support the SSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse41** '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware does not support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse42** '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware does not support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSsse3** '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware does not support the SSSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'.
+- **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'.
+- **osArch** The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''.
+- **osPlatform** The operating system family that the within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system Name should be transmitted in lowercase with minimal formatting. Default: ''.
+- **osServicePack** The secondary version of the operating system. '' if unknown. Default: ''.
+- **osVersion** The primary version of the operating system. '' if unknown. Default: ''.
+- **requestCheckPeriodSec** The update interval in seconds. The value is read from the registry. Default: '-1'.
+- **requestDlpref** A comma-separated list of values specifying the preferred download URL behavior. The first value is the highest priority, further values reflect secondary, tertiary, et cetera priorities. Legal values are '' (in which case the entire list must be empty, indicating unknown or no-preference) or 'cacheable' (the server should prioritize sending URLs that are easily cacheable). Default: ''.
+- **requestDomainJoined** '1' if the machine is part of a managed enterprise domain. Otherwise '0'.
+- **requestInstallSource** A string specifying the cause of the update flow. For example: 'ondemand', or 'scheduledtask'. Default: ''.
+- **requestIsMachine** '1' if the client is known to be installed with system-level or administrator privileges. '0' otherwise. Default: '0'.
+- **requestOmahaShellVersion** The version of the Omaha installation folder. Default: ''.
+- **requestOmahaVersion** The version of the Omaha updater itself (the entity sending this request). Default: '0.0.0.0'.
+- **requestProtocolVersion** The version of the Omaha protocol. Compatible clients MUST provide a value of '3.0'. Compatible clients must always transmit this attribute. Default: undefined.
+- **requestRequestId** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha request. Each request attempt should have (with high probability) a unique request id. Default: ''.
+- **requestSessionCorrelationVectorBase** A client generated random MS Correlation Vector base code used to correlate the update session with update and CDN servers. Default: ''.
+- **requestSessionId** A randomly-generated (uniformly distributed) GUID. Each single update flow (e.g. update check, update application, event ping sequence) should have (with high probability) a single unique session ID. Default: ''.
+- **requestTestSource** Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and should not be counted toward normal metrics. Default: ''.
+- **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''.
+
+
+## Migration events
+
+### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr
+
+This event returns data to track the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios.
+
+The following fields are available:
+
+- **currentSid** Indicates the user SID for which the migration is being performed.
+- **migDiagSession->CString** The phase of the upgrade where migration occurs. (E.g.: Validate tracked content)
+- **objectCount** The count for the number of objects that are being transferred.
+- **sfInfo.Name** This event identifies the phase of the upgrade where migration happens.
+
+
+### Microsoft.Windows.MigrationCore.MigObjectCountKFSys
+
+This event returns data about the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios.
+
+The following fields are available:
+
+- **migDiagSession->CString** Identifies the phase of the upgrade where migration happens.
+- **objectCount** The count of the number of objects that are being transferred.
+- **sfInfo.Name** The predefined folder path locations. For example, FOLDERID_PublicDownloads
+
+
+### Microsoft.Windows.MigrationCore.MigObjectCountKFUsr
+
+This event returns data to track the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios.
+
+The following fields are available:
+
+- **currentSid** Indicates the user SID for which the migration is being performed.
+- **migDiagSession->CString** The phase of the upgrade where the migration occurs. (For example, Validate tracked content.)
+- **objectCount** The number of objects that are being transferred.
+- **sfInfo.Name** The predefined folder path locations. For example, FOLDERID_PublicDownloads.
+
+
+## OneSettings events
+
+### Microsoft.Windows.OneSettingsClient.Heartbeat
+
+This event indicates the config state heartbeat. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **Configs** Array of configs.
+
+
+### Microsoft.Windows.OneSettingsClient.StateChange
+
+This event indicates the change in config state. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **flightId** Flight id.
+- **state** New state.
+
+
+### Microsoft.Windows.OneSettingsClient.Status
+
+This event indicates the config usage of status update. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **flightId** Flight id.
+- **time** Time.
+
+
+## OOBE events
+
+### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdateExpeditionChoiceCommitted
+
+This event requests a commit work for expedited update. The data collected with this event is used to help keep Windows secure, up to date, and performing properly.
+
+The following fields are available:
+
+- **oobeExpeditedUpdateCommitOption** Type of commit work for expedited update.
+- **resultCode** HR result of operation.
+
+
+### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdatePageSkipped
+
+This event provides information about skipping expedited update page. The data collected with this event is used to help keep Windows secure, up to date, and performing properly.
+
+The following fields are available:
+
+- **reason** Reason for skip.
+- **skippedReasonFlag** Flag representing reason for skip.
+
+
+### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdateStartUSOScan
+
+This event indicates USO Scan API call. The data collected with this event is used to help keep Windows secure, up to date, and performing properly.
+
+The following fields are available:
+
+- **oobeExpeditedUpdateCommitOption** Expedited update commit work type.
+- **resultCode** HR result of operation.
+
+
+### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdateStatusResult
+
+This event provides status of expedited update. The data collected with this event is used to help keep Windows secure, up to date, and performing properly.
+
+The following fields are available:
+
+- **oobeExpeditedUpdateStatus** Expedited update status.
+- **reason** Reason for the status.
+- **resultCode** HR result of operation.
+
+
+## Privacy consent logging events
+
+### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
+
+This event is used to determine whether the user successfully completed the privacy consent experience. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **presentationVersion** Which display version of the privacy consent experience the user completed
+- **privacyConsentState** The current state of the privacy consent experience
+- **settingsVersion** Which setting version of the privacy consent experience the user completed
+- **userOobeExitReason** The exit reason of the privacy consent experience
+
+
+### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus
+
+This event provides the effectiveness of new privacy experience. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **isAdmin** whether the person who is logging in is an admin
+- **isExistingUser** whether the account existed in a downlevel OS
+- **isLaunching** Whether or not the privacy consent experience will be launched
+- **isSilentElevation** whether the user has most restrictive UAC controls
+- **privacyConsentState** whether the user has completed privacy experience
+- **userRegionCode** The current user's region setting
+
+
+## Servicing API events
+
+### Microsoft.Windows.ServicingUAPI.ModifyFeaturesEnd
+
+This event sends Software Setup and Inventory data regarding the end of an operation to modify a feature. The data collected with this event is used to help keep Windows secure, up to date, and performing properly.
+
+The following fields are available:
+
+- **Actions** A numeric flag that indicates whether the operations are Inbox.
+- **ClientId** A unique, human-readable identifier for telemetry/diagnostic purposes.
+- **Duration** Duration of operation in milliseconds.
+- **Flags** A numeric flag indicating the type of operation being requested.
+- **NetRequiredBytes** Net space required after operation completes or after reboot if operation requires one.
+- **RebootRequired** A true or false value indicating if a reboot is required to complete the operation.
+- **RequiredDownloadBytes** Space required to acquire content (compressed).
+- **Result** HResult at operation end.
+- **TotalMaxRequiredBytes** Total maximum space required during operation.
+
+
+### Microsoft.Windows.ServicingUAPI.ModifyFeaturesResult
+
+This event sends Software Setup and Inventory data regarding a result that occurred during an operation to modify a feature. The data collected with this event is used to help keep Windows secure, up to date, and performing properly.
+
+The following fields are available:
+
+- **ClientId** A unique, human-readable identifier for telemetry/diagnostic purposes.
+- **FeatureIntentFlags** A numeric flag indicating the reason that the feature is being modified.
+- **FeatureName** Feature name which includes language-specific version if in the Language namespace.
+- **FeatureNewIntentFlags** A numeric flag indicating the new reason that the feature is absent or installed.
+- **FeatureNewStateFlags** A numeric flag indicating the new state of the feature.
+- **FeatureStateFlags** A numeric flag indicating the current state of the feature.
+- **Result** HResult from operation to modify a feature.
+
+
+## Setup events
+
+### Microsoft.Windows.Setup.WinSetupBoot.BootBlockStart
+
+This event emits the start of the windows setup boot routine during upgrade. This routine determines the state of the upgrade and handles properly moving the upgrade forward or rolling back the device. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **Action** It indicates phase/stage of operation.
+- **Detail** It indicates details about the phase/stage of the operation.
+- **Rollback** It is blank as this event triggers in success scenario only.
+- **Status** It indicates details about the status for getting the disk device object during boot.
+
+
+### Microsoft.Windows.Setup.WinSetupBoot.BootBlockStop
+
+This event emits the stop of the windows setup boot routine during upgrade. This routine determines the state of the upgrade and handles properly moving the upgrade forward or rolling back the device. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **Action** It indicates phase/stage of operation.
+- **Detail** It indicates details about the phase/stage of the operation.
+- **Rollback** It is blank as this event triggers in success scenario only.
+- **Status** It indicates details about the status for getting the disk device object during boot.
+
+
+### Microsoft.Windows.Setup.WinSetupBoot.Success
+
+This event sends data indicating that the device has invoked the WinSetupBoot successfully. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **Action** It indicates phase/stage of operation. As success event fires on exiting the operation, this value must be 'Exiting'.
+- **Duration(ms)** Duration of filter setup instance operation in milliseconds.
+- **Rollback** It is blank as this event triggers in success scenario only.
+
+
+### Microsoft.Windows.Setup.WinSetupBoot.Warning
+
+This event is used to indicate whether there were any warnings when we were trying to skip a reboot during feature upgrade. The data collected with this event helps keep Windows product and service up to date​.
+
+The following fields are available:
+
+- **Action** Action indicates what operation was being performed by the filter driver (Ex: Waiting, Exiting).
+- **Detail** Add detail to the operation listed above (Ex: Blocked thread timed out).
+- **Rollback** Indicates whether a rollback was triggered (0 or 1).
+- **Status** Indicates the status code for the operation (Ex: 0, 258 etc.).
+
+
+### Microsoft.Windows.Setup.WinSetupMon.ProtectionViolation
+
+This event provides information about move or deletion of a file or a directory which is being monitored for data safety during feature updates. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **Path** Path to the file or the directory which is being moved or deleted.
+- **Process** Path to the process which is requesting the move or the deletion.
+- **TargetPath** (Optional) If the operation is a move, the target path to which the file or directory is being moved.
+
+
+### SetupPlatformTel.SetupPlatformTelActivityEvent
+
+This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
+- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+- **InstanceID** This is a unique GUID to track individual instances of SetupPlatform that will help us tie events from a single instance together.
+- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time
+
+
+### SetupPlatformTel.SetupPlatformTelActivityStarted
+
+This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
+
+The following fields are available:
+
+- **Name** The name of the dynamic update type. Example: GDR driver
+
+
+### SetupPlatformTel.SetupPlatformTelActivityStopped
+
+This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
+
+
+
+### SetupPlatformTel.SetupPlatformTelEvent
+
+This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
+- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+- **InstanceID** This is a unique GUID to track individual instances of SetupPlatform that will help us tie events from a single instance together.
+- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time.
+
+
+## SIH events
+
+### SIHEngineTelemetry.EvalApplicability
+
+This event is sent when targeting logic is evaluated to determine if a device is eligible for a given action. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **ActionReasons** If an action has been assessed as inapplicable, the additional logic prevented it.
+- **AdditionalReasons** If an action has been assessed as inapplicable, the additional logic prevented it.
+- **CachedEngineVersion** The engine DLL version that is being used.
+- **EventInstanceID** A unique identifier for event instance.
+- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it.
+- **IsExecutingAction** If the action is presently being executed.
+- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.).
+- **SihclientVersion** The client version that is being used.
+- **StandardReasons** If an action has been assessed as inapplicable, the standard logic the prevented it.
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UpdateID** A unique identifier for the action being acted upon.
+- **WuapiVersion** The Windows Update API version that is currently installed.
+- **WuaucltVersion** The Windows Update client version that is currently installed.
+- **WuauengVersion** The Windows Update engine version that is currently installed.
+- **WUDeviceID** The unique identifier controlled by the software distribution client.
+
+
+### SIHEngineTelemetry.ExecuteAction
+
+This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes important information like if the update required a reboot. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **CachedEngineVersion** The engine DLL version that is being used.
+- **EventInstanceID** A unique identifier for event instance.
+- **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **RebootRequired** Indicates if a reboot was required to complete the action.
+- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.).
+- **SihclientVersion** The SIH version.
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UpdateID** A unique identifier for the action being acted upon.
+- **WuapiVersion** The Windows Update API version.
+- **WuaucltVersion** The Windows Update version identifier for SIH.
+- **WuauengVersion** The Windows Update engine version identifier.
+- **WUDeviceID** The unique identifier controlled by the software distribution client.
+
+
+## Software update events
+
+### SoftwareUpdateClientTelemetry.CheckForUpdates
+
+This is a scan process event on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion.
+- **AllowCachedResults** Indicates if the scan allowed using cached results.
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable
+- **BranchReadinessLevel** The servicing branch configured on the device.
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated.
+- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location.
+- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **ClientVersion** The version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field.
Expected value for this field is 0.
+- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown
+- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000).
+- **DeferredUpdates** Update IDs which are currently being deferred until a later time
+- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered.
+- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled.
+- **DriverSyncPassPerformed** Were drivers scanned this time?
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **ExtendedMetadataCabUrl** Hostname that is used to download an update.
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan.
+- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan.
+- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days).
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days).
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **IPVersion** Indicates whether the download took place over IPv4 or IPv6
+- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
+- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **MSIError** The last error that was encountered during a scan for updates.
+- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6
+- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete
+- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked
+- **NumberOfLoop** The number of round trips the scan required
+- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan
+- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan
+- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down.
+- **Online** Indicates if this was an online scan.
+- **PausedUpdates** A list of UpdateIds which that currently being paused.
+- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days).
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days).
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **ScanDurationInSeconds** The number of seconds a scan took
+- **ScanEnqueueTime** The number of seconds it took to initialize a scan
+- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates).
+- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.).
+- **ServiceUrl** The environment URL a device is configured to scan with
+- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
+- **SyncType** Describes the type of scan the event was
+- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **TargetReleaseVersion** The value selected for the target release version policy.
+- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down.
+- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+
+
+### SoftwareUpdateClientTelemetry.Commit
+
+This event sends data on whether the Update Service has been called to execute an upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle
+- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client
+- **ClassificationId** Classification identifier of the update content.
+- **DeploymentMutexId** Mutex identifier of the deployment operation.
+- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation.
+- **DeploymentProviderMode** The mode of operation of the update deployment provider.
+- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc.
+- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver".
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FlightId** The specific id of the flight the device is getting
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.)
+- **RevisionNumber** Identifies the revision number of this specific piece of content
+- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UpdateId** Identifier associated with the specific piece of content
+
+
+### SoftwareUpdateClientTelemetry.Download
+
+This event sends tracking data about the software distribution client download of the content for that update, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ActiveDownloadTime** Number of seconds the update was actively being downloaded.
+- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download.
+- **AppXScope** Indicates the scope of the app download.
+- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle.
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle).
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology.
+- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location.
+- **CDNId** ID which defines which CDN the software distribution client downloaded the content from.
+- **ClientVersion** The version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior.
+- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle.
+- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
+- **DownloadProps** Information about the download operation properties in the form of a bitmask.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
+- **EventType** Possible values are Child, Bundle, or Driver.
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight.
+- **FlightId** The specific ID of the flight (pre-release build) the device is getting.
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **HostName** The hostname URL the content is downloading from.
+- **IPVersion** Indicates whether the download took place over IPv4 or IPv6.
+- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content.
+- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered."
+- **PackageFullName** The package name of the content.
+- **PostDnldTime** Time taken (in seconds) to signal download completion after the last job has completed downloading payload.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background.
+- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content.
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one.
+- **RepeatFailCount** Indicates whether this specific content has previously failed.
+- **RevisionNumber** The revision number of the specified piece of content.
+- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc).
+- **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload.
+- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
+- **TotalExpectedBytes** The total count of bytes that the download is expected to be.
+- **UpdateId** An identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
+- **UsedDO** Whether the download used the delivery optimization service.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+
+
+### SoftwareUpdateClientTelemetry.DownloadCheckpoint
+
+This event provides a checkpoint between each of the Windows Update download phases for UUP content.
The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
+- **ClientVersion** The version number of the software distribution client
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver"
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough
+- **FileId** A hash that uniquely identifies a file
+- **FileName** Name of the downloaded file
+- **FlightId** The unique identifier for each flight
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **RevisionNumber** Unique revision number of Update
+- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.)
+- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult)
+- **UpdateId** Unique Update ID
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+
+
+### SoftwareUpdateClientTelemetry.DownloadHeartbeat
+
+This event allows tracking of ongoing downloads and contains data to explain the current state of the download. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **BytesTotal** Total bytes to transfer for this content
+- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat
+- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client
+- **ClientVersion** The version number of the software distribution client
+- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat
+- **CurrentError** Last (transient) error encountered by the active download
+- **DownloadFlags** Flags indicating if power state is ignored
+- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing)
+- **EventType** Possible values are "Child", "Bundle", or "Driver"
+- **FlightId** The unique identifier for each flight
+- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered"
+- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any
+- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any
+- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby)
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one
+- **ResumeCount** Number of times this active download has resumed from a suspended state
+- **RevisionNumber** Identifies the revision number of this specific piece of content
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc)
+- **SuspendCount** Number of times this active download has entered a suspended state
+- **SuspendReason** Last reason for why this active download entered a suspended state
+- **UpdateId** Identifier associated with the specific piece of content
+- **WUDeviceID** Unique device id controlled by
the software distribution client
+
+
+### SoftwareUpdateClientTelemetry.Install
+
+This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **ClassificationId** Classification identifier of the update content.
+- **ClientVersion** The version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0.
+- **CSIErrorType** The stage of CBS installation where it failed.
+- **DeploymentMutexId** Mutex identifier of the deployment operation.
+- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation.
+- **DeploymentProviderMode** The mode of operation of the update deployment provider.
+- **DriverPingBack** Contains information about the previous driver and system state.
+- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **EventType** Possible values are Child, Bundle, or Driver.
+- **ExtendedErrorCode** The extended error code.
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update).
+- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process.
+- **IsFirmware** Indicates whether this update is a firmware update.
+- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart.
+- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation.
+- **MsiAction** The stage of MSI installation where it failed.
+- **MsiProductCode** The unique identifier of the MSI installer.
+- **PackageFullName** The package name of the content being installed.
+- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **RepeatFailCount** Indicates whether this specific piece of content has previously failed.
+- **RevisionNumber** The revision number of this specific piece of content.
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
+- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult).
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **TransactionCode** The ID that represents a given MSI installation.
+- **UpdateId** Unique update ID.
+- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
+- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+
+
+### SoftwareUpdateClientTelemetry.Revert
+
+This is a revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found.
+- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **CSIErrorType** Stage of CBS installation that failed.
+- **DeploymentMutexId** Mutex identifier of the deployment operation.
+- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation.
+- **DeploymentProviderMode** The mode of operation of the update deployment provider.
+- **DriverPingBack** Contains information about the previous driver and system state.
+- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.).
+- **EventType** Event type (Child, Bundle, Release, or Driver).
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** Indicates the build number of the flight.
+- **FlightId** The specific ID of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process.
+- **IsFirmware** Indicates whether an update was a firmware update.
+- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot.
+- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one.
+- **RepeatFailCount** Indicates whether this specific piece of content has previously failed.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **UpdateId** The identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended).
+- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used.
+- **WUDeviceID** Unique device ID controlled by the software distribution client.
+
+
+### SoftwareUpdateClientTelemetry.TaskRun
+
+This is a start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClientVersion** Version number of the software distribution client.
+- **CmdLineArgs** Command line arguments passed in by the caller.
+- **EventInstanceID** A globally unique identifier for the event instance.
+- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.).
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **WUDeviceID** Unique device ID controlled by the software distribution client.
+
+
+### SoftwareUpdateClientTelemetry.Uninstall
+
+This is an uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found.
+- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **DeploymentMutexId** Mutex identifier of the deployment operation.
+- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation.
+- **DeploymentProviderMode** The mode of operation of the Update Deployment Provider.
+- **DriverPingBack** Contains information about the previous driver and system state.
+- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.).
+- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver".
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** Indicates the build number of the flight.
+- **FlightId** The specific ID of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process.
+- **IsFirmware** Indicates whether an update was a firmware update.
+- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot.
+- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one.
+- **RepeatFailCount** Indicates whether this specific piece of content previously failed.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended).
+- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used.
+- **WUDeviceID** Unique device ID controlled by the software distribution client.
+
+
+### SoftwareUpdateClientTelemetry.UpdateDetected
+
+This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete.
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one.
+- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.).
+- **WUDeviceID** The unique device ID controlled by the software distribution client.
+
+
+### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity
+
+This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
+- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed.
+- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
+- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
+- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable.
+- **RevisionId** The revision ID for a specific piece of content.
+- **RevisionNumber** The revision number for a specific piece of content.
+- **ServiceGuid** Identifies the service to which the software distribution client is connected. Example: Windows Update or Microsoft Store
+- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
+- **SHA256OfTimestampToken** An encoded string of the timestamp token.
+- **SignatureAlgorithm** The hash algorithm for the metadata signature.
+- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed.
+- **UpdateId** The update ID for a specific piece of content.
+
+
+## Surface events
+
+### Microsoft.Surface.Battery.Prod.BatteryInfoEvent
+
+This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly.
+
+The following fields are available:
+
+- **pszBatteryDataXml** Battery performance data.
+
+
+### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_BPM
+
+This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **BPMCurrentlyEngaged** Instantaneous snapshot if BPM is engaged on device.
+- **BPMExitCriteria** What is the BPM exit criteria - 20%SOC or 50%SOC?
+- **BPMHvtCountA** Current HVT count for BPM counter A.
+- **BPMHvtCountB** Current HVT count for BPM counter B.
+- **bpmOptOutLifetimeCount** BPM OptOut Lifetime Count.
+- **BPMRsocBucketsHighTemp_Values** Time in temperature range 46°C -60°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%.
+- **BPMRsocBucketsLowTemp_Values** Time in temperature range 0°C -20°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%.
+- **BPMRsocBucketsMediumHighTemp_Values** Time in temperature range 36°C -45°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%.
+- **BPMRsocBucketsMediumLowTemp_Values** Time in temperature range 21°C-35°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%.
+- **BPMTotalEngagedMinutes** Total time that BPM was engaged.
+- **BPMTotalEntryEvents** Total number of times entering BPM.
+- **ComponentId** Component ID.
+- **FwVersion** FW version that created this log.
+- **LogClass** Log Class.
+- **LogInstance** Log instance within class (1..n).
+- **LogVersion** Log MGR version.
+- **MCUInstance** Instance id used to identify multiple MCU's in a product.
+- **ProductId** Product ID.
+- **SeqNum** Sequence Number.
+- **TimeStamp** UTC seconds when log was created.
+- **Ver** Schema version.
+
+
+### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_CTT
+
+This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **BPMKioskModeStartDateInSeconds** First time Battery Limit was turned on
+- **BPMKioskModeTotalEngagedMinutes** Total time Battery Limit was on (SOC value at 50%)
+- **ComponentId** Component ID.
+- **CTTEqvTimeat35C** Poll time every minute. Add to lifetime counter based on temperature. Only count time above 80% SOC.
+- **CTTEqvTimeat35CinBPM** Poll time every minute. Add to lifetime counter based on temperature. Only count time above 55% SOC and when device is in BPM. Round up.
+- **CTTMinSOC1day** Rolling 1 day minimum SOC. Value set to 0 initially.
+- **CTTMinSOC28day** Rolling 28 day minimum SOC. Value set to 0 initially
+- **CTTMinSOC3day** Rolling 3 day minimum SOC. Value set to 0 initially
+- **CTTMinSOC7day** Rolling 7 day minimum SOC. Value set to 0 initially
+- **CTTStartDateInSeconds** Indicates the start date of when device starting being used.
+- **currentAuthenticationState** Current Authentication State.
+- **FwVersion** FW version that created this log.
+- **LogClass** LOG CLASS.
+- **LogInstance** Log instance within class (1..n).
+- **LogVersion** LOG MGR VERSION.
+- **MCUInstance** Instance id used to identify multiple MCU's in a product.
+- **newSnFruUpdateCount** New Sn FRU Update Count.
+- **newSnUpdateCount** New Sn Update Count.
+- **ProductId** Product ID.
+- **ProtectionPolicy** Battery limit engaged. True (0 False)
+- **SeqNum** Represents the sequence number.
+- **TimeStamp** UTC seconds when log was created.
+- **Ver** The schema version used.
+- **VoltageOptimization** Current CTT reduction in mV
+
+
+### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GG
+
+This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **cbTimeCell_Values** cb time for different cells.
+- **ComponentId** Component ID.
+- **cycleCount** Cycle Count.
+- **deltaVoltage** Delta voltage.
+- **eocChargeVoltage_Values** EOC Charge voltage values.
+- **fullChargeCapacity** Full Charge Capacity.
+- **FwVersion** FW version that created this log.
+- **lastCovEvent** Last Cov event.
+- **lastCuvEvent** Last Cuv event.
+- **LogClass** LOG_CLASS.
+- **LogInstance** Log instance within class (1..n).
+- **LogVersion** LOG_MGR_VERSION.
+- **manufacturerName** Manufacturer name.
+- **maxChargeCurrent** Max charge current.
+- **maxDeltaCellVoltage** Max delta cell voltage.
+- **maxDischargeCurrent** Max discharge current.
+- **maxTempCell** Max temp cell.
+- **maxVoltage_Values** Max voltage values.
+- **MCUInstance** Instance id used to identify multiple MCU's in a product.
+- **minTempCell** Min temp cell.
+- **minVoltage_Values** Min voltage values.
+- **numberOfCovEvents** Number of Cov events.
+- **numberOfCuvEvents** Number of Cuv events.
+- **numberOfOCD1Events** Number of OCD1 events.
+- **numberOfOCD2Events** Number of OCD2 events.
+- **numberOfQmaxUpdates** Number of Qmax updates.
+- **numberOfRaUpdates** Number of Ra updates.
+- **numberOfShutdowns** Number of shutdowns.
+- **pfStatus_Values** pf status values.
+- **ProductId** Product ID.
+- **qmax_Values** Qmax values for different cells.
+- **SeqNum** Sequence Number.
+- **TimeStamp** UTC seconds when log was created.
+- **Ver** Schema version.
+
+
+### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GGExt
+
+This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **avgCurrLastRun** Average current last run.
+- **avgPowLastRun** Average power last run.
+- **batteryMSPN** BatteryMSPN
+- **batteryMSSN** BatteryMSSN.
+- **cell0Ra3** Cell0Ra3.
+- **cell1Ra3** Cell1Ra3.
+- **cell2Ra3** Cell2Ra3.
+- **cell3Ra3** Cell3Ra3.
+- **ComponentId** Component ID.
+- **currentAtEoc** Current at Eoc.
+- **firstPFstatusA** First PF status-A.
+- **firstPFstatusB** First PF status-B.
+- **firstPFstatusC** First PF status-C.
+- **firstPFstatusD** First PF status-D.
+- **FwVersion** FW version that created this log.
+- **lastQmaxUpdate** Last Qmax update.
+- **lastRaDisable** Last Ra disable.
+- **lastRaUpdate** Last Ra update.
+- **lastValidChargeTerm** Last valid charge term.
+- **LogClass** LOG CLASS.
+- **LogInstance** Log instance within class (1..n).
+- **LogVersion** LOG MGR VERSION.
+- **maxAvgCurrLastRun** Max average current last run.
+- **maxAvgPowLastRun** Max average power last run.
+- **MCUInstance** Instance id used to identify multiple MCU's in a product.
+- **mfgInfoBlockB01** MFG info Block B01.
+- **mfgInfoBlockB02** MFG info Block B02.
+- **mfgInfoBlockB03** MFG info Block B03.
+- **mfgInfoBlockB04** MFG info Block B04.
+- **numOfRaDisable** Number of Ra disable.
+- **numOfValidChargeTerm** Number of valid charge term.
+- **ProductId** Product ID.
+- **qmaxCycleCount** Qmax cycle count.
+- **SeqNum** Sequence Number.
+- **stateOfHealthEnergy** State of health energy.
+- **stateOfHealthFcc** State of health Fcc.
+- **stateOfHealthPercent** State of health percent.
+- **TimeStamp** UTC seconds when log was created.
+- **totalFwRuntime** Total FW runtime.
+- **updateStatus** Update status.
+- **Ver** Schema version.
+
+
+### Microsoft.Surface.Health.Binary.Prod.McuHealthLog
+
+This event collects information to keep track of health indicator of the built-in micro controller. For example, the number of abnormal shutdowns due to power issues during boot sequence, type of display panel attached to base, thermal indicator, throttling data in hardware etc. The data collected with this event is used to help keep Windows secure and performing properly.
+
+The following fields are available:
+
+- **CUtility::GetTargetNameA(Target)** Sub component name.
+- **HealthLog** Health indicator log.
+- **healthLogSize** 4KB.
+- **productId** Identifier for product model.
+
+
+### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2
+
+This event sends reason for SAM, PCH and SoC reset. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **HostResetCause** Host reset cause.
+- **PchResetCause** PCH reset cause.
+- **SamResetCause** SAM reset cause.
+
+
+## UEFI events
+
+### Microsoft.Windows.UEFI.ESRT
+
+This event sends basic data during boot about the firmware loaded or recently installed on the machine. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **DriverFirmwareFilename** The firmware file name reported by the device hardware key.
+- **DriverFirmwareIntegrityFilename** Filename of the integrity package that is supplied in the firmware package.
+- **DriverFirmwarePolicy** The optional version update policy value.
+- **DriverFirmwareStatus** The firmware status reported by the device hardware key.
+- **DriverFirmwareVersion** The firmware version reported by the device hardware key.
+- **FirmwareId** The UEFI (Unified Extensible Firmware Interface) identifier.
+- **FirmwareLastAttemptStatus** The reported status of the most recent firmware installation attempt, as reported by the EFI System Resource Table (ESRT).
+- **FirmwareLastAttemptVersion** The version of the most recent attempted firmware installation, as reported by the EFI System Resource Table (ESRT).
+- **FirmwareType** The UEFI (Unified Extensible Firmware Interface) type.
+- **FirmwareVersion** The UEFI (Unified Extensible Firmware Interface) version as reported by the EFI System Resource Table (ESRT).
+- **InitiateUpdate** Indicates whether the system is ready to initiate an update.
+- **LastAttemptDate** The date of the most recent attempted firmware installation.
+- **LastAttemptStatus** The result of the most recent attempted firmware installation.
+- **LastAttemptVersion** The version of the most recent attempted firmware installation.
+- **LowestSupportedFirmwareVersion** The oldest (lowest) version of firmware supported.
+- **MaxRetryCount** The maximum number of retries, defined by the firmware class key.
+- **RetryCount** The number of attempted installations (retries), reported by the driver software key.
+- **Status** The status returned to the PnP (Plug-and-Play) manager.
+- **UpdateAttempted** Indicates if installation of the current update has been attempted before.
+
+
+## Update Assistant events
+
+### Microsoft.Windows.RecommendedTroubleshootingService.MitigationFailed
+
+This event is raised after an executable delivered by Mitigation Service has run and failed. Data from this event is used to measure the health of mitigations used by engineers to solve in-market problems on internal, insider, and retail devices. Failure data will also be used for root-cause investigation by feature teams, as signal to halt mitigation rollout and, possible follow-up action on specific devices still impacted by the problem because the mitigation failed (i.e. reoffer it to impacted devices). The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **activeProcesses** Number of active processes.
+- **atleastOneMitigationSucceeded** Bool flag indicating if at least one mitigation succeeded.
+- **callerId** Identifier (GUID) of the caller requesting a system initiated troubleshooter.
+- **contactTSServiceAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to get Troubleshooter metadata from the Troubleshooting cloud service.
+- **countDownloadedPayload** Count instances of payload downloaded.
+- **description** Description of failure.
+- **devicePreference** Recommended Troubleshooting Setting on the device.
+- **downloadBinaryAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download Troubleshooter Exe.
+- **downloadCabAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download PrivilegedActions Cab.
+- **executionHR** HR code of the execution of the mitigation.
+- **executionPreference** Current Execution level Preference. This may not be same as devicePreference, eg when executing Critical troubleshooters, the executionPreference is set to the Silent option.
+- **exitCode** Exit code of the execution of the mitigation.
+- **experimentFeatureId** Experiment feature ID.
+- **experimentFeatureState** Config state of the experiment.
+- **hr** HRESULT for error code.
+- **isActiveSessionPresent** If an active user session is present on the device.
+- **isCriticalMitigationAvailable** If a critical mitigation is available to this device.
+- **isFilteringSuccessful** If the filtering operation was successful.
+- **isReApply** reApply status for the mitigation.
+- **mitigationId** ID value of the mitigation.
+- **mitigationProcessCycleTime** Process cycle time used by the mitigation.
+- **mitigationRequestWithCompressionFailed** Boolean flag indicating if HTTP request with compression failed for this device.
+- **mitigationServiceResultFetched** Boolean flag indicating if mitigation details were fetched from the admin service.
+- **mitigationVersion** String indicating version of the mitigation.
+- **oneSettingsMetadataParsed** If OneSettings metadata was parsed successfully.
+- **oneSettingsSchemaVersion** Schema version used by the OneSettings parser.
+- **onlyNoOptMitigationsPresent** Checks if all mitigations were no opt.
+- **parsedOneSettingsFile** Indicates if OneSettings parsing was successful.
+- **sessionAttempts** Number of Scanner sessions attempted so far by TroubleshootingSvc for this troubleshooter.
+- **SessionId** Random GUID used for grouping events in a session.
+- **subType** Error type.
+- **totalKernelTime** Total kernel time used by the mitigation.
+- **totalNumberOfApplicableMitigations** Total number of applicable mitigations.
+- **totalProcesses** Total number of processes assigned to the job object.
+- **totalTerminatedProcesses** Total number of processes in terminated state assigned to the job object.
+- **totalUserTime** Total user mode time used by the job object.
+
+
+### Microsoft.Windows.RecommendedTroubleshootingService.MitigationSucceeded
+
+This event is raised after an executable delivered by Mitigation Service has successfully run. Data from this event is used to measure the health of mitigations used by engineers to solve in-market problems on internal, insider, and retail devices. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **activeProcesses** Number of active processes.
+- **callerId** Identifier (GUID) of the caller requesting a system initiated troubleshooter.
+- **contactTSServiceAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to get Troubleshooter metadata from the Troubleshooting cloud service.
+- **devicePreference** Recommended troubleshooting setting on the device.
+- **downloadBinaryAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download Troubleshooter Exe.
+- **downloadCabAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download PrivilegedActions Cab.
+- **executionPreference** Current Execution level Preference. This may not be same as devicePreference, for example, when executing Critical troubleshooters, the executionPreference is set to the Silent option.
+- **exitCode** Exit code of the execution of the mitigation.
+- **exitCodeDefinition** String describing the meaning of the exit code returned by the mitigation (i.e. ProblemNotFound).
+- **experimentFeatureId** Experiment feature ID.
+- **experimentFeatureState** Feature state for the experiment.
+- **mitigationId** ID value of the mitigation.
+- **mitigationProcessCycleTime** Process cycle time used by the mitigation.
+- **mitigationVersion** String indicating version of the mitigation.
+- **sessionAttempts** Number of Scanner sessions attempted so far by TroubleshootingSvc for this troubleshooter.
+- **SessionId** Random GUID used for grouping events in a session.
+- **totalKernelTime** Total kernel time used by the mitigation.
+- **totalProcesses** Total number of processes assigned to the job object.
+- **totalTerminatedProcesses** Total number of processes in terminated state assigned to the job object.
+- **totalUserTime** Total user mode time used by the job object.
+
+
+### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploaded
+
+This event is received when the UpdateHealthTools service uploads device information. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of remediation.
+- **UpdateHealthToolsDeviceUbrChanged** 1 if the Ubr just changed, 0 otherwise.
+- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device.
+
+
+### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin
+
+This event is sent when a device has been detected as DSS device. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CV** A correlation vector.
+- **GlobalEventCounter** This is a client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** The package version of the label.
+
+
+
+## Update events
+
+### Update360Telemetry.DriverUpdateSummaryReport
+
+This event collects information regarding the state of devices and drivers on the system, following a reboot, after the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **AnalysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during the analysis.
+- **AppendError** A Boolean indicating if there was an error appending more information to the summary string.
+- **DevicePopulateErrorCount** The number of errors that occurred during the population of the list of all devices on the system, includes information such as, hardware ID, compatible ID.
+- **ErrorCode** The error code returned.
+- **FlightId** The flight ID for the driver manifest update.
+- **ObjectId** The unique value for each diagnostics session.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Indicates the result of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** The unique value for each update session.
+- **Summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match.
+- **TruncatedDeviceCount** The number of devices missing from the summary string due to there not being enough room in the string.
+- **TruncatedDriverCount** The number of devices missing from the summary string due to there not being enough room in the string.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.Revert
+
+This event sends data relating to the Revert phase of updating Windows.
The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the Revert phase.
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **RebootRequired** Indicates reboot is required.
+- **RevertResult** The result code returned for the Revert operation.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+
+
+### Update360Telemetry.UpdateAgentCommit
+
+This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CancelRequested** Boolean that indicates whether cancel was requested.
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the install phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentDownloadRequest
+
+This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CancelRequested** Boolean indicating whether a cancel was requested.
+- **ContainsSafeOSDUPackage** Boolean indicating whether Safe DU packages are part of the payload.
+- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted.
+- **DownloadComplete** Indicates if the download is complete.
+- **DownloadedSizeBundle** Cumulative size (in bytes) of the downloaded bundle content.
+- **DownloadedSizeCanonical** Cumulative size (in bytes) of downloaded canonical content.
+- **DownloadedSizeDiff** Cumulative size (in bytes) of downloaded diff content.
+- **DownloadedSizeExpress** Cumulative size (in bytes) of downloaded express content.
+- **DownloadedSizePSFX** Cumulative size (in bytes) of downloaded PSFX content.
+- **DownloadRequests** Number of times a download was retried.
+- **ErrorCode** The error code returned for the current download request phase.
+- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin.
+- **FlightId** Unique ID for each flight.
+- **InternalFailureResult** Indicates a non-fatal error from a plugin.
+- **NumberOfHops** Number of intermediate packages used to reach target version.
+- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable.
+- **PackageCountOptional** Number of optional packages requested.
+- **PackageCountRequired** Number of required packages requested.
+- **PackageCountTotal** Total number of packages needed.
+- **PackageCountTotalBundle** Total number of bundle packages.
+- **PackageCountTotalCanonical** Total number of canonical packages.
+- **PackageCountTotalDiff** Total number of diff packages.
+- **PackageCountTotalExpress** Total number of express packages.
+- **PackageCountTotalPSFX** The total number of PSFX packages.
+- **PackageExpressType** Type of express package.
+- **PackageSizeCanonical** Size of canonical packages in bytes.
+- **PackageSizeDiff** Size of diff packages in bytes.
+- **PackageSizeExpress** Size of express packages in bytes.
+- **PackageSizePSFX** The size of PSFX packages, in bytes.
+- **RangeRequestState** Indicates the range request type used.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the download request phase of update.
+- **SandboxTaggedForReserves** The sandbox for reserves.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases).
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentExpand
+
+This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CancelRequested** Boolean that indicates whether a cancel was requested.
+- **CanonicalRequestedOnError** Indicates if an error caused a reversion to a different type of compressed update (TRUE or FALSE).
+- **ElapsedTickCount** Time taken for expand phase.
+- **EndFreeSpace** Free space after expand phase.
+- **EndSandboxSize** Sandbox size after expand phase.
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **StartFreeSpace** Free space before expand phase.
+- **StartSandboxSize** Sandbox size after expand phase.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentInitialize
+
+This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile.
The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **FlightMetadata** Contains the FlightId and the build being flighted.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the install phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentInstall
+
+This event sends data for the install phase of updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CancelRequested** Boolean to indicate whether a cancel was requested.
+- **ErrorCode** The error code returned for the current install phase.
+- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin.
+- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **InternalFailureResult** Indicates a non-fatal error from a plugin.
+- **ObjectId** Correlation vector value generated from the latest USO scan.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** The result for the current install phase.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentMitigationResult
+
+This event sends data indicating the result of each update agent mitigation.
The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **Applicable** Indicates whether the mitigation is applicable for the current update.
+- **CommandCount** The number of command operations in the mitigation entry.
+- **CustomCount** The number of custom operations in the mitigation entry.
+- **FileCount** The number of file operations in the mitigation entry.
+- **FlightId** Unique identifier for each flight.
+- **Index** The mitigation index of this particular mitigation.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **Name** The friendly name of the mitigation.
+- **ObjectId** Unique value for each Update Agent mode.
+- **OperationIndex** The mitigation operation index (in the event of a failure).
+- **OperationName** The friendly name of the mitigation operation (in the event of failure).
+- **RegistryCount** The number of registry operations in the mitigation entry.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
+- **Result** The HResult of this operation.
+- **ScenarioId** The update agent scenario ID.
+- **SessionId** Unique value for each update attempt.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+- **UpdateId** Unique ID for each Update.
+
+
+### Update360Telemetry.UpdateAgentMitigationSummary
+
+This event sends a summary of all the update agent mitigations available for an this update. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **Applicable** The count of mitigations that were applicable to the system and scenario.
+- **Failed** The count of mitigations that failed.
+- **FlightId** Unique identifier for each flight.
+- **MitigationScenario** The update scenario in which the mitigations were attempted.
+- **ObjectId** The unique value for each Update Agent mode.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
+- **Result** The HResult of this operation.
+- **ScenarioId** The update agent scenario ID.
+- **SessionId** Unique value for each update attempt.
+- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments).
+- **Total** Total number of mitigations that were available.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentModeStart
+
+This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **FlightId** Unique ID for each flight.
+- **Mode** Indicates the mode that has started.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+- **Version** Version of update
+
+
+### Update360Telemetry.UpdateAgentOneSettings
+
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **Count** The count of applicable OneSettings for the device.
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **Result** The HResult of the event.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+- **Values** The values sent back to the device, if applicable.
+
+
+### Update360Telemetry.UpdateAgentPostRebootResult
+
+This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current post reboot phase.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **ObjectId** Unique value for each Update Agent mode.
+- **PostRebootResult** Indicates the Hresult.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **RollbackFailureReason** Indicates the cause of the rollback.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+- **UpdateOutputState** A numeric value indicating the state of the update at the time of reboot.
+
+
+### Update360Telemetry.UpdateAgentReboot
+
+This event sends information indicating that a request has been sent to suspend an update. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current reboot.
+- **FlightId** Unique ID for the flight (test instance version).
+- **IsSuspendable** Indicates whether the update has the ability to be suspended and resumed at the time of reboot.
When the machine is rebooted and the update is in middle of Predownload or Install and Setup.exe is running, this field is TRUE, if not its FALSE.
+- **ObjectId** The unique value for each Update Agent mode.
+- **Reason** Indicates the HResult why the machine could not be suspended. If it is successfully suspended, the result is 0.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+- **UpdateState** Indicates the state of the machine when Suspend is called. For example, Install, Download, Commit.
+
+
+### Update360Telemetry.UpdateAgentSetupBoxLaunch
+
+The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ContainsExpressPackage** Indicates whether the download package is express.
+- **FlightId** Unique ID for each flight.
+- **FreeSpace** Free space on OS partition.
+- **InstallCount** Number of install attempts using the same sandbox.
+- **ObjectId** Unique value for each Update Agent mode.
+- **Quiet** Indicates whether setup is running in quiet mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **SandboxSize** Size of the sandbox.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **SetupLaunchAttemptCount** Indicates the count of attempts to launch setup for the current Update Agent instance.
+- **SetupMode** Mode of setup to be launched.
+- **UpdateId** Unique ID for each Update.
+- **UserSession** Indicates whether install was invoked by user actions.
+
+
+## Upgrade events
+
+### FacilitatorTelemetry.DCATDownload
+
+This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **DownloadSize** Download size of payload.
+- **ElapsedTime** Time taken to download payload.
+- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade.
+- **ResultCode** Result returned by the Facilitator DCAT call.
+- **Scenario** Dynamic update scenario (Image DU, or Setup DU).
+- **Type** Type of package that was downloaded.
+- **UpdateId** The ID of the update that was downloaded.
+
+
+### FacilitatorTelemetry.DUDownload
+
+This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **PackageCategoriesFailed** Lists the categories of packages that failed to download.
+- **PackageCategoriesSkipped** Lists the categories of package downloads that were skipped.
+
+
+### FacilitatorTelemetry.InitializeDU
+
+This event determines whether devices received additional or critical supplemental content during an OS upgrade. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **DownloadRequestAttributes** The attributes we send to DCAT.
+- **ResultCode** The result returned from the initiation of Facilitator with the URL/attributes.
+- **Scenario** Dynamic Update scenario (Image DU, or Setup DU).
+- **Url** The Delivery Catalog (DCAT) URL we send the request to.
+- **Version** Version of Facilitator.
+
+
+### Setup360Telemetry.Downlevel
+
+This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the downlevel OS.
+- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** More detailed information about phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback).
+- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors).
+- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT).
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
+- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** An ID that uniquely identifies a group of events.
+- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
+
+
+### Setup360Telemetry.Finalize
+
+This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup.
In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.OsUninstall
+
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, Windows 10, and Windows 11. Specifically, it indicates the outcome of an OS uninstall. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** Windows Update client ID.
+
+
+### Setup360Telemetry.PostRebootInstall
+
+This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
+
+
+### Setup360Telemetry.PreDownloadQuiet
+
+This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type.
Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.PreDownloadUX
+
+This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10, Windows 11 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous operating system.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
+- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
+- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** Windows Update client ID.
+
+
+### Setup360Telemetry.PreInstallQuiet
+
+This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT).
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.PreInstallUX
+
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, Windows 10, and Windows 11, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** Windows Update client ID.
+
+
+### Setup360Telemetry.Setup360
+
+This event sends data about OS deployment scenarios, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID.
In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FieldName** Retrieves the data point.
+- **FlightData** Specifies a unique identifier for each group of Windows Insider builds.
+- **InstanceId** Retrieves a unique identifier for each instance of a setup session.
+- **ReportId** Retrieves the report ID.
+- **ScenarioId** Retrieves the deployment scenario.
+- **Value** Retrieves the value associated with the corresponding FieldName.
+
+
+### Setup360Telemetry.Setup360DynamicUpdate
+
+This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **FlightData** Specifies a unique identifier for each group of Windows Insider builds.
+- **InstanceId** Retrieves a unique identifier for each instance of a setup session.
+- **Operation** Facilitator's last known operation (scan, download, etc.).
+- **ReportId** ID for tying together events stream side.
+- **ResultCode** Result returned for the entire setup operation.
+- **Scenario** Dynamic Update scenario (Image DU, or Setup DU).
+- **ScenarioId** Identifies the update scenario.
+- **TargetBranch** Branch of the target OS.
+- **TargetBuild** Build of the target OS.
+
+
+### Setup360Telemetry.Setup360MitigationResult
+
+This event sends data indicating the result of each setup mitigation. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **Applicable** TRUE if the mitigation is applicable for the current update.
+- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **CommandCount** The number of command operations in the mitigation entry.
+- **CustomCount** The number of custom operations in the mitigation entry.
+- **FileCount** The number of file operations in the mitigation entry.
+- **FlightData** The unique identifier for each flight (test release).
+- **Index** The mitigation index of this particular mitigation.
+- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **Name** The friendly (descriptive) name of the mitigation.
+- **OperationIndex** The mitigation operation index (in the event of a failure).
+- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure).
+- **RegistryCount** The number of registry operations in the mitigation entry.
+- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM.
+- **Result** HResult of this operation.
+- **ScenarioId** Setup360 flow type.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+
+
+### Setup360Telemetry.Setup360MitigationSummary
+
+This event sends a summary of all the setup mitigations available for this update. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **Applicable** The count of mitigations that were applicable to the system and scenario.
+- **ClientId** The Windows Update client ID passed to Setup.
+- **Failed** The count of mitigations that failed.
+- **FlightData** The unique identifier for each flight (test release).
+- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE.
+- **MitigationScenario** The update scenario in which the mitigations were attempted.
+- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM.
+- **Result** HResult of this operation.
+- **ScenarioId** Setup360 flow type.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+- **Total** The total number of mitigations that were available.
+
+
+### Setup360Telemetry.Setup360OneSettings
+
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ClientId** The Windows Update client ID passed to Setup.
+- **Count** The count of applicable OneSettings for the device.
+- **FlightData** The ID for the flight (test instance version).
+- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe.
+- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings.
+- **ReportId** The Update ID passed to Setup.
+- **Result** The HResult of the event error.
+- **ScenarioId** The update scenario ID.
+- **Values** Values sent back to the device, if applicable.
+
+
+### Setup360Telemetry.UnexpectedEvent
+
+This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+
+
+## Windows as a Service diagnostic events
+
+### Microsoft.Windows.WaaSMedic.StackDataResetPerformAction
+
+This event removes the datastore and allows corrupt devices to reattempt the update. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **DatastoreSizeInMB** Size of Datastore.edb file. Default: -1 if not set/unknown.
+- **FreeSpaceInGB** Free space on the device before deleting the datastore. Default: -1 if not set/unknown.
+- **HrLastFailure** Error code from the failed removal.
+- **HrResetDatastore** Result of the attempted removal.
+- **HrStopGroupOfServices** Result of stopping the services.
+- **MaskServicesStopped** Bit field to indicate which services were stopped succesfully. Bit on means success. List of services: usosvc(1<<0), dosvc(1<<1), wuauserv(1<<2), bits(1<<3).
+- **NumberServicesToStop** The number of services that require manual stopping.
+
+
+### Microsoft.Windows.WaaSMedic.SummaryEvent
+
+This event provides the result of the WaaSMedic operation. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **callerApplication** The name of the calling application.
+- **capsuleCount** The number of Sediment Pack capsules.
+- **capsuleFailureCount** The number of capsule failures.
+- **detectionSummary** Result of each applicable detection that was run.
+- **featureAssessmentImpact** WaaS Assessment impact for feature updates.
+- **hrEngineBlockReason** Indicates the reason for stopping WaaSMedic.
+- **hrEngineResult** Error code from the engine operation.
+- **hrLastSandboxError** The last error sent by the WaaSMedic sandbox.
+- **initSummary** Summary data of the initialization method.
+- **isInteractiveMode** The user started a run of WaaSMedic.
+- **isManaged** Device is managed for updates.
+- **isWUConnected** Device is connected to Windows Update.
+- **noMoreActions** No more applicable diagnostics.
+- **pluginFailureCount** The number of plugins that have failed.
+- **pluginsCount** The number of plugins.
+- **qualityAssessmentImpact** WaaS Assessment impact for quality updates.
+- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on.
+- **usingBackupFeatureAssessment** Relying on backup feature assessment.
+- **usingBackupQualityAssessment** Relying on backup quality assessment.
+- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run.
+- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run.
+- **versionString** Version of the WaaSMedic engine.
+- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter.
+
+
+## Windows Error Reporting events
+
+### Microsoft.Windows.WERVertical.OSCrash
+
+This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+
+The following fields are available:
+
+- **BootId** Uint32 identifying the boot number for this device.
+- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check.
+- **BugCheckParameter1** Uint64 parameter providing additional information.
+- **BugCheckParameter2** Uint64 parameter providing additional information.
+- **BugCheckParameter3** Uint64 parameter providing additional information.
+- **BugCheckParameter4** Uint64 parameter providing additional information.
+- **DumpFileAttributes** Codes that identify the type of data contained in the dump file
+- **DumpFileSize** Size of the dump file
+- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise
+- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
+
+
+## Windows Hardware Error Architecture events
+
+### WheaProvider.WheaDriverErrorExternal
+
+This event is sent when a common platform hardware error is recorded by an external WHEA error source driver. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **creatorId** A GUID that identifies the entity that created the error record.
+- **errorFlags** Flags set on the error record.
+- **notifyType** A GUID that identifies the notification mechanism by which an error condition is reported to the operating system.
+- **partitionId** A GUID that identifies the partition on which the hardware error occurred.
+- **platformId** A GUID that identifies the platform on which the hardware error occurred.
+- **record** A binary blob containing the full error record.
Due to the nature of common platform error records we have no way of fully parsing this blob for any given record.
+- **recordId** The identifier of the error record. This identifier is unique only on the system that created the error record.
+- **sectionFlags** The flags for each section recorded in the error record.
+- **sectionTypes** A GUID that represents the type of sections contained in the error record.
+- **severityCount** The severity of each individual section.
+- **timeStamp** Error time stamp as recorded in the error record.
+
+
+### WheaProvider.WheaDriverExternalLogginLimitReached
+
+This event indicates that WHEA has reached the logging limit for critical events from external drivers. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **timeStamp** Time at which the logging limit was reached.
+
+
+### WheaProvider.WheaErrorRecord
+
+This event collects data about common platform hardware error recorded by the Windows Hardware Error Architecture (WHEA) mechanism. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **creatorId** The unique identifier for the entity that created the error record.
+- **errorFlags** Any flags set on the error record.
+- **notifyType** The unique identifier for the notification mechanism which reported the error to the operating system.
+- **partitionId** The unique identifier for the partition on which the hardware error occurred.
+- **platformId** The unique identifier for the platform on which the hardware error occurred.
+- **record** A collection of binary data containing the full error record.
+- **recordId** The identifier of the error record.
+- **sectionFlags** The flags for each section recorded in the error record.
+- **sectionTypes** The unique identifier that represents the type of sections contained in the error record.
+- **severityCount** The severity of each individual section.
+- **timeStamp** The error time stamp as recorded in the error record.
+
+
+## Windows Update CSP events
+
+### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureFailed
+
+This event sends basic telemetry on the failure of the Feature Rollback. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **current** Result of currency check.
+- **dismOperationSucceeded** Dism uninstall operation status.
+- **hResult** Failure error code.
+- **oSVersion** Build number of the device.
+- **paused** Indicates whether the device is paused.
+- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
+- **sacDevice** This is the device info.
+- **wUfBConnected** Result of WUfB connection check.
+
+
+### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
+
+This event sends basic telemetry on whether Feature Rollback (rolling back features updates) is applicable to a device. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **current** Result of currency check.
+- **dismOperationSucceeded** Dism uninstall operation status.
+- **oSVersion** Build number of the device.
+- **paused** Indicates whether the device is paused.
+- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
+- **sacDevice** Represents the device info.
+- **wUfBConnected** Result of WUfB connection check.
+
+
+### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
+
+This event sends basic information indicating that Feature Rollback has started. The data collected with this event is used to help keep Windows secure and up to date.
+
+
+
+### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityFailed
+
+This event sends basic telemetry on the failure of the rollback of the Quality/LCU builds.
The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **current** Result of currency check.
+- **dismOperationSucceeded** Dism uninstall operation status.
+- **hResult** Failure Error code.
+- **oSVersion** Build number of the device.
+- **paused** Indicates whether the device is paused.
+- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
+- **sacDevice** Release Channel.
+- **wUfBConnected** Result of Windows Update for Business connection check.
+
+
+### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityNotApplicable
+
+This event informs you whether a rollback of Quality updates is applicable to the devices that you are attempting to rollback. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **current** Result of currency check.
+- **dismOperationSucceeded** Dism uninstall operation status.
+- **oSVersion** Build number of the device.
+- **paused** Indicates whether the device is paused.
+- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
+- **sacDevice** Device in the semi-annual channel.
+- **wUfBConnected** Result of WUfB connection check.
+
+
+### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted
+
+This event indicates that the Quality Rollback process has started. The data collected with this event is used to help keep Windows secure and up to date.
+
+
+
+## Windows Update Delivery Optimization events
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
+
+This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **background** Is the download being done in the background?
+- **bytesFromCacheServer** Bytes received from a cache host.
+- **bytesFromCDN** The number of bytes received from a CDN source.
+- **bytesFromGroupPeers** The number of bytes received from a peer in the same group.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group.
+- **bytesFromLedbat** The number of bytes received from a source using an Ledbat enabled connection.
+- **bytesFromLinkLocalPeers** The number of bytes received from local peers.
+- **bytesFromLocalCache** Bytes copied over from local (on disk) cache.
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
+- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **cdnIp** The IP Address of the source CDN (Content Delivery Network).
+- **cdnUrl** The URL of the source CDN (Content Delivery Network).
+- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session.
+- **errorCode** The error code that was returned.
+- **experimentId** When running a test, this is used to correlate events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **jobID** Identifier for the Windows Update job.
+- **predefinedCallerName** The name of the API Caller.
+- **reasonCode** Reason the action or event occurred.
+- **routeToCacheServer** The cache server setting, source, and value.
+- **sessionID** The ID of the file download session.
+- **sessionTimeMs** The duration of the download session, spanning multiple jobs, in milliseconds.
+- **totalTimeMs** The duration of the download, in milliseconds.
+- **updateID** The ID of the update being downloaded.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
+
+This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **background** Is the download a background download?
+- **bytesFromCacheServer** Bytes received from a cache host.
+- **bytesFromCDN** The number of bytes received from a CDN source.
+- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group.
+- **bytesFromLedbat** The number of bytes received from source using an Ledbat enabled connection.
+- **bytesFromLinkLocalPeers** The number of bytes received from local peers.
+- **bytesFromLocalCache** Bytes copied over from local (on disk) cache.
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
+- **bytesRequested** The total number of bytes requested for download.
+- **cacheServerConnectionCount** Number of connections made to cache hosts.
+- **cdnConnectionCount** The total number of connections made to the CDN.
+- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **cdnIp** The IP address of the source CDN.
+- **cdnUrl** Url of the source Content Distribution Network (CDN).
+- **congestionPrevention** Indicates a download may have been suspended to prevent network congestion.
+- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session.
+- **downlinkBps** The maximum measured available download bandwidth (in bytes per second).
+- **downlinkUsageBps** The download speed (in bytes per second).
+- **downloadMode** The download mode used for this file download session.
+- **downloadModeReason** Reason for the download.
+- **downloadModeSrc** Source of the DownloadMode setting.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **expiresAt** The time when the content will expire from the Delivery Optimization Cache.
+- **fileID** The ID of the file being downloaded.
+- **fileSize** The size of the file being downloaded.
+- **groupConnectionCount** The total number of connections made to peers in the same group.
+- **groupID** A GUID representing a custom group of devices.
+- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group.
+- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download.
+- **isThrottled** Event Rate throttled (event represents aggregated data).
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **jobID** Identifier for the Windows Update job.
+- **lanConnectionCount** The total number of connections made to peers in the same LAN.
+- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network.
+- **numPeers** The total number of peers used for this download.
+- **numPeersLocal** The total number of local peers used for this download.
+- **predefinedCallerName** The name of the API Caller.
+- **restrictedUpload** Is the upload restricted?
+- **routeToCacheServer** The cache server setting, source, and value.
+- **sessionID** The ID of the download session.
+- **sessionTimeMs** The duration of the session, in milliseconds.
+- **totalTimeMs** Duration of the download (in seconds).
+- **updateID** The ID of the update being downloaded.
+- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second).
+- **uplinkUsageBps** The upload speed (in bytes per second).
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused
+
+This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **background** Is the download a background download?
+- **cdnUrl** The URL of the source CDN (Content Delivery Network).
+- **errorCode** The error code that was returned.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being paused.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **jobID** Identifier for the Windows Update job.
+- **predefinedCallerName** The name of the API Caller object.
+- **reasonCode** The reason for pausing the download.
+- **routeToCacheServer** The cache server setting, source, and value.
+- **sessionID** The ID of the download session.
+- **sessionTimeMs** The duration of the download session, spanning multiple jobs, in milliseconds.
+- **totalTimeMs** The duration of the download, in milliseconds.
+- **updateID** The ID of the update being paused.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
+
+This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **background** Indicates whether the download is happening in the background.
+- **bytesRequested** Number of bytes requested for the download.
+- **cdnUrl** The URL of the source Content Distribution Network (CDN).
+- **costFlags** A set of flags representing network cost.
+- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM).
+- **diceRoll** Random number used for determining if a client will use peering.
+- **doClientVersion** The version of the Delivery Optimization client.
+- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100).
+- **downloadModeReason** Reason for the download.
+- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9).
+- **errorCode** The error code that was returned.
+- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing.
+- **fileID** The ID of the file being downloaded.
+- **filePath** The path to where the downloaded file will be written.
+- **fileSize** Total file size of the file that was downloaded.
+- **fileSizeCaller** Value for total file size provided by our caller.
+- **groupID** ID for the group.
+- **isEncrypted** Indicates whether the download is encrypted.
+- **isThrottled** Indicates the Event Rate was throttled (event represent aggregated data).
+- **isVpn** Indicates whether the device is connected to a Virtual Private Network.
+- **jobID** The ID of the Windows Update job.
+- **peerID** The ID for this delivery optimization client.
+- **predefinedCallerName** Name of the API caller.
+- **routeToCacheServer** Cache server setting, source, and value.
+- **sessionID** The ID for the file download session.
+- **setConfigs** A JSON representation of the configurations that have been set, and their sources.
+- **updateID** The ID of the update being downloaded.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
+
+This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads.
The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **cdnHeaders** The HTTP headers returned by the CDN.
+- **cdnIp** The IP address of the CDN.
+- **cdnUrl** The URL of the CDN.
+- **errorCode** The error code that was returned.
+- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **httpStatusCode** The HTTP status code returned by the CDN.
+- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET
+- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.).
+- **requestOffset** The byte offset within the file in the sent request.
+- **requestSize** The size of the range requested from the CDN.
+- **responseSize** The size of the range response received from the CDN.
+- **sessionID** The ID of the download session.
+
+
+## Windows Update events
+
+### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationCompleted
+
+This event sends data collected at the end of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date.
+
+The following fields are available:
+
+- **CorrelationVectors** The correlation vectors associated with migration.
+- **MigrationDurationInMilliseconds** How long the DMF migration took (in milliseconds)
+- **MigrationEndTime** A system timestamp of when the DMF migration completed.
+- **WuClientId** The GUID of the Windows Update client responsible for triggering the DMF migration
+
+
+### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationStarted
+
+This event sends data collected at the beginning of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date.
+
+The following fields are available:
+
+- **CorrelationVectors** CVs associated with each phase.
+- **MigrationMicrosoftPhases** The number of Microsoft-authored migrators scheduled to be ran by DMF for this upgrade
+- **MigrationOEMPhases** The number of OEM-authored migrators scheduled to be ran by DMF for this upgrade
+- **MigrationStartTime** The timestamp representing the beginning of the DMF migration
+- **WuClientId** The GUID of the Windows Update client invoking DMF
+
+
+### Microsoft.Windows.Update.DataMigrationFramework.MigratorResult
+
+This event sends DMF migrator data to help keep Windows up to date.
+
+The following fields are available:
+
+- **CurrentStep** This is the last step the migrator reported before returning a result. This tells us how far through the individual migrator the device was before failure.
+- **ErrorCode** The result (as an HRESULT) of the migrator that just completed.
+- **MigratorId** A GUID identifying the migrator that just completed.
+- **MigratorName** The name of the migrator that just completed.
+- **RunDurationInSeconds** The time it took for the migrator to complete.
+- **TotalSteps** Migrators report progress in number of completed steps against the total steps. This is the total number of steps.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary
+
+This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **activated** Whether the entire device manifest update is considered activated and in use.
+- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis.
+- **flightId** Unique ID for each flight.
+- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system.
+- **missingUpdateCount** The number of updates in the device manifest that are missing from the system.
+- **objectId** Unique value for each diagnostics session.
+- **publishedCount** The number of drivers packages delivered by the device manifest that are published and available to be used on devices.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **scenarioId** Indicates the update scenario.
+- **sessionId** Unique value for each update session.
+- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match.
+- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string.
+- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string.
+- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string.
+- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices.
+- **updateId** The unique ID for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest
+
+This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted.
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **objectId** Unique value for each Update Agent mode.
+- **packageCountOptional** Number of optional packages requested.
+- **packageCountRequired** Number of required packages requested.
+- **packageCountTotal** Total number of packages needed.
+- **packageCountTotalCanonical** Total number of canonical packages.
+- **packageCountTotalDiff** Total number of diff packages.
+- **packageCountTotalExpress** Total number of express packages.
+- **packageSizeCanonical** Size of canonical packages in bytes.
+- **packageSizeDiff** Size of diff packages in bytes.
+- **packageSizeExpress** Size of express packages in bytes.
+- **rangeRequestState** Represents the state of the download range request.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Result of the download request phase of update.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique ID for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize
+
+This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **flightMetadata** Contains the FlightId and the build being flighted.
+- **objectId** Unique value for each Update Agent mode.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique ID for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall
+
+This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current install phase.
+- **flightId** The unique identifier for each flight.
+- **objectId** The unique identifier for each diagnostics session.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Outcome of the install phase of the update.
+- **scenarioId** The unique identifier for the update scenario.
+- **sessionId** The unique identifier for each update session.
+- **updateId** The unique identifier for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart
+
+This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **flightId** The unique identifier for each flight.
+- **mode** The mode that is starting.
+- **objectId** The unique value for each diagnostics session.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique identifier for each update.
+
+
+### Microsoft.Windows.Update.Orchestrator.Client.BizCriticalStoreAppInstallResult
+
+This event returns the result after installing a business critical store application. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **AppInstallState** The application installation state.
+- **HRESULT** The result code (HResult) of the install.
+- **PFN** The package family name of the package being installed.
+
+
+### Microsoft.Windows.Update.Orchestrator.Client.EdgeUpdateResult
+
+The event returns data on the result of invoking the edge updater. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ExitCode** The exit code that was returned.
+- **HRESULT** The result code (HResult) of the operation.
+- **VelocityEnabled** A flag that indicates if velocity is enabled.
+- **WorkCompleted** A flag that indicates if work is completed.
+
+
+### Microsoft.Windows.Update.Orchestrator.Client.MACUpdateInstallResult
+
+This event reports the installation result details of the MACUpdate expedited application. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **Completed** Indicates whether the installation is complete.
+- **InstallFailureReason** Indicates the reason an install failed.
+- **IsRetriableError** Indications whether the error is retriable.
+- **OperationStatus** Returns the operation status result reported by the installation attempt.
+- **Succeeded** Indicates whether the installation succeeded.
+- **VelocityEnabled** Indicates whether the velocity tag for MACUpdate is enabled.
+
+
+### Microsoft.Windows.Update.Orchestrator.UX.InitiatingReboot
+
+This event indicates that a restart was initiated in to enable the update process. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **correlationVector.c_str()** Represents the correlation vector.
+- **isInteractive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action or not.
+- **isOnAC** Indicates whether the device was on AC power when the restart was initiated.
+- **isRebootOutsideOfActiveHours** is reboot outside active hours.
+- **isRebootScheduledByUser** is reboot scheduled by user.
+- **reduceDisruptionFlagSet** Indicates whether the disruptless overnight reboot behavior is enabled.
+- **updateIdList** list of Update ID.
+- **wokeToRestart** whether the device woke to perform the restart.
+
+
+### Microsoft.Windows.Update.Orchestrator.UX.RebootFailed
+
+This event indicates that the reboot failed and the update process failed to determine next steps. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **batteryLevel** Battery level percentage.
+- **correlationVector.c_str()** correlation vector.
+- **error** error for reboot failed.
+- **isRebootOutsideOfActiveHours** Indicates the timing that the failed reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateIdList** List of update ids.
+
+
+### Microsoft.Windows.Update.Orchestrator.Worker.OobeUpdateApproved
+
+This event signifies an update being approved around the OOBE time period. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **approved** Flag to determine if it is approved or not.
+- **provider** The provider related to which the update is approved.
+- **publisherIntent** The publisher intent of the Update.
+- **update** Additional information about the Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.Worker.UpdateActionCritical
+
+This event informs the update related action being performed around the OOBE timeframe. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **action** The type of action being performed (Install or download etc.).
+- **connectivity** Informs if the device is connected to network while this action is performed.
+- **freeDiskSpaceInMB** Amount of free disk space.
+- **interactive** Informs if this action is caused due to user interaction.
+- **priority** The CPU and IO priority this action is being performed on.
+- **provider** The provider that is being invoked to perform this action (WU, Legacy UO Provider etc.).
+- **update** Update related metadata including UpdateId.
+- **uptimeMinutes** Duration USO for up for in the current boot session.
+- **wilActivity** Wil Activity related information.
+
+
+### Microsoft.Windows.Update.WUClient.CheckForUpdatesCanceled
+
+This event checks for updates canceled on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **ActivityMatchingId** Unique identifier for a single CheckForUpdates session from initialization to completion.
+- **AllowCachedResults** Indicates if the scan allowed using cached results.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **DriverSyncPassPerformed** A flag indicating whether the driver sync is performed in a update scan.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6).
+- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag indicated is WU-For-Business target version is enabled on the device.
+- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce.
+- **NumberOfApplicationsCategoryScanEvaluated** Number of categories (apps) for which an app update scan checked.
+- **NumberOfLoop** Number of roundtrips the scan required.
+- **NumberOfNewUpdatesFromServiceSync** Number of updates which were seen for the first time in this scan.
+- **NumberOfUpdatesEvaluated** Number of updates evaluated by the scan.
+- **NumFailedMetadataSignatures** Number of metadata signatures checks which failed for new metadata synced down.
+- **Online** Indicates if this was an online scan.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ScanDurationInSeconds** Number of seconds the scan took to complete.
+- **ScanEnqueueTime** Number of seconds it took to initialize the scan.
+- **ScanProps** This will be a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits will be used; all remaining bits will be reserved and set to zero. Bit 0 (0x1): IsInteractive -- will be set to 1 if the scan is requested by a user, or to 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker -- will be set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates).
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **ServiceUrl** Environment URL for which a device is configured to scan.
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **SyncType** Describes the type of scan for this event (1-Full Sync, 2-Delta Sync, 3-Full CatScan Sync, 4-Delta CatScan Sync).
+- **TotalNumMetadataSignatures** The detected version of the self healing engine that is currently downloading or downloaded.
+- **WUDeviceID** The detected version of the self healing engine that is currently downloading or downloaded.
+
+
+### Microsoft.Windows.Update.WUClient.CheckForUpdatesFailed
+
+This event checks for failed updates on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **ActivityMatchingId** Unique identifier for a single CheckForUpdates session from initialization to completion.
+- **AllowCachedResults** Indicates if the scan allowed using cached results.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **CapabilityDetectoidGuid** GUID for a hardware applicability detectoid that could not be evaluated.
+- **CDNCountryCode** Two letter country abbreviation for the CDN's location.
+- **CDNId** ID which defines which CDN the software distribution client downloaded the content from.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **DriverError** The error code hit during a driver scan, or 0 if no error was hit.
+- **DriverSyncPassPerformed** A flag indicating whether the driver sync is performed in a update scan.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **ExtendedMetadataCabUrl** URL for the extended metadata cab.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FailedUpdateGuids** GUIDs for the updates that failed to be evaluated during the scan.
+- **FailedUpdatesCount** Number of updates that failed to be evaluated during the scan.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6).
+- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag indicated is WU-For-Business target version is enabled on the device.
+- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce.
+- **MSIError** The last error encountered during a scan for updates.
+- **NetworkConnectivityDetected** 0 when IPv4 is detected, 1 when IPv6 is detected.
+- **NumberOfApplicationsCategoryScanEvaluated** Number of categories (apps) for which an app update scan checked.
+- **NumberOfLoop** Number of roundtrips the scan required.
+- **NumberOfNewUpdatesFromServiceSync** Number of updates which were seen for the first time in this scan.
+- **NumberOfUpdatesEvaluated** Number of updates evaluated by the scan.
+- **NumFailedMetadataSignatures** Number of metadata signatures checks which failed for new metadata synced down.
+- **Online** Indicates if this was an online scan.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ScanDurationInSeconds** Number of seconds the scan took to complete.
+- **ScanEnqueueTime** Number of seconds it took to initialize the scan.
+- **ScanProps** This will be a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits will be used; all remaining bits will be reserved and set to zero. Bit 0 (0x1): IsInteractive -- will be set to 1 if the scan is requested by a user, or to 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker -- will be set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates).
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **ServiceUrl** Environment URL for which a device is configured to scan.
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult.).
+- **SyncType** Describes the type of scan for this event (1-Full Sync, 2-Delta Sync, 3-Full CatScan Sync, 4-Delta CatScan Sync).
+- **TotalNumMetadataSignatures** The detected version of the self healing engine that is currently downloading or downloaded.
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClient.CheckForUpdatesRetry
+
+This event checks for update retries on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **ActivityMatchingId** Unique identifier for a single CheckForUpdates session from initialization to completion.
+- **AllowCachedResults** Indicates if the scan allowed using cached results.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **DriverSyncPassPerformed** The list of identifiers which could be used for uninstalling the drivers when a recovery is required.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **ExtendedStatusCode** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc.
+- **FeatureUpdatePause** Failed Parse actions.
+- **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6).
+- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device.
+- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce.
+- **NumberOfApplicationsCategoryScanEvaluated** Number of categories (apps) for which an app update scan checked.
+- **NumberOfLoop** Number of roundtrips the scan required.
+- **NumberOfNewUpdatesFromServiceSync** Number of updates which were seen for the first time in this scan.
+- **NumberOfUpdatesEvaluated** Number of updates evaluated by the scan.
+- **NumFailedMetadataSignatures** Number of metadata signatures checks which failed for new metadata synced down.
+- **Online** Indicates if this was an online scan.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ScanDurationInSeconds** Number of seconds the scan took to complete.
+- **ScanEnqueueTime** Number of seconds it took to initialize the scan.
+- **ScanProps** This will be a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits will be used; all remaining bits will be reserved and set to zero. Bit 0 (0x1): IsInteractive -- will be set to 1 if the scan is requested by a user, or to 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker -- will be set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates).
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **ServiceUrl** Environment URL for which a device is configured to scan.
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **SyncType** Describes the type of scan for this event (1-Full Sync, 2-Delta Sync, 3-Full CatScan Sync, 4-Delta CatScan Sync).
+- **TotalNumMetadataSignatures** Total number of metadata signatures checks done for new metadata synced down.
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClient.CheckForUpdatesScanInitFailed
+
+This event checks for failed update initializations on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClient.CheckForUpdatesServiceRegistrationFailed
+
+This event checks for updates for failed service registrations the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **Context** Context of failure.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClient.CheckForUpdatesStarted
+
+This event checks for updates started on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **ActivityMatchingId** Unique identifier for a single CheckForUpdates session from initialization to completion.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
+- **IsWUfBFederatedScanDisabled** Flag indicated is WU-for-Business FederatedScan is disabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClient.CheckForUpdatesSucceeded
+
+This event checks for successful updates on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **ActivityMatchingId** Unique identifier for a single CheckForUpdates session from initialization to completion.
+- **AllowCachedResults** Indicates if the scan allowed using cached results.
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable.
+- **BranchReadinessLevel** Servicing branch train configured on the device (CB, CBB, none).
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000).
+- **DeferredUpdates** UpdateIds which are currently being deferred until a later time.
+- **DriverExclusionPolicy** Indicates if policy for not including drivers with WU updates is enabled.
+- **DriverSyncPassPerformed** A flag indicating whether the driver sync is performed in a update scan.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **ExcludedUpdateClasses** Update classifications being excluded via policy.
+- **ExcludedUpdates** UpdateIds which are currently being excluded via policy.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FeatureUpdateDeferral** Deferral period configured for feature OS updates on the device, in days.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FeatureUpdatePausePeriod** Pause duration configured for feature OS updates on the device, in days.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6).
+- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device.
+- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce.
+- **NumberOfApplicableUpdates** Number of updates which were ultimately deemed applicable to the system after detection process is complete.
+- **NumberOfApplicationsCategoryScanEvaluated** Number of categories (apps) for which an app update scan checked.
+- **NumberOfLoop** Number of roundtrips the scan required.
+- **NumberOfNewUpdatesFromServiceSync** Number of updates which were seen for the first time in this scan.
+- **NumberOfUpdatesEvaluated** Number of updates evaluated by the scan.
+- **NumFailedMetadataSignatures** Number of metadata signatures checks which failed for new metadata synced down.
+- **Online** Indicates if this was an online scan.
+- **PausedUpdates** UpdateIds which are currently being paused.
+- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, datetime for the end of the pause time window.
+- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, datetime for the beginning of the pause time window.
+- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, datetime for the end of the pause time window.
+- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, datetime for the beginning of the pause time window.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdateDeferral** Deferral period configured for quality OS updates on the device, in days.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **QualityUpdatePausePeriod** Pause duration configured for quality OS updates on the device, in days.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ScanDurationInSeconds** Number of seconds the scan took to complete.
+- **ScanEnqueueTime** Number of seconds it took to initialize the scan.
+- **ScanProps** This will be a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits will be used; all remaining bits will be reserved and set to zero. Bit 0 (0x1): IsInteractive -- will be set to 1 if the scan is requested by a user, or to 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker -- will be set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates).
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **ServiceUrl** Environment URL for which a device is configured to scan.
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **SyncType** Describes the type of scan for this event (1-Full Sync, 2-Delta Sync, 3-Full CatScan Sync, 4-Delta CatScan Sync).
+- **TargetReleaseVersion** For drivers targeted to a specific device model, this is the version release of the drivers being distributed to the device.
+- **TotalNumMetadataSignatures** Total number of metadata signatures checks done for new metadata synced down.
+- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete the operation.
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClient.CommitFailed
+
+This event checks for failed commits on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **DeploymentMutexId** Mutex identifier of the deployment operation.
+- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation.
+- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider.
+- **EventType** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc.
+- **ExtendedStatusCode** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **FlightId** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UpdateId** Identifier associated with the specific piece of content.
+
+
+### Microsoft.Windows.Update.WUClient.CommitStarted
+
+This event tracks the commit started event on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **DeploymentMutexId** Mutex identifier of the deployment operation.
+- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation.
+- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FlightId** The specific id of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UpdateId** Identifier associated with the specific piece of content.
+
+
+### Microsoft.Windows.Update.WUClient.CommitSucceeded
+
+This event is used to track the commit succeeded process, after the update installation, when the software update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **DeploymentMutexId** Mutex identifier of the deployment operation.
+- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation.
+- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider.
+- **EventType** Indicates the purpose of the event - whether scan started, succeeded, failed, etc.
+- **ExtendedStatusCode** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **FlightId** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **HandlerType** The specific id of the flight the device is getting.
+- **RevisionNumber** Indicates the kind of content (app, driver, windows patch, etc.).
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UpdateId** Identifier associated with the specific piece of content.
+
+
+### Microsoft.Windows.Update.WUClient.DownloadCanceled
+
+This event tracks the download canceled event when the update client is trying to update the device.
The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **ActiveDownloadTime** Identifies the active total transferring time in seconds.
+- **AppXBlockHashFailures** Number of block hash failures.
+- **AppXScope** Indicates the scope of the app download. The values can be one of the following: "RequiredContentOnly" - Only the content required to launch the app is being downloaded "AutomaticContentOnly" - Only the optional [automatic] content for the app, i.e. the ones that can downloaded after the app has been launched, is being downloaded "AllContent" - All content for the app, including the optional [automatic] content, is being downloaded.
+- **BundleBytesDownloaded** Number of bytes downloaded for bundle.
+- **BundleId** Name of application making the Windows Update request. Used to identify context of request.
+- **BundleRepeatFailCount** Identifies the number of repeated download failures.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **BytesDownloaded** Identifies the number of bytes downloaded.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **CancelReason** Reason why download is canceled.
+- **CbsMethod** Identifies the CBS SelfContained method.
+- **CDNCountryCode** CDN country identifier.
+- **CDNId** CDN Identifier.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **ConnectTime** Identifies the total connection time in milliseconds.
+- **DownloadPriority** Indicates the priority of the download activity.
+- **DownloadProps** Indicates a bitmask for download operations indicating 1.
If an update was downloaded to a system volume (least significant bit i.e. bit 0) 2. If the update was from a channel other than the installed channel (bit 1) 3. If the update was for a product pinned by policy (bit 2) 4. If the deployment action for the update is uninstall (bit 3).
+- **DownloadStartTime** Identifies the download start time.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** Indicates the build number of that flight.
+- **FlightId** The specific id of the flight the device is getting.
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **HostName** Identifies the hostname.
+- **IPVersion** Identifies the IP Connection Type version.
+- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **NetworkCost** Identifies the network cost.
+- **NetworkRestrictionStatus** When download is done, identifies whether network switch happened to restricted.
+- **PackageFullName** Package name of the content.
+- **PostDnldTime** Identifies the delay after last job in seconds.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **RepeatFailCount** Identifies repeated download failure count.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **SizeCalcTime** Identifies time taken for payload size calculation.
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TotalExpectedBytes** Identifies the total expected download bytes.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended).
+- **UsedDO** Identifies if used DO.
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClient.DownloadFailed
+
+This event tracks the download failed event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **ActiveDownloadTime** Identifies the active total transferring time in seconds.
+- **AppXBlockHashFailures** Number of block hash failures.
+- **AppXScope** Identifies streaming app phase.
+- **BundleBytesDownloaded** Number of bytes downloaded for bundle.
+- **BundleId** Name of application making the Windows Update request. Used to identify context of request.
+- **BundleRepeatFailCount** Identifies the number of repeated download failures.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **BytesDownloaded** Identifies the number of bytes downloaded.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **CbsMethod** Identifies the CBS SelfContained method.
+- **CDNCountryCode** Identifies the source CDN country code.
+- **CDNId** CDN Identifier.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **ConnectTime** Identifies the total connection time in milliseconds.
+- **DownloadPriority** Indicates the priority of the download activity.
+- **DownloadProps** Indicates a bitmask for download operations indicating 1. If an update was downloaded to a system volume (least significant bit i.e. bit 0) 2. If the update was from a channel other than the installed channel (bit 1) 3. If the update was for a product pinned by policy (bit 2) 4. If the deployment action for the update is uninstall (bit 3).
+- **DownloadStartTime** Identifies the download start time.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** Indicates the build number of that flight.
+- **FlightId** The specific id of the flight the device is getting.
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **HostName** Identifies the hostname.
+- **IPVersion** Identifies the IP Connection Type version.
+- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **NetworkCost** Identifies the network cost.
+- **NetworkRestrictionStatus** When download is done, identifies whether network switch happened to restricted.
+- **PackageFullName** The package name of the content.
+- **PostDnldTime** Identifies the delay after last job in seconds.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **RepeatFailCount** Identifies repeated download failure count.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **SizeCalcTime** Identifies time taken for payload size calculation.
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TotalExpectedBytes** Identifies the total expected download bytes.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended).
+- **UsedDO** Identifies if used DO.
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClient.DownloadQueued
+
+This event tracks the download queued event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **DownloadPriority** Indicates the priority of the download activity.
+- **DownloadProps** Indicates a bitmask for download operations indicating 1. If an update was downloaded to a system volume (least significant bit i.e. bit 0) 2. If the update was from a channel other than the installed channel (bit 1) 3. If the update was for a product pinned by policy (bit 2) 4. If the deployment action for the update is uninstall (bit 3).
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** Indicates the build number of that flight.
+- **FlightId** The specific id of the flight the device is getting.
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device.
+- **PackageFullName** The package name of the content.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **Reason** Regulation reason of why queued.
+- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended).
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClient.DownloadStarted
+
+This event tracks the download started event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **DownloadPriority** Indicates the priority of the download activity.
+- **DownloadProps** Indicates a bitmask for download operations indicating 1. If an update was downloaded to a system volume (least significant bit i.e. bit 0) 2. If the update was from a channel other than the installed channel (bit 1) 3. If the update was for a product pinned by policy (bit 2) 4. If the deployment action for the update is uninstall (bit 3).
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** Indicates the build number of that flight.
+- **FlightId** The specific id of the flight the device is getting.
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device.
+- **PackageFullName** The package name of the content.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended).
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClient.DownloadSucceeded
+
+This event tracks the successful download event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn’t actively being downloaded.
+- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload.
+- **AppXScope** Indicates the scope of the app download. The values can be one of the following: "RequiredContentOnly" - Only the content required to launch the app is being downloaded "AutomaticContentOnly" - Only the optional [automatic] content for the app, i.e. the ones that can downloaded after the app has been launched, is being downloaded "AllContent" - All content for the app, including the optional [automatic] content, is being downloaded.
+- **BundleBytesDownloaded** Indicates the bytes downloaded for bundle.
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailCount** Identifies the number of repeated download failures.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **BytesDownloaded** How many bytes were downloaded for an individual piece of content (not the entire bundle).
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. This value can be one of the following: 1. Express download method was used for download. 2. SelfContained download method was used for download indicating the update had no express content. 3. SelfContained download method was used indicating that the update has an express payload, but the server is not hosting it. 4. SelfContained download method was used indicating that range requests are not supported. 5. SelfContained download method was used indicating that the system does not support express download (dpx.dll is not present). 6. SelfContained download method was used indicating that self-contained download method was selected previously. 7. SelfContained download method was used indicating a fall back to self-contained if the number of requests made by DPX exceeds a certain threshold.
+- **CDNCountryCode** Two letter country abbreviation for the CDN's location.
+- **CDNId** ID which defines which CDN the software distribution client downloaded the content from.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **ConnectTime** Indicates the cumulative sum (in seconds) of how long it took to establish the connection for all updates in an update bundle.
+- **DownloadPriority** Indicates the priority of the download activity.
+- **DownloadProps** Indicates a bitmask for download operations indicating 1.
If an update was downloaded to a system volume (least significant bit i.e. bit 0) 2. If the update was from a channel other than the installed channel (bit 1) 3. If the update was for a product pinned by policy (bit 2) 4. If the deployment action for the update is uninstall (bit 3).
+- **DownloadStartTime** Start time in FILETIME for the download.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** Indicates the build number of that flight.
+- **FlightId** The specific id of the flight the device is getting.
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **HostName** The hostname URL the content is downloading from.
+- **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6)
+- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device.
+- **NetworkCost** A flag indicating the cost of the network being used for downloading the update content. That could be one of the following values0x0 : Unkown0x1 : Network cost is unrestricted0x2 : Network cost is fixed0x4 : Network cost is variable0x10000 : Network cost over data limit0x20000 : Network cost congested0x40000 : Network cost roaming0x80000 : Network cost approaching data limit.
+- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be “metered”.
+- **PackageFullName** The package name of the content.
+- **PostDnldTime** Time taken, in seconds, to signal download completion after the last job has completed downloading payload.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **RepeatFailCount** Indicates whether this specific piece of content had previously failed.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **SizeCalcTime** Time taken, in seconds, to calculate the total download size of the payload.
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TotalExpectedBytes** Total count of bytes that the download is expected (total size of the download.).
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended).
+- **UsedDO** Indicates whether the download used the delivery optimization service.
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClient.DownloadSwitchingToBITS
+
+This event tracks the download switching to BITS event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Name of application making the Windows Update request. Used to identify context of request.
+- **BundleRevisionNumber** Identifies the number of repeated download failures.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **DownloadPriority** Indicates the priority of the download activity.
+- **DownloadProps** Indicates a bitmask for download operations indicating 1. If an update was downloaded to a system volume (least significant bit i.e. bit 0) 2. If the update was from a channel other than the installed channel (bit 1) 3. If the update was for a product pinned by policy (bit 2) 4. If the deployment action for the update is uninstall (bit 3).
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** Indicates the build number of that flight.
+- **FlightId** The specific id of the flight the device is getting.
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **PackageFullName** The package name of the content.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended).
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClient.InstallCanceled
+
+This event tracks the install canceled event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **CSIErrorType** Stage of CBS installation where it failed.
+- **DeploymentMutexId** Mutex identifier of the deployment operation.
+- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation.
+- **DeploymentProviderMode** Name of the module which is hosting the Update Deployment Provider for deployment operation.
+- **DriverPingBack** Contains information about the previous driver and system state.
+- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **ExtendedErrorCode** The extended error code.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** Indicates the build number of that flight.
+- **FlightId** The specific id of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **InstallProps** A bitmask for future flags associated with the install operation. There is no value being reported in this field right now. Expected value for this field is 0.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process.
+- **IsFirmware** Indicates whether an update was a firmware update.
+- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot.
+- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
+- **MsiAction** Stage of MSI installation where it failed.
+- **MsiProductCode** Unique identifier of the MSI installer.
+- **PackageFullName** The package name of the content.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **RepeatFailCount** Indicates whether this specific piece of content had previously failed.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **TransactionCode** ID which represents a given MSI installation.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended).
+- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used.
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClient.InstallFailed
+
+This event tracks the install failed event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **CSIErrorType** Stage of CBS installation where it failed.
+- **DeploymentMutexId** Mutex identifier of the deployment operation.
+- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation.
+- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider.
+- **DriverPingBack** Contains information about the previous driver and system state.
+- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **ExtendedErrorCode** The extended error code.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** Indicates the build number of that flight.
+- **FlightId** The specific id of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **InstallProps** A bitmask for future flags associated with the install operation. There is no value being reported in this field right now. Expected value for this field is 0.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process.
+- **IsFirmware** Indicates whether an update was a firmware update.
+- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot.
+- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
+- **MsiAction** Stage of MSI installation where it failed.
+- **MsiProductCode** Unique identifier of the MSI installer.
+- **PackageFullName** The package name of the content.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **RepeatFailCount** Indicates whether this specific piece of content had previously failed.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **TransactionCode** ID which represents a given MSI installation.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended).
+- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used.
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClient.InstallRebootPending
+
+This event tracks the install reboot pending event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **CSIErrorType** Stage of CBS installation where it failed.
+- **DeploymentMutexId** Mutex identifier of the deployment operation.
+- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation.
+- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider.
+- **DriverPingBack** Contains information about the previous driver and system state.
+- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **ExtendedErrorCode** The extended error code.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** Indicates the build number of that flight.
+- **FlightId** The specific id of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **InstallProps** A bitmask for future flags associated with the install operation. There is no value being reported in this field right now. Expected value for this field is 0.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process.
+- **IsFirmware** Indicates whether an update was a firmware update.
+- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot.
+- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
+- **MsiAction** Stage of MSI installation where it failed.
+- **MsiProductCode** Unique identifier of the MSI installer.
+- **PackageFullName** The package name of the content.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **RepeatFailCount** Indicates whether this specific piece of content had previously failed.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **TransactionCode** ID which represents a given MSI installation.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended).
+- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used.
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClient.InstallStarted
+
+The event tracks the install started event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **CSIErrorType** Stage of CBS installation where it failed.
+- **DeploymentMutexId** Mutex identifier of the deployment operation.
+- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation.
+- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider.
+- **DriverPingBack** Contains information about the previous driver and system state.
+- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **ExtendedErrorCode** The extended error code.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** Indicates the build number of that flight.
+- **FlightId** The specific id of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **InstallProps** A bitmask for future flags associated with the install operation. There is no value being reported in this field right now. Expected value for this field is 0.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process.
+- **IsFirmware** Indicates whether an update was a firmware update.
+- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot.
+- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
+- **MsiAction** Stage of MSI installation where it failed.
+- **MsiProductCode** Unique identifier of the MSI installer.
+- **PackageFullName** The package name of the content.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **RepeatFailCount** Indicates whether this specific piece of content had previously failed.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **TransactionCode** ID which represents a given MSI installation.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended).
+- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used.
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClient.InstallSucceeded
+
+The event tracks the successful install event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **CSIErrorType** Stage of CBS installation where it failed.
+- **DeploymentMutexId** Mutex identifier of the deployment operation.
+- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation.
+- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider.
+- **DriverPingBack** Contains information about the previous driver and system state.
+- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **ExtendedErrorCode** The extended error code.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** Indicates the build number of that flight.
+- **FlightId** The specific id of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **InstallProps** A bitmask for future flags associated with the install operation. There is no value being reported in this field right now. Expected value for this field is 0.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process.
+- **IsFirmware** Indicates whether an update was a firmware update.
+- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot.
+- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
+- **MsiAction** Stage of MSI installation where it failed.
+- **MsiProductCode** Unique identifier of the MSI installer.
+- **PackageFullName** The package name of the content.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **RepeatFailCount** Indicates whether this specific piece of content had previously failed.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **TransactionCode** ID which represents a given MSI installation.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended).
+- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used.
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClient.RevertFailed
+
+This event tracks the revert failed event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **CSIErrorType** Stage of CBS installation where it failed.
+- **DeploymentMutexId** Mutex identifier of the deployment operation.
+- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation.
+- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider.
+- **DriverPingBack** Contains information about the previous driver and system state.
+- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** Indicates the build number of that flight.
+- **FlightId** The specific id of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process.
+- **IsFirmware** Indicates whether an update was a firmware update.
+- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot.
+- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **RepeatFailCount** Indicates whether this specific piece of content had previously failed.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended).
+- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used.
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClient.RevertStarted
+
+This event tracks the revert started event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **CSIErrorType** Stage of CBS installation where it failed.
+- **DeploymentMutexId** Mutex identifier of the deployment operation.
+- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation.
+- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider.
+- **DriverPingBack** Contains information about the previous driver and system state.
+- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** Indicates the build number of that flight.
+- **FlightId** The specific id of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process.
+- **IsFirmware** Indicates whether an update was a firmware update.
+- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot.
+- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **RepeatFailCount** Indicates whether this specific piece of content had previously failed.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended).
+- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used.
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClient.RevertSucceeded
+
+The event tracks the successful revert event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **CSIErrorType** Stage of CBS installation where it failed.
+- **DeploymentMutexId** Mutex identifier of the deployment operation.
+- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation.
+- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider.
+- **DriverPingBack** Contains information about the previous driver and system state.
+- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** Indicates the build number of that flight.
+- **FlightId** The specific id of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process.
+- **IsFirmware** Indicates whether an update was a firmware update.
+- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot.
+- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **RepeatFailCount** Indicates whether this specific piece of content had previously failed.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended).
+- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used.
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClient.UpdateDetected
+
+This event tracks the update detected event when the software update client is trying to update the device. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **NumberOfApplicableUpdates** Number of updates which were ultimately deemed applicable to the system after detection process is complete.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClientExt.DataStoreHealth
+
+This event tracks the health of the data store. The data store stores updated metadata synced from the update services, service endpoint information synced from SLS services, and in-progress update data so the update client can continue to serve after reboot. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **EventScenario** Indicates the purpose of the event, for example, whether the scan started, succeeded or failed.
+- **StatusCode** The result code of the event (success, cancellation, failure code HResult).
+
+
+### Microsoft.Windows.Update.WUClientExt.DownloadCheckpoint
+
+This is a checkpoint event between the Windows Update download phases for UUP content. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClientVersion** Version number of the software distribution client.
+- **EventScenario** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FileId** Unique identifier for the downloaded file.
+- **FileName** Name of the downloaded file.
+- **FlightId** The specific id of the flight the device is getting.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UpdateId** Identifier associated with the specific piece of content.
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClientExt.DownloadHeartbeat
+
+This event allows tracking of ongoing downloads and contains data to explain the current state of the download. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **BytesTotal** Total bytes to transfer for this content.
+- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClientVersion** Version number of the software distribution client.
+- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat.
+- **CurrentError** Last (transient) error encountered by the active download.
+- **DownloadFlags** Flags indicating if power state is ignored.
+- **DownloadState** Current state of the active download for this content (queued, suspended, progressing).
+- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver".
+- **FlightId** The specific id of the flight the device is getting.
+- **IsNetworkMetered** Indicates whether Windows considered the current network to be “metered”.
+- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any.
+- **MOUpdateDownloadLimit** Mobile operator cap on size of OS update downloads, if any.
+- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, Connected Standby).
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **ResumeCount** Number of times this active download has resumed from a suspended state.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **SuspendCount** Number of times this active download has entered a suspended state.
+- **SuspendReason** Last reason for which this active download has entered suspended state.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegrity
+
+This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **EndpointUrl** Endpoint where client obtains update metadata. Used to identify test vs staging vs production environments.
+- **EventScenario** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **LeafCertId** Integral id from the FragmentSigning data for certificate which failed.
+- **ListOfSHA256OfIntermediateCerData** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce.
+- **MetadataIntegrityMode** Base64 string of the signature associated with the update metadata (specified by revision id).
+- **MetadataSignature** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce.
+- **RawMode** Raw unparsed mode string from the SLS response. Null if not applicable.
+- **RawValidityWindowInDays** Raw unparsed mode string from the SLS response. May be null if not applicable.
+- **RevisionId** Identifies the revision of this specific piece of content.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **SHA256OfLeafCerData** Base64 encoding of hash of the Base64CertData in the FragmentSigning data of leaf certificate.
+- **SHA256OfLeafCertPublicKey** Base64 string of hash of the leaf cert public key.
+- **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob.
+- **SignatureAlgorithm** Hash algorithm for the metadata signature.
+- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast".
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **ValidityWindowInDays** Validity window in days.
+
+
+### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegrityFragmentSigning
+
+This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments.
+- **EventScenario** Field indicating the sub-phase event scenario.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **LeafCertId** Integral id from the FragmentSigning data for certificate which failed.
+- **ListOfSHA256OfIntermediateCerData** List of Base64 string of hash of intermediate cert data.
+- **MetadataIntegrityMode** Base64 string of the signature associated with the update metadata (specified by revision id).
+- **RawMode** Raw unparsed mode string from the SLS response. Null if not applicable.
+- **RawValidityWindowInDays** Raw unparsed string of validity window in effect when verifying the timestamp.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **SHA256OfLeafCerData** Base64 string of hash of the leaf cert data.
+- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast".
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+
+
+### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegritySignature
+
+This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments.
+- **EventScenario** Field indicating the sub-phase event scenario.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **LeafCertId** Integral id from the FragmentSigning data for certificate which failed.
+- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce.
+- **MetadataSignature** Base64 string of the signature associated with the update metadata (specified by revision id).
+- **RawMode** Raw unparsed mode string from the SLS response. Null if not applicable.
+- **RevisionId** Identifies the revision of this specific piece of content.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **SHA256OfLeafCertPublicKey** Base64 string of hash of the leaf cert public key.
+- **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob.
+- **SignatureAlgorithm** Hash algorithm for the metadata signature.
+- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast".
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is malformed and decoding failed.
+- **UpdateId** Identifier associated with the specific piece of content.
+
+
+### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegrityTimestamp
+
+This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **RawMode** Raw unparsed mode string from the SLS response. Null if not applicable.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
+- **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob.
+- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast".
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed.
+- **ValidityWindowInDays** Validity window in effect when verifying the timestamp.
+
+
+### Microsoft.Windows.Update.WUClientExt.UUSLoadModuleFailed
+
+This is the UUSLoadModule failed event and is used to track the failure of loading an undocked component. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **LoadProps** A bitmask for flags associated with loading the undocked module.
+- **ModulePath** Path of the undocked module.
+- **ModuleVersion** Version of the undocked module.
+- **PinkyFlags** PinkyFlags used to create the UUS session.
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
+- **StatusCode** Result of the undocked module loading operation.
+- **UusSessionID** Unique ID used to create the UUS session.
+- **UusVersion** Active UUS version.
+
+
+### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign
+
+This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **ControlId** String identifying the control (if any) that was selected by the user during presentation.
+- **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign.
+- **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign.
+- **InteractionCampaignID** The ID of the interaction campaign that was processed.
+- **ResultId** The result of the evaluation/presentation.
+- **WasCompleted** True if the interaction campaign is complete.
+- **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user.
+
+
+### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit
+
+This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+
+
+### Microsoft.Windows.WindowsUpdate.RUXIM.ICSLaunch
+
+This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **CommandLine** The command line used to launch RUXIMICS.
+
+
+### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent
+
+This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **hrLocal** The error (if any) encountered by RUXIM Interaction Handler during evaluation and presentation.
+- **hrPresentation** The error (if any) reported by RUXIM Presentation Handler during presentation.
+- **InteractionCampaignID** GUID; the user interaction campaign processed by RUXIM Interaction Handler.
+- **ResultId** The result generated by the evaluation and presentation.
+- **WasCompleted** True if the user interaction campaign is complete.
+- **WasPresented** True if the user interaction campaign is displayed to the user.
+
+
+### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit
+
+This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed.
+
+
+### Microsoft.Windows.WindowsUpdate.RUXIM.IHLaunch
+
+This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **CommandLine** The command line used to launch RUXIMIH.
+- **InteractionCampaignID** GUID identifying the user interaction campaign that the Interaction Handler will process.
+
+### wilActivity
+
+This event provides a Windows Internal Library context used for Product and Service diagnostics. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **callContext** The function where the failure occurred.
+- **currentContextId** The ID of the current call context where the failure occurred.
+- **currentContextMessage** The message of the current call context where the failure occurred.
+- **currentContextName** The name of the current call context where the failure occurred.
+- **failureCount** The number of failures for this failure ID.
+- **failureId** The ID of the failure that occurred.
+- **failureType** The type of the failure that occurred.
+- **fileName** The file name where the failure occurred.
+- **function** The function where the failure occurred.
+- **hresult** The HResult of the overall activity.
+- **lineNumber** The line number where the failure occurred.
+- **message** The message of the failure that occurred.
+- **module** The module where the failure occurred.
+- **originatingContextId** The ID of the originating call context that resulted in the failure.
+- **originatingContextMessage** The message of the originating call context that resulted in the failure.
+- **originatingContextName** The name of the originating call context that resulted in the failure.
+- **threadId** The ID of the thread on which the activity is executing.
+
+## Windows Update mitigation events
+
+### Microsoft.Windows.Mitigations.AllowInPlaceUpgrade.ActivityError
+
+This event provides information for error encountered when enabling In-Place Upgrade. The data collected with this event is used to help keep Windows secure.
+
+The following fields are available:
+
+- **wilActivity** Result of the attempt to enable In-Place Upgrade. See [wilActivity](#wilactivity).
+
+
+### Microsoft.Windows.Mitigations.AllowInPlaceUpgrade.ApplyTroubleshooting
+
+This event provides information for the operation of enabling In-Place Upgrade. The data collected with this event is used to help keep Windows secure.
+
+The following fields are available:
+
+- **wilActivity** Result of the attempt to enable In-Place Upgrade. See [wilActivity](#wilactivity).
+
+
+### Microsoft.Windows.Mitigations.AllowInPlaceUpgrade.ApplyTroubleshootingComplete
+
+This event provides summary information after attempting to enable In-Place Upgrade. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **applicable** The operations that were needed to be attempted.
+- **failed** Result of the individual operations that were attempted.
+- **hr** Result of the overall operation to evaluate and enable In-Place Upgrade.
+
+
+### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages
+
+This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ClientId** The client ID used by Windows Update.
+- **FlightId** The ID of each Windows Insider build the device received.
+- **InstanceId** A unique device ID that identifies each update instance.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **MountedImageCount** The number of mounted images.
+- **MountedImageMatches** The number of mounted image matches.
+- **MountedImagesFailed** The number of mounted images that could not be removed.
+- **MountedImagesRemoved** The number of mounted images that were successfully removed.
+- **MountedImagesSkipped** The number of mounted images that were not found.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
+- **Result** HResult of this operation.
+- **ScenarioId** ID indicating the mitigation scenario.
+- **ScenarioSupported** Indicates whether the scenario was supported.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each Windows Update.
+- **WuId** Unique ID for the Windows Update client.
+
+
+### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints
+
+This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightId** Unique identifier for each flight.
+- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ReparsePointsFailed** Number of reparse points that are corrupted but we failed to fix them.
+- **ReparsePointsFixed** Number of reparse points that were corrupted and were fixed by this mitigation.
+- **ReparsePointsSkipped** Number of reparse points that are not corrupted and no action is required.
+- **Result** HResult of this operation.
+- **ScenarioId** ID indicating the mitigation scenario.
+- **ScenarioSupported** Indicates whether the scenario was supported.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each Update.
+- **WuId** Unique ID for the Windows Update client.
+
+
+### Mitigation360Telemetry.MitigationCustom.FixupWimmountSysPath
+
+This event sends data specific to the FixupWimmountSysPath mitigation used for OS Updates. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightId** Unique identifier for each flight.
+- **ImagePathDefault** Default path to wimmount.sys driver defined in the system registry.
+- **ImagePathFixedup** Boolean indicating whether the wimmount.sys driver path was fixed by this mitigation.
+- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
+- **MitigationScenario** The update scenario in which the mitigations were attempted.
+- **RelatedCV** Correlation vector value.
+- **Result** HResult of this operation.
+- **ScenarioId** Setup360 flow type.
+- **ScenarioSupported** Whether the updated scenario that was passed in was supported.
+- **SessionId** The UpdateAgent “SessionId” value.
+- **UpdateId** Unique identifier for the Update.
+- **WuId** Unique identifier for the Windows Update client.
+
+
+## Windows Update Reserve Manager events
+
+### Microsoft.Windows.UpdateReserveManager.BeginScenario
+
+This event is sent when the Update Reserve Manager is called to begin a scenario. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **Flags** The flags that are passed to the begin scenario function.
+- **HardReserveSize** The size of the hard reserve.
+- **HardReserveUsedSpace** The used space in the hard reserve.
+- **OwningScenarioId** The scenario ID the client that called the begin scenario function.
+- **ReturnCode** The return code for the begin scenario operation.
+- **ScenarioId** The scenario ID that is internal to the reserve manager.
+- **SoftReserveSize** The size of the soft reserve.
+- **SoftReserveUsedSpace** The amount of soft reserve space that was used.
+
+
+### Microsoft.Windows.UpdateReserveManager.ClearReserve
+
+This event is sent when the Update Reserve Manager clears one of the reserves. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **FinalReserveUsedSpace** The amount of used space for the reserve after it was cleared.
+- **InitialReserveUsedSpace** The amount of used space for the reserve before it was cleared.
+- **ReserveId** The ID of the reserve that needs to be cleared.
+
+
+### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment
+
+This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **FinalAdjustment** Final adjustment for the hard reserve following the addition or removal of optional content.
+- **InitialAdjustment** Initial intended adjustment for the hard reserve following the addition or removal of optional content.
+
+
+### Microsoft.Windows.UpdateReserveManager.EndScenario
+
+This event is sent when the Update Reserve Manager ends an active scenario. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ActiveScenario** The current active scenario.
+- **Flags** The flags passed to the end scenario call.
+- **HardReserveSize** The size of the hard reserve when the end scenario is called.
+- **HardReserveUsedSpace** The used space in the hard reserve when the end scenario is called.
+- **ReturnCode** The return code of this operation.
+- **ScenarioId** The ID of the internal reserve manager scenario.
+- **SoftReserveSize** The size of the soft reserve when end scenario is called.
+- **SoftReserveUsedSpace** The amount of the soft reserve used when end scenario is called.
+
+
+### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError
+
+This event is sent when the Update Reserve Manager returns an error from one of its internal functions. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **FailedFile** The binary file that contained the failed function.
+- **FailedFunction** The name of the function that originated the failure.
+- **FailedLine** The line number of the failure.
+- **ReturnCode** The return code of the function.
+
+
+### Microsoft.Windows.UpdateReserveManager.InitializeReserves
+
+This event is sent when reserves are initialized on the device. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **FallbackInitUsed** Indicates whether fallback initialization is used.
+- **FinalUserFreeSpace** The amount of user free space after initialization.
+- **Flags** The flags used in the initialization of Update Reserve Manager.
+- **FreeSpaceToLeaveInUpdateScratch** The amount of space that should be left free after using the reserves.
+- **HardReserveFinalSize** The final size of the hard reserve.
+- **HardReserveFinalUsedSpace** The used space in the hard reserve.
+- **HardReserveInitialSize** The size of the hard reserve after initialization.
+- **HardReserveInitialUsedSpace** The utilization of the hard reserve after initialization.
+- **HardReserveTargetSize** The target size that was set for the hard reserve.
+- **InitialUserFreeSpace** The user free space during initialization.
+- **PostUpgradeFreeSpace** The free space value passed into the Update Reserve Manager to determine reserve sizing post upgrade.
+- **SoftReserveFinalSize** The final size of the soft reserve.
+- **SoftReserveFinalUsedSpace** The used space in the soft reserve.
+- **SoftReserveInitialSize** The soft reserve size after initialization.
+- **SoftReserveInitialUsedSpace** The utilization of the soft reserve after initialization.
+- **SoftReserveTargetSize** The target size that was set for the soft reserve.
+- **TargetUserFreeSpace** The target user free space that was passed into the reserve manager to determine reserve sizing post upgrade.
+- **UpdateScratchFinalUsedSpace** The used space in the scratch reserve.
+- **UpdateScratchInitialUsedSpace** The utilization of the scratch reserve after initialization.
+- **UpdateScratchReserveFinalSize** The utilization of the scratch reserve after initialization.
+- **UpdateScratchReserveInitialSize** The size of the scratch reserve after initialization.
+
+
+### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager
+
+This event returns data about the Update Reserve Manager, including whether it’s been initialized. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ClientId** The ID of the caller application.
+- **Flags** The enumerated flags used to initialize the manager.
+- **Offline** Indicates whether or the reserve manager is called during offline operations.
+- **PolicyPassed** Indicates whether the machine is able to use reserves.
+- **ReturnCode** Return code of the operation.
+- **Version** The version of the Update Reserve Manager.
+
+
+### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization
+
+This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **FallbackLogicUsed** Indicates whether fallback logic was used for initialization.
+- **Flags** The flags that are passed to the function to prepare the Trusted Installer for reserve initialization.
+
+
+### Microsoft.Windows.UpdateReserveManager.ReevaluatePolicy
+
+This event is sent when the Update Reserve Manager reevaluates policy to determine reserve usage. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **PolicyChanged** Indicates whether the policy has changed.
+- **PolicyFailedEnum** The reason why the policy failed.
+- **PolicyPassed** Indicates whether the policy passed.
+
+
+### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment
+
+This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. The data collected with this event is used to help keep Windows secure and up to date.
+
+
+
+### Microsoft.Windows.UpdateReserveManager.TurnOffReserves
+
+This event is sent when the Update Reserve Manager turns off reserve functionality for certain operations. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **Flags** Flags used in the turn off reserves function.
+- **HardReserveSize** The size of the hard reserve when Turn Off is called.
+- **HardReserveUsedSpace** The amount of space used by the hard reserve when Turn Off is called
+- **ScratchReserveSize** The size of the scratch reserve when Turn Off is called.
+- **ScratchReserveUsedSpace** The amount of space used by the scratch reserve when Turn Off is called.
+- **SoftReserveSize** The size of the soft reserve when Turn Off is called.
+- **SoftReserveUsedSpace** The amount of the soft reserve used when Turn Off is called.
+
+
+### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment
+
+This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ChangeSize** The change in the hard reserve size based on the addition or removal of optional content.
+- **Disposition** The parameter for the hard reserve adjustment function.
+- **Flags** The flags passed to the hard reserve adjustment function.
+- **PendingHardReserveAdjustment** The final change to the hard reserve size.
+- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve.
\ No newline at end of file
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index fdaf967827..5c6f22d52c 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -1,6 +1,6 @@ --- -description: Learn what required Windows diagnostic data is gathered. -title: Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10) +description: Use this article to learn more about what required Windows diagnostic data is gathered. +title: Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: w10 ms.mktglfcycl: manage @@ -13,11 +13,11 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/28/2021 +ms.date: --- -# Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields +# Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields > [!IMPORTANT] @@ -26,6 +26,7 @@ ms.date: 04/28/2021 **Applies to** +- Windows 10, version 21H2 - Windows 10, version 21H1 - Windows 10, version 20H2 - Windows 10, version 2004 @@ -39,6 +40,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: +- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) 
@@ -49,7 +51,6 @@ You can learn more about Windows functional and diagnostic data through these ar - ## Appraiser events ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount @@ -64,6 +65,8 @@ The following fields are available: - **DatasourceApplicationFile_20H1Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H2** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H2Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device. @@ -77,6 +80,8 @@ The following fields are available: - **DatasourceDevicePnp_20H1Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_21H1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_21H2** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_21H2Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device. 
@@ -92,6 +97,8 @@ The following fields are available: - **DatasourceDriverPackage_20H1Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_21H1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H2** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H2Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device. @@ -107,6 +114,8 @@ The following fields are available: - **DataSourceMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device. 
@@ -120,6 +129,8 @@ The following fields are available: - **DataSourceMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device. @@ -133,6 +144,8 @@ The following fields are available: - **DataSourceMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. 
@@ -146,6 +159,8 @@ The following fields are available: - **DatasourceSystemBios_20H1Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H1** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H2** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H2Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS1** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS2** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS3** The total number of objects of this type present on this device. @@ -161,6 +176,8 @@ The following fields are available: - **DecisionApplicationFile_20H1Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H1** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H2** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H2Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS1** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS2** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS3** The total number of objects of this type present on this device. 
@@ -174,6 +191,8 @@ The following fields are available: - **DecisionDevicePnp_20H1Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H1** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H2** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H2Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS1** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS2** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS3** The total number of objects of this type present on this device. @@ -189,6 +208,8 @@ The following fields are available: - **DecisionDriverPackage_20H1Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H1** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H2** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H2Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS1** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS2** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS3** The total number of objects of this type present on this device. 
@@ -204,6 +225,8 @@ The following fields are available: - **DecisionMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device. @@ -217,6 +240,8 @@ The following fields are available: - **DecisionMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device. 
@@ -230,6 +255,8 @@ The following fields are available: - **DecisionMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. @@ -243,6 +270,8 @@ The following fields are available: - **DecisionMediaCenter_20H1Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H1** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H2** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H2Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS1** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS2** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS3** The total number of objects of this type present on this device. 
@@ -250,12 +279,28 @@ The following fields are available: - **DecisionMediaCenter_RS5** The total number of objects of this type present on this device. - **DecisionMediaCenter_TH1** The total number of objects of this type present on this device. - **DecisionMediaCenter_TH2** The total number of objects of this type present on this device. +- **DecisionSModeState_19H1** The total number of objects of this type present on this device. +- **DecisionSModeState_20H1** The total number of objects of this type present on this device. +- **DecisionSModeState_20H1Setup** The total number of objects of this type present on this device. +- **DecisionSModeState_21H1** The total number of objects of this type present on this device. +- **DecisionSModeState_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSModeState_21H2** The total number of objects of this type present on this device. +- **DecisionSModeState_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSModeState_RS1** The total number of objects of this type present on this device. +- **DecisionSModeState_RS2** The total number of objects of this type present on this device. +- **DecisionSModeState_RS3** The total number of objects of this type present on this device. +- **DecisionSModeState_RS4** The total number of objects of this type present on this device. +- **DecisionSModeState_RS5** The total number of objects of this type present on this device. +- **DecisionSModeState_TH1** The total number of objects of this type present on this device. +- **DecisionSModeState_TH2** The total number of objects of this type present on this device. - **DecisionSystemBios_19H1** The total number of objects of this type present on this device. - **DecisionSystemBios_19H1Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_20H1** The total number of objects of this type present on this device. 
- **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_21H1** The total number of objects of this type present on this device. - **DecisionSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H2** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H2Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_RS1** The total number of objects of this type present on this device. - **DecisionSystemBios_RS2** The total number of objects of this type present on this device. - **DecisionSystemBios_RS3** The total number of objects of this type present on this device. 
@@ -265,11 +310,82 @@ The following fields are available: - **DecisionSystemBios_RS5Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_TH1** The total number of objects of this type present on this device. - **DecisionSystemBios_TH2** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_19H1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_20H1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_20H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_21H1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_21H2** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS2** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS3** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS4** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS5** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_TH1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_TH2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_19H1** The total number of objects of this type present on this device. +- **DecisionSystemMemory_20H1** The total number of objects of this type present on this device. 
+- **DecisionSystemMemory_20H1Setup** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_21H1** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_21H2** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_RS1** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_RS2** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_RS3** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_RS4** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_RS5** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_TH1** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_TH2** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_19H1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_20H1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_20H1Setup** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_21H1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_21H2** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_RS1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_RS2** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_RS3** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_RS4** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_RS5** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_TH1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_TH2** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_19H1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_20H1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_20H1Setup** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_21H1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_21H2** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_RS1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_RS2** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_RS3** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_RS4** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_RS5** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_TH1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_TH2** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_19H1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_20H1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_20H1Setup** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_21H1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_21H2** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_RS1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_RS2** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_RS3** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_RS4** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_RS5** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_TH1** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_TH2** The total number of objects of this type present on this device.
 - **DecisionTest_19H1** The total number of objects of this type present on this device.
 - **DecisionTest_20H1** The total number of objects of this type present on this device.
 - **DecisionTest_20H1Setup** The total number of objects of this type present on this device.
 - **DecisionTest_21H1** The total number of objects of this type present on this device.
 - **DecisionTest_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionTest_21H2** The total number of objects of this type present on this device.
+- **DecisionTest_21H2Setup** The total number of objects of this type present on this device.
 - **DecisionTest_RS1** The total number of objects of this type present on this device.
 - **DecisionTest_RS2** The total number of objects of this type present on this device.
 - **DecisionTest_RS3** The total number of objects of this type present on this device.
@@ -277,6 +393,34 @@ The following fields are available:
 - **DecisionTest_RS5** The total number of objects of this type present on this device.
 - **DecisionTest_TH1** The total number of objects of this type present on this device.
 - **DecisionTest_TH2** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_19H1** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_20H1** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_20H1Setup** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_21H1** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_21H2** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_21H2Setup** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_RS1** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_RS2** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_RS3** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_RS4** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_RS5** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_TH1** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_TH2** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_19H1** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_20H1** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_20H1Setup** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_21H1** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_21H1Setup** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_21H2** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_21H2Setup** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_RS1** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_RS2** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_RS3** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_RS4** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_RS5** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_TH1** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_TH2** The total number of objects of this type present on this device.
 - **InventoryApplicationFile** The total number of objects of this type present on this device.
 - **InventoryLanguagePack** The total number of objects of this type present on this device.
 - **InventoryMediaCenter** The total number of objects of this type present on this device.
@@ -300,6 +444,8 @@ The following fields are available: - **Wmdrm_20H1Setup** The total number of objects of this type present on this device. - **Wmdrm_21H1** The total number of objects of this type present on this device. - **Wmdrm_21H1Setup** The total number of objects of this type present on this device. +- **Wmdrm_21H2** The total number of objects of this type present on this device. +- **Wmdrm_21H2Setup** The total number of objects of this type present on this device. - **Wmdrm_RS1** The total number of objects of this type present on this device. - **Wmdrm_RS2** The total number of objects of this type present on this device. - **Wmdrm_RS3** The total number of objects of this type present on this device. @@ -962,6 +1108,8 @@ The following fields are available: - **CpuModel** Cpu model. - **CpuStepping** Cpu stepping. - **CpuVendor** Cpu vendor. +- **PlatformId** CPU platform identifier. +- **SysReqOverride** Appraiser decision about system requirements override. ### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelStartSync @@ -1009,6 +1157,7 @@ The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. - **Blocking** Appraiser upgradeability decision based on the device's TPM support. +- **SysReqOverride** Appraiser decision about system requirements override. - **TpmVersionInfo** The version of Trusted Platform Module (TPM) technology in the device. 
@@ -1830,6 +1979,7 @@ This event sends data about the mobile and cellular network used by the device ( The following fields are available: +- **CellularModemHWInstanceId0** HardwareInstanceId of the embedded Mobile broadband modem, as reported and used by PnP system to identify the WWAN modem device in Windows system. Empty string (null string) indicates that this property is unknown for telemetry. - **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. - **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. - **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. 
@@ -1841,9 +1991,12 @@ The following fields are available: - **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. - **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. - **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **ModemOptionalCapabilityBitMap0** A bit map of optional capabilities in modem, such as eSIM support. - **NetworkAdapterGUID** The GUID of the primary network adapter. - **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. - **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. +- **SupportedDataClassBitMap0** A bit map of the supported data classes (i.g, 5g 4g...) that the modem is capable of. +- **SupportedDataSubClassBitMap0** A bit map of data subclasses that the modem is capable of. ### Census.OS 
@@ -1949,6 +2102,7 @@ The following fields are available: - **ProcessorManufacturer** Name of the processor manufacturer. - **ProcessorModel** Name of the processor model. - **ProcessorPhysicalCores** Number of physical cores in the processor. +- **ProcessorPlatformSpecificField1** Registry value HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0, @Platform Specific Field 1. Platform Specific Field 1 of the Processor. Each vendor (e.g. Intel) defines the meaning differently. On Intel this is used to differentiate processors of the same generation, (e.g. Kaby Lake, KBL-G, KBL-H, KBL-R). - **ProcessorUpdateRevision** The microcode revision. - **ProcessorUpdateStatus** Enum value that represents the processor microcode load status - **SocketCount** Count of CPU sockets. @@ -1968,6 +2122,7 @@ The following fields are available: - **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. - **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. - **IsWdagFeatureEnabled** Indicates whether Windows Defender Application Guard is enabled. +- **NGCSecurityProperties** String representation of NGC security information. - **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. - **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. - **ShadowStack** The bit fields of SYSTEM_SHADOW_STACK_INFORMATION representing the state of the Intel CET (Control Enforcement Technology) hardware security feature. 
@@ -2875,6 +3030,7 @@ The following fields are available: - **DriverInfSectionName** Name of the DDInstall section within the driver INF file. - **DriverPackageId** The ID of the driver package that is staged to the driver store. - **DriverProvider** The driver manufacturer or provider. +- **DriverShimIds** List of driver shim IDs. - **DriverUpdated** Indicates whether the driver is replacing an old driver. - **DriverVersion** The version of the driver file. - **EndTime** The time the installation completed. @@ -3346,6 +3502,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: +- **AndroidPackageId** A unique identifier for an Android app. - **HiddenArp** Indicates whether a program hides itself from showing up in ARP. - **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). - **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 @@ -3592,7 +3749,7 @@ The following fields are available: - **HWID** The version of the driver loaded for the device. - **Inf** The bus that enumerated the device. - **InstallDate** The date of the most recent installation of the device on the machine. -- **InstallState** The device installation state. For a list of values, see: [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx) +- **InstallState** The device installation state. For a list of values, see: [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx). - **InventoryVersion** List of hardware ids for the device. - **LowerClassFilters** Lower filter class drivers IDs installed for the device - **LowerFilters** Lower filter drivers IDs installed for the device 
@@ -3846,6 +4003,7 @@ The following fields are available: - **ProductVersion** The version associated with the Office add-in. - **ProgramId** The unique program identifier of the Microsoft Office add-in. - **Provider** Name of the provider for this add-in. +- **Usage** Data about usage for the add-in. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove @@ -3870,6 +4028,14 @@ The following fields are available: - **InventoryVersion** The version of the inventory binary generating the events. +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUexIndicatorStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly. 
@@ -4037,9 +4203,10 @@ The following fields are available: - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. - **container_localId** If the device is using Windows Defender Application Guard, this is the Software Quality Metrics (SQM) ID of the container. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event, where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. 
See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. 
@@ -4062,6 +4229,7 @@ The following fields are available: - **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. - **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. - **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **AppSessionGuid** An identifier of a particular application session starting at process creation time and persisting until process end. - **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. - **Channel** An integer indicating the channel of the installation (Canary or Dev). - **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. 
@@ -4069,9 +4237,10 @@ The following fields are available: - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. - **container_localId** If the device is using Windows Defender Application Guard, this is the Software Quality Metrics (SQM) ID of the container. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. 
See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. 
@@ -4102,9 +4271,10 @@ The following fields are available: - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. - **container_localId** If the device is using Windows Defender Application Guard, this is the Software Quality Metrics (SQM) ID of the container. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See (experimentationandconfigurationservicecontrol)[/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol] for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. 
See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. 
@@ -4135,9 +4305,10 @@ The following fields are available: - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. - **container_localId** If the device is using Windows Defender Application Guard, this is the Software Quality Metrics (SQM) ID of the container. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [#experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. 
See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. 
@@ -4167,10 +4338,13 @@ The following fields are available: - **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited. - **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value is not known. Please see the wiki for additional information. Default: '-2'. - **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client should not transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''. +- **appInstallTime** The product install time in seconds. '0' if unknown. Default: '-1'. - **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'. - **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''. 
+- **appLastLaunchTime** The time when browser was last launched. - **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'. - **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'. +- **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event was not completed before OOBE finishes; -1 means the field does not apply. - **appPingEventDownloadMetricsCdnCCC** ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US. - **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2. - **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. 
@@ -4187,9 +4361,11 @@ The following fields are available: - **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'. - **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'. - **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'. +- **appPingEventPackageCacheResult** Whether there is an existing package cached in the system to update or install. 1 means that there's a cache hit under the expected key, 2 means there's a cache hit under a different key, 0 means that there's a cache miss. -1 means the field does not apply. - **appPingEventSequenceId** An id that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event. - **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a "urls" tag. - **appPingEventUpdateCheckTimeMs** For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'. +- **appReferralHash** The hash of the referral code used to install the product. '0' if unknown. Default: '0'. - **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not. 
- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server should not return an update instruction to a version number that does not match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''. - **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''. 
@@ -4249,9 +4425,10 @@ The following fields are available: - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. - **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. +- **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. 
See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. @@ -4494,6 +4671,17 @@ The following fields are available: - **totalRunDuration** Total running/evaluation time from last time. - **totalRuns** Total number of running/evaluation from last time. +## Settings events + +### Microsoft.Windows.Shell.SystemSettings.SettingsAppActivity.ProtocolActivation + +This event tracks protocol launching for Setting's URIs. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **activationSource** Where activation is initiated. +- **uriString** URI of the launching protocol. + ## Privacy consent logging events 
@@ -4549,6 +4737,29 @@ The following fields are available: - **Status** It indicates details about the status for getting the disk device object during boot. +### Microsoft.Windows.Setup.WinSetupBoot.Success + +This event sends data indicating that the device has invoked the WinSetupBoot successfully. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **Action** It indicates phase/stage of operation. As success event fires on exiting the operation, this value must be 'Exiting'. +- **Duration(ms)** Duration of filter setup instance operation in milliseconds. +- **Rollback** It is blank as this event triggers in success scenario only. + + +### Microsoft.Windows.Setup.WinSetupBoot.Warning + +This event is used to indicate whether there were any warnings when we were trying to skip a reboot during feature upgrade. The data collected with this event helps keep Windows product and service up to date​. + +The following fields are available: + +- **Action** Action indicates what operation was being performed by the filter driver (Ex: Waiting, Exiting). +- **Detail** Add detail to the operation listed above (Ex: Blocked thread timed out). +- **Rollback** Indicates whether a rollback was triggered (0 or 1). +- **Status** Indicates the status code for the operation (Ex: 0, 258 etc.). + + ### SetupPlatformTel.SetupPlatformTelActivityEvent This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. 
@@ -4617,12 +4828,14 @@ The following fields are available:
 - **CurrentMobileOperator** The mobile operator the device is currently connected to.
 - **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000).
 - **DeferredUpdates** Update IDs which are currently being deferred until a later time
-- **DeviceModel** The device model.
+- **DeviceModel** What is the device model.
 - **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered.
 - **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled.
 - **DriverSyncPassPerformed** Were drivers scanned this time?
 - **EventInstanceID** A globally unique identifier for event instance.
 - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **ExcludedUpdateClasses** Update classifications being excluded via policy.
+- **ExcludedUpdates** UpdateIds which are currently being excluded via policy.
 - **ExtendedMetadataCabUrl** Hostname that is used to download an update.
 - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
 - **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan.
@@ -4671,6 +4884,7 @@ The following fields are available:
 - **SystemBIOSMajorRelease** Major version of the BIOS.
 - **SystemBIOSMinorRelease** Minor version of the BIOS.
 - **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **TargetProductVersion** Indicates the Product version selected to move to or stay on.
 - **TargetReleaseVersion** The value selected for the target release version policy.
 - **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down.
 - **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation.
@@ -4709,37 +4923,57 @@ The following fields are available: - **ActiveDownloadTime** Number of seconds the update was actively being downloaded. - **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download. +- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. +- **AppXDownloadScope** Indicates the scope of the download for application content. - **AppXScope** Indicates the scope of the app download. +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. - **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. - **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. - **BundleRevisionNumber** Identifies the revision number of the content bundle. - **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. - **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. - **CDNId** ID which defines which CDN the software distribution client downloaded the content from. 
- **ClientVersion** The version number of the software distribution client. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. - **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. +- **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeviceModel** The model of the device. - **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. - **DownloadProps** Information about the download operation properties in the form of a bitmask. +- **DownloadScenarioId** A unique ID for a given download, used to tie together Windows Update and Delivery Optimizer events. - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed. - **EventType** Possible values are Child, Bundle, or Driver. - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. - **FlightId** The specific ID of the flight (pre-release build) the device is getting. +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). - **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. 
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. - **HostName** The hostname URL the content is downloading from. - **IPVersion** Indicates whether the download took place over IPv4 or IPv6. +- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. - **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. - **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. +- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) - **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." - **PackageFullName** The package name of the content. +- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. - **PostDnldTime** Time taken (in seconds) to signal download completion after the last job has completed downloading payload. - **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. 
@@ -4747,14 +4981,24 @@ The following fields are available: - **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. - **RepeatFailCount** Indicates whether this specific content has previously failed. +- **RepeatFailFlag** Indicates whether this specific content previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. - **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. +- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. +- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. - **TotalExpectedBytes** The total count of bytes that the download is expected to be. - **UpdateId** An identifier associated with the specific piece of content. 
- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. - **UsedDO** Whether the download used the delivery optimization service. +- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. @@ -5022,6 +5266,7 @@ The following fields are available: - **SignatureAlgorithm** The hash algorithm for the metadata signature. - **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast - **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. - **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. - **UpdateId** The update ID for a specific piece of content. - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. 
@@ -5029,6 +5274,17 @@ The following fields are available: ## Surface events +### Microsoft.Surface.Health.Binary.Prod.McuHealthLog + +This event collects information to keep track of health indicator of the built-in micro controller. For example, the number of abnormal shutdowns due to power issues during boot sequence, type of display panel attached to base, thermal indicator, throttling data in hardware etc. The data collected with this event is used to help keep Windows secure and performing properly. + +The following fields are available: + +- **CUtility::GetTargetNameA(Target)** Sub component name. +- **HealthLog** Health indicator log. +- **healthLogSize** 4KB. +- **productId** Identifier for product model. + ### Microsoft.Surface.Battery.Prod.BatteryInfoEvent This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. 
@@ -5044,18 +5300,168 @@ The following fields are available: - **szBatteryInfo** Battery performance data. -### Microsoft.Surface.Health.Binary.Prod.McuHealthLog +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_BPM -This event collects information to keep track of health indicator of the built-in micro controller. For example, the number of abnormal shutdowns due to power issues during boot sequence, type of display panel attached to base, thermal indicator, throttling data in hardware etc. The data collected with this event is used to help keep Windows secure and performing properly. +This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. The following fields are available: -- **CUtility::GetTargetNameA(Target)** Sub component name. -- **HealthLog** Health indicator log. -- **healthLogSize** 4KB. -- **productId** Identifier for product model. +- **BPMCurrentlyEngaged** Instantaneous snapshot if BPM is engaged on device. +- **BPMExitCriteria** What is the BPM exit criteria - 20%SOC or 50%SOC? +- **BPMHvtCountA** Current HVT count for BPM counter A. +- **BPMHvtCountB** Current HVT count for BPM counter B. +- **bpmOptOutLifetimeCount** BPM OptOut Lifetime Count. +- **BPMRsocBucketsHighTemp_Values** Time in temperature range 46°C -60°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsLowTemp_Values** Time in temperature range 0°C -20°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsMediumHighTemp_Values** Time in temperature range 36°C -45°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsMediumLowTemp_Values** Time in temperature range 21°C-35°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMTotalEngagedMinutes** Total time that BPM was engaged. 
+- **BPMTotalEntryEvents** Total number of times entering BPM. +- **ComponentId** Component ID. +- **FwVersion** FW version that created this log. +- **LogClass** Log Class. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** Log MGR version. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **ProductId** Product ID. +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_CTT + +This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **BPMKioskModeStartDateInSeconds** First time Battery Limit was turned on. +- **BPMKioskModeTotalEngagedMinutes** Total time Battery Limit was on (SOC value at 50%). +- **ComponentId** Component ID. +- **CTTEqvTimeat35C** Poll time every minute. Add to lifetime counter based on temperature. Only count time above 80% SOC. +- **CTTEqvTimeat35CinBPM** Poll time every minute. Add to lifetime counter based on temperature. Only count time above 55% SOC and when device is in BPM. Round up. +- **CTTMinSOC1day** Rolling 1 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC28day** Rolling 28 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC3day** Rolling 3 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC7day** Rolling 7 day minimum SOC. Value set to 0 initially. +- **CTTStartDateInSeconds** Start date from when device was starting to be used. +- **currentAuthenticationState** Current Authentication State. +- **FwVersion** FW version that created this log. +- **LogClass** Log Class. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** Log MGR version. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **newSnFruUpdateCount** New Sn FRU Update Count. 
+- **newSnUpdateCount** New Sn Update Count. +- **ProductId** Product ID. +- **ProtectionPolicy** Battery limit engaged. True (0 False). +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. +- **VoltageOptimization** Current CTT reduction in mV. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GG + +This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **cbTimeCell_Values** cb time for different cells. +- **ComponentId** Component ID. +- **cycleCount** Cycle Count. +- **deltaVoltage** Delta voltage. +- **eocChargeVoltage_Values** EOC Charge voltage values. +- **fullChargeCapacity** Full Charge Capacity. +- **FwVersion** FW version that created this log. +- **lastCovEvent** Last Cov event. +- **lastCuvEvent** Last Cuv event. +- **LogClass** LOG_CLASS. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** LOG_MGR_VERSION. +- **manufacturerName** Manufacturer name. +- **maxChargeCurrent** Max charge current. +- **maxDeltaCellVoltage** Max delta cell voltage. +- **maxDischargeCurrent** Max discharge current. +- **maxTempCell** Max temp cell. +- **maxVoltage_Values** Max voltage values. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **minTempCell** Min temp cell. +- **minVoltage_Values** Min voltage values. +- **numberOfCovEvents** Number of Cov events. +- **numberOfCuvEvents** Number of Cuv events. +- **numberOfOCD1Events** Number of OCD1 events. +- **numberOfOCD2Events** Number of OCD2 events. +- **numberOfQmaxUpdates** Number of Qmax updates. +- **numberOfRaUpdates** Number of Ra updates. +- **numberOfShutdowns** Number of shutdowns. +- **pfStatus_Values** pf status values. +- **ProductId** Product ID. +- **qmax_Values** Qmax values for different cells. +- **SeqNum** Sequence Number. 
+- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GGExt + +This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **avgCurrLastRun** Average current last run. +- **avgPowLastRun** Average power last run. +- **batteryMSPN** BatteryMSPN +- **batteryMSSN** BatteryMSSN. +- **cell0Ra3** Cell0Ra3. +- **cell1Ra3** Cell1Ra3. +- **cell2Ra3** Cell2Ra3. +- **cell3Ra3** Cell3Ra3. +- **ComponentId** Component ID. +- **currentAtEoc** Current at Eoc. +- **firstPFstatusA** First PF status-A. +- **firstPFstatusB** First PF status-B. +- **firstPFstatusC** First PF status-C. +- **firstPFstatusD** First PF status-D. +- **FwVersion** FW version that created this log. +- **lastQmaxUpdate** Last Qmax update. +- **lastRaDisable** Last Ra disable. +- **lastRaUpdate** Last Ra update. +- **lastValidChargeTerm** Last valid charge term. +- **LogClass** LOG CLASS. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** LOG MGR VERSION. +- **maxAvgCurrLastRun** Max average current last run. +- **maxAvgPowLastRun** Max average power last run. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **mfgInfoBlockB01** MFG info Block B01. +- **mfgInfoBlockB02** MFG info Block B02. +- **mfgInfoBlockB03** MFG info Block B03. +- **mfgInfoBlockB04** MFG info Block B04. +- **numOfRaDisable** Number of Ra disable. +- **numOfValidChargeTerm** Number of valid charge term. +- **ProductId** Product ID. +- **qmaxCycleCount** Qmax cycle count. +- **SeqNum** Sequence Number. +- **stateOfHealthEnergy** State of health energy. +- **stateOfHealthFcc** State of health Fcc. +- **stateOfHealthPercent** State of health percent. +- **TimeStamp** UTC seconds when log was created. +- **totalFwRuntime** Total FW runtime. 
+- **updateStatus** Update status. +- **Ver** Schema version. + + +### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2 + +This event sends reason for SAM, PCH and SoC reset. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **HostResetCause** Host reset cause. +- **PchResetCause** PCH reset cause. +- **SamResetCause** SAM reset cause. + ## Update Assistant events ### Microsoft.Windows.QUALauncher.Applicable @@ -5086,6 +5492,7 @@ The following fields are available: - **CV** Correlation vector. - **dayspendingrebootafterfu** Number of days that have elapsed since the device reached ready to reboot for a Feature Update that is still actively pending reboot. +- **ExecutionRequestId** Identifier of the Execution Request that launched the QualityUpdateAssistant process. - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this device. - **KBNumber** KBNumber of the update being installed. - **PackageVersion** Current package version of quality update assistant. @@ -5101,6 +5508,7 @@ The following fields are available: - **activeProcesses** Number of active processes. - **atleastOneMitigationSucceeded** Bool flag indicating if at least one mitigation succeeded. +- **callerId** Identifier (GUID) of the caller requesting a system initiated troubleshooter. - **contactTSServiceAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to get Troubleshooter metadata from the Troubleshooting cloud service. - **countDownloadedPayload** Count instances of payload downloaded. - **description** Description of failure. 
@@ -5142,6 +5550,7 @@ This event is raised when a targeted mitigation is rejected by the device based The following fields are available: +- **callerId** It is a GUID to identify the component that is calling into Mitigation Client APIs. It can be: Task Scheduler, Settings App, or GetHelp App. - **description** String describing why a mitigation was rejected. - **mitigationId** GUID identifier for a mitigation. - **mitigationVersion** Version of the mitigation. @@ -5156,11 +5565,14 @@ This event is raised after an executable delivered by Mitigation Service has suc The following fields are available: - **activeProcesses** Number of active processes. +- **callerId** Identifier (GUID) of the caller requesting a system initiated troubleshooter. - **contactTSServiceAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to get Troubleshooter metadata from the Troubleshooting cloud service. - **devicePreference** Recommended troubleshooting setting on the device. - **downloadBinaryAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download Troubleshooter Exe. - **downloadCabAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download PrivilegedActions Cab. - **executionPreference** Current Execution level Preference. This may not be same as devicePreference, for example, when executing Critical troubleshooters, the executionPreference is set to the Silent option. +- **exitCode** Exit code of the execution of the mitigation. +- **exitCodeDefinition** String describing the meaning of the exit code returned by the mitigation (i.e. ProblemNotFound). - **experimentFeatureId** Experiment feature ID. - **experimentFeatureState** Feature state for the experiment. - **mitigationId** ID value of the mitigation. 
@@ -5189,6 +5601,21 @@ The following fields are available: - **PackageVersion** The package version label. +### Microsoft.Windows.UpdateHealthTools.ExpediteDownloadStarted + +This event indicates that the download phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **ExpeditePolicyId** The policy Id of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. +- **ExpediteUpdatesInProgress** A list of update IDs in progress. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + ### Microsoft.Windows.UpdateHealthTools.ExpediteInstallStarted This event indicates that the install phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. @@ -5487,6 +5914,7 @@ The following fields are available: - **CV** Correlation vector. - **GlobalEventCounter** The global event counter for counting total events for the provider. - **PackageVersion** The version for the current package. +- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for WUFB cloud membership. ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin 
@@ -5510,29 +5938,90 @@ The following fields are available:
 - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
 - **PackageVersion** Current package version of remediation.
-### wilActivity
+### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantCompatCheckResult
-This event provides a Windows Internal Library context used for Product and Service diagnostics. The data collected with this event is used to help keep Windows up to date.
+This event provides the result of running the compatibility check for update assistant. The data collected with this event is used to help keep Windows up to date.
 The following fields are available:
-- **callContext** The function where the failure occurred.
-- **currentContextId** The ID of the current call context where the failure occurred.
-- **currentContextMessage** The message of the current call context where the failure occurred.
-- **currentContextName** The name of the current call context where the failure occurred.
-- **failureCount** The number of failures for this failure ID.
-- **failureId** The ID of the failure that occurred.
-- **failureType** The type of the failure that occurred.
-- **fileName** The file name where the failure occurred.
-- **function** The function where the failure occurred.
-- **hresult** The HResult of the overall activity.
-- **lineNumber** The line number where the failure occurred.
-- **message** The message of the failure that occurred.
-- **module** The module where the failure occurred.
-- **originatingContextId** The ID of the originating call context that resulted in the failure.
-- **originatingContextMessage** The message of the originating call context that resulted in the failure.
-- **originatingContextName** The name of the originating call context that resulted in the failure.
-- **threadId** The ID of the thread on which the activity is executing.
+- **CV** The correlation vector.
+- **GlobalEventCounter** The global event counter for all telemetry on the device.
+- **UpdateAssistantCompatCheckResultOutput** Output of compatibility check for update assistant.
+- **UpdateAssistantVersion** Current package version of UpdateAssistant.
+
+
+### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantDeviceInformation
+
+This event provides basic information about the device where update assistant was run. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **CV** The correlation vector.
+- **GlobalEventCounter** The global event counter for all telemetry on the device.
+- **UpdateAssistantAppFilePath** Path to Update Assistant app.
+- **UpdateAssistantDeviceId** Device Id of the Update Assistant Candidate Device.
+- **UpdateAssistantExeName** Exe name running as Update Assistant.
+- **UpdateAssistantExternalId** External Id of the Update Assistant Candidate Device.
+- **UpdateAssistantIsDeviceCloverTrail** True/False is the device clovertrail.
+- **UpdateAssistantIsPushing** True if the update is pushing to the device.
+- **UpdateAssistantMachineId** Machine Id of the Update Assistant Candidate Device.
+- **UpdateAssistantOsVersion** Update Assistant OS Version.
+- **UpdateAssistantPartnerId** Partner Id for Assistant application.
+- **UpdateAssistantReportPath** Path to report for Update Assistant.
+- **UpdateAssistantStartTime** Start time for UpdateAssistant.
+- **UpdateAssistantTargetOSVersion** Update Assistant Target OS Version.
+- **UpdateAssistantUiType** The type of UI whether default or OOBE.
+- **UpdateAssistantVersion** Current package version of UpdateAssistant.
+- **UpdateAssistantVersionInfo** Information about Update Assistant application.
+
+
+### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantEULAProperty
+
+This event is set to true at the start of AcceptEULA. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **CV** The correlation vector.
+- **GlobalEventCounter** The global event counter for all telemetry on the device.
+- **UpdateAssistantEULAPropertyGeoId** Geo Id used to show EULA.
+- **UpdateAssistantEULAPropertyRegion** Region used to show EULA.
+- **UpdateAssistantVersion** Current package version of UpdateAssistant.
+
+
+### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState
+
+This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **CV** The correlation vector.
+- **GlobalEventCounter** The global event counter for all telemetry on the device.
+- **UpdateAssistantStateAcceptEULA** True at the start of AcceptEULA.
+- **UpdateAssistantStateCheckingCompat** True at the start of Checking Compat
+- **UpdateAssistantStateCheckingUpgrade** True at the start of CheckingUpgrade.
+- **UpdateAssistantStateDownloading** True at the start Downloading.
+- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication.
+- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates.
+- **UpdateAssistantStateInstalling** True at the start of Installing.
+- **UpdateAssistantStatePerformRestart** True at the start of PerformRestart.
+- **UpdateAssistantStatePostInstall** True at the start of PostInstall.
+- **UpdateAssistantStateShowingUpdate** True at the start of Showing Update.
+- **UpdateAssistantStateWelcomeToNewOS** True at the start of WelcomeToNewOS.
+- **UpdateAssistantVersion** Current package version of UpdateAssistant.
+
+
+### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantUserActionDetails
+
+This event provides details about user action. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **CV** The correlation vector.
+- **GlobalEventCounter** The global event counter for all telemetry on the device.
+- **UpdateAssistantUserActionExitingState** Exiting state name user performed action on.
+- **UpdateAssistantUserActionHResult** HRESULT of user action.
+- **UpdateAssistantUserActionState** State name user performed action on.
+- **UpdateAssistantVersion** Current package version of UpdateAssistant.
 ## Update events
@@ -6264,7 +6753,7 @@ The following fields are available:
 ### Microsoft.Windows.WERVertical.OSCrash
-This event sends binary data from the collected dump file whenever a bug check occurs, to help keep Windows up to date. This is the OneCore version of this event.
+This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
 The following fields are available:
@@ -6995,80 +7484,6 @@ The following fields are available:
 ## Windows Update events
-### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign
-
-This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly.
-
-The following fields are available:
-
-- **ControlId** String identifying the control (if any) that was selected by the user during presentation.
-- **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign.
-- **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign.
-- **InteractionCampaignID** The ID of the interaction campaign that was processed.
-- **ResultId** The result of the evaluation/presentation.
-- **WasCompleted** True if the interaction campaign is complete.
-- **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user.
-
-
-### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit
-
-This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly.
-
-
-
-### Microsoft.Windows.WindowsUpdate.RUXIM.ICSLaunch
-
-This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly.
-
-The following fields are available:
-
-- **CommandLine** The command line used to launch RUXIMICS.
-
-
-### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent
-
-This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly.
-
-The following fields are available:
-
-- **hrLocal** The error (if any) encountered by RUXIM Interaction Handler during evaluation and presentation.
-- **hrPresentation** The error (if any) reported by RUXIM Presentation Handler during presentation.
-- **InteractionCampaignID** GUID; the user interaction campaign processed by RUXIM Interaction Handler.
-- **ResultId** The result generated by the evaluation and presentation.
-- **WasCompleted** True if the user interaction campaign is complete.
-- **WasPresented** True if the user interaction campaign is displayed to the user.
-
-
-### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit
-
-This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly.
-
-The following fields are available:
-
-- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed.
-
-
-### Microsoft.Windows.WindowsUpdate.RUXIM.IHLaunch
-
-This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly.
-
-The following fields are available:
-
-- **CommandLine** The command line used to launch RUXIMIH.
-- **InteractionCampaignID** GUID identifying the user interaction campaign that the Interaction Handler will process.
-
-
-### Microsoft.Windows.WindowsUpdate.RUXIM.SystemEvaluator.Evaluation
-
-This event is generated whenever the RUXIM Evaluator DLL performs an evaluation. The data collected with this event is used to help keep Windows up to date and performing properly.
-
-The following fields are available:
-
-- **HRESULT** Error, if any, that occurred during evaluation. (Note that if errors encountered during individual checks do not affect the overall result of the evaluation, those errors will be reported in NodeEvaluationData, but this HRESULT will still be zero.)
-- **Id** GUID passed in by the caller to identify the evaluation.
-- **NodeEvaluationData** Structure showing the results of individual checks that occurred during the overall evaluation.
-- **Result** Overall result generated by the evaluation.
-
 ### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationStarted
 This event sends data collected at the beginning of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date.
@@ -7625,6 +8040,21 @@ The following fields are available:
 - **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired
+
+This event sends data about whether an update required a reboot to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
 ### Microsoft.Windows.Update.Orchestrator.UpdaterMalformedData
 This event is sent when a registered updater has missing or corrupted information, to help keep Windows up to date.
@@ -7727,6 +8157,105 @@ The following fields are available: - **wuDeviceid** Represents device ID. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **ControlId** String identifying the control (if any) that was selected by the user during presentation. +- **hrInteractionHandler** The error (if any) reported by the RUXIM Interaction Handler while processing the interaction campaign. +- **hrScheduler** The error (if any) encountered by RUXIM Interaction Campaign Scheduler itself while processing the interaction campaign. +- **InteractionCampaignID** The ID of the interaction campaign that was processed. +- **ResultId** The result of the evaluation/presentation. +- **WasCompleted** True if the interaction campaign is complete. +- **WasPresented** True if the Interaction Handler displayed the interaction campaign to the user. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSLaunch + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMICS. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent + +This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. 
The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **hrLocal** The error (if any) encountered by RUXIM Interaction Handler during evaluation and presentation. +- **hrPresentation** The error (if any) reported by RUXIM Presentation Handler during presentation. +- **InteractionCampaignID** GUID; the user interaction campaign processed by RUXIM Interaction Handler. +- **ResultId** The result generated by the evaluation and presentation. +- **WasCompleted** True if the user interaction campaign is complete. +- **WasPresented** True if the user interaction campaign is displayed to the user. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHLaunch + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMIH. +- **InteractionCampaignID** GUID identifying the user interaction campaign that the Interaction Handler will process. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.SystemEvaluator.Evaluation + +This event is generated whenever the RUXIM Evaluator DLL performs an evaluation. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **HRESULT** Error, if any, that occurred during evaluation. 
(Note that if errors encountered during individual checks do not affect the overall result of the evaluation, those errors will be reported in NodeEvaluationData, but this HRESULT will still be zero.) +- **Id** GUID passed in by the caller to identify the evaluation. +- **NodeEvaluationData** Structure showing the results of individual checks that occurred during the overall evaluation. +- **Result** Overall result generated by the evaluation. + +### wilActivity + +This event provides a Windows Internal Library context used for Product and Service diagnostics. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **callContext** The function where the failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **originatingContextId** The ID of the originating call context that resulted in the failure. +- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threadId** The ID of the thread on which the activity is executing. 
+ + ## Windows Update mitigation events ### Microsoft.Windows.Mitigations.AllowInPlaceUpgrade.ApplyTroubleshootingComplete @@ -7832,6 +8361,7 @@ This event is sent when the Update Reserve Manager clears one of the reserves. T The following fields are available: - **FinalReserveUsedSpace** The amount of used space for the reserve after it was cleared. +- **Flags** The context of clearing the reserves. - **InitialReserveUsedSpace** The amount of used space for the reserve before it was cleared. - **ReserveId** The ID of the reserve that needs to be cleared. diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml index b631e434ef..56331c2e27 100644 --- a/windows/privacy/toc.yml +++ b/windows/privacy/toc.yml @@ -1,7 +1,7 @@ - name: Privacy href: index.yml items: - - name: "Windows 10 & Privacy Compliance: A Guide for IT and Compliance Professionals" + - name: "Windows Privacy Compliance: A Guide for IT and Compliance Professionals" href: windows-10-and-privacy-compliance.md - name: Configure Windows diagnostic data in your organization href: configure-windows-diagnostic-data-in-your-organization.md @@ -15,7 +15,9 @@ href: Microsoft-DiagnosticDataViewer.md - name: Required Windows diagnostic data events and fields items: - - name: Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic data events and fields + - name: Required Windows 11 diagnostic data events and fields + href: required-windows-11-diagnostic-events-and-fields.md + - name: Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic data events and fields href: required-windows-diagnostic-data-events-and-fields-2004.md - name: Windows 10, version 1909 and Windows 10, version 1903 required level Windows diagnostic events and fields href: basic-level-windows-diagnostic-events-and-fields-1903.md 
@@ -29,18 +31,26 @@ href: basic-level-windows-diagnostic-events-and-fields-1703.md - name: Optional Windows diagnostic data events and fields items: - - name: Windows 10, version 1709 and newer optional diagnostic data + - name: Windows 10, version 1709 and later and Windows 11 optional diagnostic data href: windows-diagnostic-data.md - name: Windows 10, version 1703 optional diagnostic data href: windows-diagnostic-data-1703.md - name: Windows 10 diagnostic data events and fields collected through the limit enhanced diagnostic data policy href: enhanced-diagnostic-data-windows-analytics-events-and-fields.md - - name: Manage Windows 10 connection endpoints + - name: Manage Windows connected experiences items: - name: Manage connections from Windows operating system components to Microsoft services href: manage-connections-from-windows-operating-system-components-to-microsoft-services.md - name: Manage connections from Windows operating system components to Microsoft services using MDM href: manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md + - name: Essential services and connected experiences for Windows + href: essential-services-and-connected-experiences.md + - name: Connection endpoints for Windows 11 + href: manage-windows-11-endpoints.md + - name: Connection endpoints for Windows 10, version 21H2 + href: manage-windows-21h2-endpoints.md + - name: Connection endpoints for Windows 10, version 21H1 + href: manage-windows-21H1-endpoints.md - name: Connection endpoints for Windows 10, version 20H2 href: manage-windows-20H2-endpoints.md - name: Connection endpoints for Windows 10, version 2004 
@@ -55,6 +65,10 @@ href: manage-windows-1803-endpoints.md - name: Connection endpoints for Windows 10, version 1709 href: manage-windows-1709-endpoints.md + - name: Connection endpoints for non-Enterprise editions of Windows 11 + href: windows-11-endpoints-non-enterprise-editions.md + - name: Connection endpoints for non-Enterprise editions of Windows 10, version 21H1 + href: windows-endpoints-21H1-non-enterprise-editions.md - name: Connection endpoints for non-Enterprise editions of Windows 10, version 20H2 href: windows-endpoints-20H2-non-enterprise-editions.md - name: Connection endpoints for non-Enterprise editions of Windows 10, version 2004 diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index cfe581ed04..0930e7356b 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -1,6 +1,6 @@ --- -title: Windows 10 & Privacy Compliance Guide -description: This article provides information to help IT and compliance professionals understand the personal data policies as related to Windows 10. +title: Windows Privacy Compliance Guide +description: This article provides information to help IT and compliance professionals understand the personal data policies as related to Windows. keywords: privacy, GDPR, compliance ms.prod: w10 ms.mktglfcycl: manage @@ -13,67 +13,65 @@ ms.author: brianlic manager: dansimp ms.collection: M365-security-compliance ms.topic: article -ms.date: 07/21/2020 +ms.date: 10/04/2021 --- -# Windows 10 & Privacy Compliance:
                  A Guide for IT and Compliance Professionals +# Windows Privacy Compliance:
                  A Guide for IT and Compliance Professionals Applies to: -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Professional -- Windows Server 2016 and newer +- Windows 10 and 11 Enterprise +- Windows 10 and 11 Education +- Windows 10 and 11 Professional +- Windows Server 2016 and later ## Overview -At Microsoft, we are committed to data privacy across all our products and services. With this guide, we provide administrators and compliance professionals with data privacy considerations for Windows 10. +At Microsoft, we are committed to data privacy across all our products and services. With this guide, we provide administrators and compliance professionals with data privacy considerations for Windows. -Microsoft collects data through multiple interactions with users of Windows 10 devices. This information can contain personal data that may be used to provide, secure, and improve Windows 10 services. To help users and organizations control the collection of personal data, Windows 10 provides comprehensive transparency features, settings choices, controls, and support for data subject requests, all of which are detailed in this article. +Microsoft collects data through multiple interactions with users of Windows devices. This information can contain personal data that may be used to provide, secure and improve Windows, and to provide connected experiences. To help users and organizations control the collection of personal data, Windows provides comprehensive transparency features, settings choices, controls, and support for data subject requests, all of which are detailed in this article. 
-This information allows administrators and compliance professionals to work together to better manage personal data privacy considerations and related regulations, such as the General Data Protection Regulation (GDPR) +This information allows administrators and compliance professionals to work together to better manage personal data privacy considerations and related regulations, such as the General Data Protection Regulation (GDPR). -## 1. Windows 10 data collection transparency +## 1. Windows data collection transparency -Transparency is an important part of the data collection process in Windows 10. Comprehensive information about the features and processes used to collect data is available to users and administrators directly within Windows, both during and after device set up. +Transparency is an important part of the data collection process in Windows. Comprehensive information about the features and processes used to collect data is available to users and administrators directly within Windows, both during and after device setup. ### 1.1 Device set up experience and support for layered transparency When setting up a device, a user can configure their privacy settings. Those privacy settings are key in determining the amount of personal data collected. For each privacy setting, the user is provided information about the setting along with the links to supporting information. This information explains what data is collected, how the data is used, and how to manage the setting after the device setup is complete. When connected to the network during this portion of setup, the user can also review the privacy statement. 
A brief overview of the set up experience for privacy settings is described in [Windows Insiders get first look at new privacy screen settings layout coming to Windows 10](https://blogs.windows.com/windowsexperience/2018/03/06/windows-insiders-get-first-look-new-privacy-screen-settings-layout-coming-windows-10/#uCC2bKYP8M5BqrDP.97), a blog entry on Windows Blogs. -The following table provides an overview of the Windows 10 privacy settings presented during the device setup experience that involve processing personal data and where to find additional information. +The following table provides an overview of the Windows 10 and Windows 11 privacy settings presented during the device setup experience that involve processing personal data and where to find additional information. > [!NOTE] -> This table is limited to the privacy settings that are available as part of setting up a Windows 10 device (Windows 10, version 1809 and newer). For the full list of settings that involve data collection, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +> This table is limited to the privacy settings that are most commonly available when setting up a current version of Windows 10 or newer. For the full list of settings that involve data collection, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). -| Feature/Setting | Description | Supporting Content | Privacy Statement | +| Feature/Setting | Description | Supporting content | Privacy statement | | --- | --- | --- | --- | -| Diagnostic Data |

                  Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device and understand the device's service issues and use patterns.

                  Diagnostic data is categorized into the following:

                  • **Required diagnostic data**
                    Required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](./required-windows-diagnostic-data-events-and-fields-2004.md).
                  • **Optional diagnostic data**
                    Optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](./windows-diagnostic-data.md).

                  | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy)

                  [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) | -| Inking and typing diagnostics | Microsoft collects optional inking and typing diagnostic data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) | -| Speech | Use your voice for dictation and to talk to Cortana and other apps that use Windows cloud-based speech recognition. Microsoft collects voice data to help improve speech services. | [Learn more](https://support.microsoft.com/help/4468250/windows-10-speech-voice-activation-inking-typing-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainspeechinkingtypingmodule) | +| Diagnostic Data |

                  Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft to quickly identify and address issues affecting its customers.

                  Diagnostic data is categorized into the following:

                  • **Required diagnostic data**
                    Required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](./required-windows-diagnostic-data-events-and-fields-2004.md).
                  • **Optional diagnostic data**
                    Optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](./windows-diagnostic-data.md).

                  | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy)

                  [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) | +| Inking & typing | Microsoft collects optional inking and typing diagnostic data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) | | Location | Get location-based experiences like directions and weather. Let Windows and apps request your location and allow Microsoft to use your location data to improve location services. | [Learn more](https://support.microsoft.com/help/4468240/windows-10-location-service-and-privacy) |[Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) | | Find my device | Use your device’s location data to help you find your device if you lose it. | [Learn more](https://support.microsoft.com/help/11579/microsoft-account-find-and-lock-lost-windows-device) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) | | Tailored Experiences | Let Microsoft offer you tailored experiences based on the diagnostic data you choose to send. Tailored experiences include personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) | | Advertising Id | Apps can use advertising ID to provide more personalized advertising in accordance with the privacy policy of the app provider. 
| [Learn more](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) | [Privacy statement](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) | -| Activity History/Timeline – Cloud Sync | If you want Windows Timeline and other Windows features to help you continue what you were doing, even when you switch devices, send Microsoft your activity history, which includes info about websites you browse and how you use apps and services. | [Learn more](https://support.microsoft.com/help/4468227/windows-10-activity-history-and-your-privacy-microsoft-privacy) | [Privacy statement](https://privacy.microsoft.com/privacystatement#mainactivityhistorymodule) | -| Cortana |

                  Cortana is Microsoft’s personal digital assistant, which helps busy people get things done, even while they’re at work. Cortana on Windows is available in [certain regions and languages](https://support.microsoft.com/help/4026948/cortanas-regions-and-languages). Cortana learns from certain data about the user, such as location, searches, calendar, contacts, voice input, speech patterns, email, content, and communication history from text messages. In Microsoft Edge, Cortana uses browsing history. The user is in control of how much data is shared.

                  Cortana has powerful configuration options, specifically optimized for a business. By signing in with an Azure Active Directory (Azure AD) account, enterprise users can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.

                  | [Learn more](https://support.microsoft.com/help/4468233/cortana-and-privacy-microsoft-privacy)

                  [Cortana integration in your business or enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) | [Privacy statement](https://privacy.microsoft.com/privacystatement#maincortanamodule) | + ### 1.2 Data collection monitoring -[Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) is a Microsoft Store app (available in Windows 10, version 1803 and newer) that lets a user review the Windows diagnostic data that is being collected on their Windows 10 device and sent to Microsoft in real-time. DDV groups the information into simple categories that describe the data that’s being collected. +[Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) is a Microsoft Store app (available in Windows 10, version 1803 and later and Windows 11) that lets a user review the Windows diagnostic data that is being collected on their Windows device and sent to Microsoft in real-time. DDV groups the information into simple categories that describe the data that’s being collected. An administrator can also use the Diagnostic Data Viewer for PowerShell module to view the diagnostic data collected from the device instead of using the Diagnostic Data Viewer UI. The [Diagnostic Data Viewer for PowerShell Overview](microsoft-diagnosticdataviewer.md) provides further information. > [!Note] > If the Windows diagnostic data processor configuration is enabled, IT administrators should use the admin portal to fulfill data subject requests to access or export Windows diagnostic data associated with a particular user’s device usage. See [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). -## 2. Windows 10 data collection management +## 2. Windows data collection management -Windows 10 provides the ability to manage privacy settings through several different methods. Users can change their privacy settings using the Windows 10 settings (**Start > Settings > Privacy**). 
The organization can also manage the privacy settings using Group Policy or Mobile Device Management (MDM). The following sections provide an overview on how to manage the privacy settings previously discussed in this article. +Windows provides the ability to manage privacy settings through several different methods. Users can change their privacy settings by opening the Settings app in Windows, or the organization can also manage the privacy settings using Group Policy or Mobile Device Management (MDM). The following sections provide an overview on how to manage the privacy settings previously discussed in this article. ### 2.1 Privacy setting options for users -Once a Windows 10 device is set up, a user can manage data collection settings by navigating to **Start > Settings > Privacy**. Administrators can control privacy settings via setting policy on the device (see Section 2.2 below). If this is the case, the user will see an alert that says **Some settings are hidden or managed by your organization** when they navigate to **Start > Settings > Privacy**. In this case, the user can only change settings in accordance with the policies that the administrator has applied to the device. +Once a Windows device is set up, a user can manage data collection settings by opening the Settings app in Windows. Administrators can control privacy settings via setting policy on the device (see Section 2.2 below). If this is the case, the user will see an alert that says **Some settings are hidden or managed by your organization** when they navigate to the settings page. In this case, the user can only change settings in accordance with the policies that the administrator has applied to the device. ### 2.2 Privacy setting controls for administrators 
@@ -82,15 +80,15 @@ Administrators can configure and control privacy settings across their organizat The following table provides an overview of the privacy settings discussed earlier in this document with details on how to configure these policies. The table also provides information on what the default value would be for each of these privacy settings if you do not manage the setting by using policy and suppress the Out-of-box Experience (OOBE) during device setup. If you’re interested in minimizing data collection, we also provide the recommended value to set. > [!NOTE] -> This is not a complete list of settings that involve connecting to Microsoft services. For a more detailed list, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +> This is not a complete list of settings that involve managing data collection or connecting to connected experiences in Windows. For a more detailed list, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). -| Feature/Setting | GP/MDM Documentation | Default State if the Setup experience is suppressed | State to stop/minimize data collection | +| Connected experience /setting | GP/MDM documentation | Default state if the setup experience is suppressed | State to stop/minimize data collection | |---|---|---|---| | [Speech](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-speech) | Group Policy:
                  **Computer Configuration** > **Control Panel** > **Regional and Language Options** > **Allow users to enable online speech recognition services**

                  MDM: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off | Off | -| [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy:
                  **Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**

                  MDM: [Privacy/LetAppsAccessLocation](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off (Windows 10, version 1903 and later) | Off | +| [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy:
                  **Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**

                  MDM: [Privacy/LetAppsAccessLocation](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off (Windows 10, version 1903 and later and Windows 11) | Off | | [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy:
                  **Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**

                  MDM: [Experience/AllFindMyDevice](/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice) | Off | Off | -| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy:
                  **Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**

                  MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)

                  **Note**: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the state to minimize data collection is not recommended. See [Enabling the Windows diagnostic data processor configuration](#238-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration) below for more information. | Required diagnostic data (Windows 10, version 1903 and later)

                  Server editions:
                  Enhanced diagnostic data | Security (Off) and block endpoints | -| [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:
                  **Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**

                  MDM: [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later) | Off | +| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md) | Group Policy:
                  **Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry** (or **Allow diagnostic data** in Windows 11 or Windows Server 2022)

                  MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)

                  **Note**: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the state to minimize data collection is not recommended. For more information, see [Enabling the Windows diagnostic data processor configuration](#237-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration). | Required diagnostic data (Windows 10, version 1903 and later and Windows 11)

                  Server editions:
                  Enhanced diagnostic data | Security (Off) and block endpoints | +| [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:
                  **Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**

                  MDM: [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later and Windows 11) | Off | | Tailored Experiences | Group Policy:
                  **User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**

                  MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off | | Advertising ID | Group Policy:
                  **Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**

                  MDM: [Privacy/DisableAdvertisingId](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off | | Activity History/Timeline – Cloud Sync | Group Policy:
                  **Computer Configuration** > **System** > **OS Policies** > **Allow upload of User Activities**

                  MDM: [Privacy/EnableActivityFeed](/windows/client-management/mdm/policy-csp-privacy#privacy-enableactivityfeed) | Off | Off | 
@@ -108,55 +106,56 @@ If you want the ability to fully control and apply restrictions on data being se Alternatively, your administrators can also choose to use Windows Autopilot. Autopilot lessens the overall burden of deployment while allowing administrators to fully customize the out-of-box experience. However, since Windows Autopilot is a cloud-based solution, administrators should be aware that a minimal set of device identifiers are sent back to Microsoft during initial device boot up. This device-specific information is used to identify the device so that it can receive the administrator-configured Autopilot profile and policies. -You can use the following articles to learn more about Autopilot and how to use Autopilot to deploy Windows 10: +You can use the following articles to learn more about Autopilot and how to use Autopilot to deploy Windows: - [Overview of Windows Autopilot](/windows/deployment/windows-Autopilot/windows-Autopilot) - [Windows Autopilot deployment process](/windows/deployment/windows-Autopilot/deployment-process) -#### _2.3.2 Managing connections from Windows components to Microsoft services_ +#### _2.3.2 Managing Windows connected experiences and essential services_ -Administrators can manage the data sent from their organization to Microsoft by configuring settings associated with the functionality provided by Windows components. +Windows includes features that connect to the internet to provide enhanced experiences and additional service-based capabilities. These features are called connected experiences. For example, Microsoft Defender Antivirus is a connected experience that delivers updated protection to keep the devices in your organization secure. -For more details, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). 
This topic includes the different methods available on how to configure each setting, the impact to functionality, and which versions of Windows that are applicable. +Essential services are services in the product that connect to Microsoft to keep the product secure, up to date and performing as expected, or are integral to how the product works. For example, the licensing service that confirms that you’re properly licensed to use Windows. -#### _2.3.3 Managing Windows 10 connections_ +[Windows essential services and connected experiences](essential-services-and-connected-experiences.md) provides a list of the most common Windows essential services and connected experiences. -Some Windows components, apps, and related services transfer data to Microsoft network endpoints. An administrator may want to block these endpoints for their organization to meet their specific compliance objectives. +When a connected experience is used, data is sent to and processed by Microsoft to provide that connected experience. Administrators can manage the data sent from their organization to Microsoft by configuring settings that are associated with the functionality provided by Windows connected experiences and essential services. For more information, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). This article includes the different methods available to configure each setting, the impact to functionality, and the versions of Windows that are applicable. -[Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) provides a list of endpoints for the latest Windows 10 release, along with descriptions of any functionality that would be impacted by restricting data collection. 
Details for additional Windows versions can be found on the Windows Privacy site under the **Manage Windows 10 connection endpoints** section of the left-hand navigation menu. +The article [Manage connection endpoints for Windows 11 Enterprise](manage-windows-11-endpoints.md) provides a list of endpoints to which data is transferred by Windows connected experiences for the latest Windows release, along with descriptions of any functionality that would be impacted by restricting data collection. -#### _2.3.4 Limited functionality baseline_ +#### _2.3.3 Limited functionality baseline_ An organization may want to minimize the amount of data sent back to Microsoft or shared with Microsoft apps by managing the connections and configuring additional settings on their devices. Similar to [Windows security baselines](/windows/security/threat-protection/windows-security-baselines), Microsoft has released a limited functionality baseline focused on configuring settings to minimize the data sent back to Microsoft. However, the functionality of the device could be impacted by applying these settings. The [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) article provides details on how to apply the baseline, along with the full list of settings covered in the baseline and the functionality that would be impacted. Administrators that don’t want to apply the baseline can still find details on how to configure each setting individually to find the right balance between data sharing and impact to functionality for their organization. >[!IMPORTANT] > - We recommend that you fully test any modifications to these settings before deploying them in your organization. 
-> - We also recommend that if you plan to enable the Windows diagnostic data processor configuration, adjust the limited configuration baseline before deploying to ensure the Windows diagnostic setting is not turned off.
+> - We also recommend that if you plan to enable the Windows diagnostic data processor configuration, adjust the limited configuration baseline before deploying it to ensure the Windows diagnostic setting is not turned off.
-#### _2.3.5 Diagnostic data: Managing notifications for change of level at logon_
+#### _2.3.4 Diagnostic data: Managing notifications for change of level at logon_
-Starting with Windows 10, version 1803, if an administrator modifies the diagnostic data collection setting, users are notified of this change during the initial device sign in. For example, if you configure the device to send optional diagnostic data, users will be notified the next time they sign into the device. You can disable these notifications by using the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Configure telemetry opt-in change notifications** or the MDM policy `ConfigureTelemetryOptInChangeNotification`.
+Starting with Windows 10, version 1803 and Windows 11, if an administrator modifies the diagnostic data collection setting, users are notified of this change during the initial device sign in. For example, if you configure the device to send optional diagnostic data, users will be notified the next time they sign into the device. You can disable these notifications by using the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Configure telemetry opt-in change notifications** or the MDM policy `ConfigureTelemetryOptInChangeNotification`.
-#### _2.3.6 Diagnostic data: Managing end user choice for changing the setting_
+#### _2.3.5 Diagnostic data: Managing end user choice for changing the setting_
-Windows 10, version 1803 and newer allows users to change their diagnostic data level to a lower setting than what their administrator has set. For example, if you have configured the device to send optional diagnostic data, a user can change the setting so that only required diagnostic data is sent by going into **Settings** > **Privacy** > **Diagnostics & feedback**. Administrators can restrict a user’s ability to change the setting using **Setting** > **Privacy** by setting the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Configure telemetry opt-in setting user interface** or the MDM policy `ConfigureTelemetryOptInSettingsUx`.
+Windows 10, version 1803 and later and Windows 11 allows users to change their diagnostic data level to a lower setting than what their administrator has set. For example, if you have configured the device to send optional diagnostic data, a user can change the setting so that only required diagnostic data is sent by opening the Settings app in Windows and navigating to **Diagnostic & feedback**. Administrators can restrict a user’s ability to change the setting by enabling the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Configure telemetry opt-in setting user interface** or the MDM policy `ConfigureTelemetryOptInSettingsUx`.
-#### _2.3.7 Diagnostic data: Managing device-based data delete_ +#### _2.3.6 Diagnostic data: Managing device-based data delete_ -Windows 10, version 1809 and newer allows a user to delete diagnostic data collected from their device by using **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. An administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData) PowerShell cmdlet. +Windows 10, version 1809 and later and Windows 11 allow a user to delete diagnostic data collected from their device by opening the Settings app in Windows and navigating to **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. An administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData) PowerShell cmdlet. An administrator can disable a user’s ability to delete their device’s diagnostic data by setting the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Disable deleting diagnostic data** or the MDM policy `DisableDeviceDelete`. >[!Note] >If the Windows diagnostic data processor configuration is enabled, the Delete diagnostic data button will be disabled and the powershell cmdlet will not delete data collected under this configuration. IT administrators can instead delete diagnostic data collected by invoking a delete request from the admin portal. 
-#### _2.3.8 Diagnostic data: Enabling the Windows diagnostic data processor configuration_
+#### _2.3.7 Diagnostic data: Enabling the Windows diagnostic data processor configuration_
 **Applies to:**
-- Windows 10 Enterprise, Pro, Education editions, version 1809 with July 2021 update and newer
+- Windows 11 Enterprise, Professional, and Education editions
+- Windows 10 Enterprise, Professional, and Education, version 1809 with July 2021 update and newer
-The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows 10 devices that are Azure Active Directory (AAD) joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities.
+The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that are Azure Active Directory (AAD) joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities.
The Windows diagnostic data collected from devices enabled with the Windows diagnostic data processor configuration may be associated with a specific AAD User ID or device ID. The Windows diagnostic data processor configuration provides you with controls that help respond to data subject requests (DSRs) to delete diagnostic data, at user account closure, for a specific AAD User ID. Additionally, you’re able to execute an export DSR for diagnostic data related to a specific AAD User ID. For more information, see [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). Microsoft also will accommodate a tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for Windows diagnostic data, but still wish to remain an Azure customer. 
@@ -174,20 +173,20 @@ For more information on how Microsoft can help you honor rights and fulfill obli ## 3. The process for exercising data subject rights -This section discusses the different methods Microsoft provides for users and administrators to exercise data subject rights for data collected from a Windows 10 device. +This section discusses the different methods Microsoft provides for users and administrators to exercise data subject rights for data collected from a Windows device. For IT administrators who have devices using the Windows diagnostic data processor configuration, refer to the [Data Subject Requests for the GDPR and CCPA](/compliance/regulatory/gdpr-dsr-windows). Otherwise proceed to the sections below. ### 3.1 Delete -Users can delete their device-based data by going to **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. Administrators can also use the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData) PowerShell cmdlet. +Users can delete their device-based data by opening the Windows settings app and navigating to **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. Administrators can also use the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData) PowerShell cmdlet. >[!Note] >If the Windows diagnostic data processor configuration is being used, the Delete diagnostic data functionality will be disabled. IT administrators can delete diagnostic data associated with a user from the admin portal. ### 3.2 View -The [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) provides a view into the diagnostic data being collected from a Windows 10 device. 
Administrators can also use the [Get-DiagnosticData](microsoft-diagnosticdataviewer.md#install-and-use-the-diagnostic-data-viewer-for-powershell) PowerShell cmdlet. +The [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) provides a view into the diagnostic data being collected from a Windows device. Administrators can also use the [Get-DiagnosticData](microsoft-diagnosticdataviewer.md#install-and-use-the-diagnostic-data-viewer-for-powershell) PowerShell cmdlet. >[!Note] >If the Windows diagnostic data processor configuration is enabled, IT administrators can view the diagnostic data that is associated with a user from the admin portal. @@ -216,7 +215,7 @@ The following sections provide details about how privacy data is collected and m ### 5.1 Windows Server 2016 and newer -Windows Server follows the same mechanisms as Windows 10 for handling of personal data. +Windows Server follows the same mechanisms as Windows 10 (and newer versions) for handling of personal data. >[!Note] >The Windows diagnostic data processor configuration is not available for Windows Server. 
@@ -235,15 +234,15 @@ An administrator can configure privacy-related settings, such as choosing to onl ### 5.3 Desktop Analytics -[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a set of solutions for Azure portal that provide you with extensive data about the state of devices in your deployment. Desktop Analytics is a separate offering from Windows 10 and is dependent on enabling a minimum set of data collection on the device to function. +[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a set of solutions for Azure portal that provide you with extensive data about the state of devices in your deployment. Desktop Analytics is a separate offering from Windows and is dependent on enabling a minimum set of data collection on the device to function. ### 5.4 Microsoft Managed Desktop -[Microsoft Managed Desktop (MMD)](/microsoft-365/managed-desktop/service-description/) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows 10 Enterprise edition, Office 365 ProPlus, and Microsoft security services. +[Microsoft Managed Desktop (MMD)](/microsoft-365/managed-desktop/service-description/) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows Enterprise edition, Office 365 ProPlus, and Microsoft security services. ### 5.5 Update Compliance -[Update Compliance](/windows/deployment/update/update-compliance-monitor) is a service that enables organizations to monitor security, quality and feature updates for Windows 10 Professional, Education, and Enterprise editions, and view a report of device and update issues related to compliance that need attention. Update Compliance uses Windows 10 diagnostic data for all its reporting. 
+[Update Compliance](/windows/deployment/update/update-compliance-monitor) is a service that enables organizations to monitor security, quality and feature updates for Windows Professional, Education, and Enterprise editions, and view a report of device and update issues related to compliance that need attention. Update Compliance uses Windows diagnostic data for all its reporting. ## Additional Resources diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md new file mode 100644 index 0000000000..1e8dc3c6e9 --- /dev/null +++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md 
@@ -0,0 +1,246 @@ +--- +title: Windows 11 connection endpoints for non-Enterprise editions +description: Explains what Windows 11 endpoints are used in non-Enterprise editions. Specific to Windows 11. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: gental-giant +ms.author: v-hakima +manager: robsize +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 10/04/2021 +--- +# Windows 11 connection endpoints for non-Enterprise editions + + **Applies to** + +- Windows 11 + +In addition to the endpoints listed for [Windows 11 Enterprise](manage-windows-11-endpoints.md), the following endpoints are available on other non-Enterprise editions of Windows 11. + +The following methodology was used to derive the network endpoints: + +1. Set up the latest version of Windows 11 on a test virtual machine using the default settings. +2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. +7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. +8. These tests were conducted for one week. If you capture traffic for longer, you may have different results. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. 
+ +## Windows 11 Family + +| **Area** | **Description** | **Protocol** | **Destination** | +|-----------|--------------- |------------- |-----------------| +| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| +|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net| +||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net| +||Used for Spotify Live Tile|HTTPS/HTTP|spclient.wg.spotify.com| +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*| +|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*| +|||HTTPS/HTTP|fp.msedge.net| +|||HTTPS/HTTP|k-ring.msedge.net| +|||TLSv1.2|b-ring.msedge.net| +|Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*| +|Device Directory Service|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices.|HTTPS/HTTP|cs.dds.microsoft.com| +|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com| +|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
                  If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com| +|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*| +|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com| +|||HTTPS|licensing.mp.microsoft.com/v7.0/licenses/content| +|Location|The following endpoints are used for location data.|TLSV1.2|inference.location.live.net| +|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com| +|||HTTPS/HTTP|*.ssl.ak.dynamic.tiles.virtualearth.net| +|||HTTPS/HTTP|*.ssl.ak.tiles.virtualearth.net| +|||HTTPS/HTTP|dev.virtualearth.net| +|||HTTPS/HTTP|ecn.dev.virtualearth.net| +|||HTTPS/HTTP|ssl.bing.com| +|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com| +|Microsoft Edge| This network traffic is related to the Microsoft Edge browser. The Microsoft Edge browser requires these endpoint to contact external websites.|HTTPS/HTTP|edge.activity.windows.com
                  edge.microsoft.com| +|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTPS|storesdk.dsx.mp.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +||The following endpoints are used get images that are used for Microsoft Store suggestions|TLSv1.2|store-images.s-microsoft.com| +|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. 
NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|outlook.office365.com| +|||TLSv1.2/HTTPS|office.com| +|||TLSv1.2/HTTPS|blobs.officehome.msocdn.com| +|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net| +|||HTTP/HTTPS|*.blob.core.windows.net| +|||TLSv1.2|self.events.data.microsoft.com| +|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net| +|||HTTP|roaming.officeapps.live.com| +|||HTTPS/HTTP|substrate.office.com| +|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com| +|||TLSv1.2/HTTPS|oneclient.sfx.ms| +|||HTTPS/TLSv1.2|logincdn.msauth.net| +|||HTTPS/HTTP|windows.policies.live.net| +|||HTTPS/HTTP|api.onedrive.com| +|||HTTPS/HTTP|skydrivesync.policies.live.net| +|||HTTPS/HTTP|*storage.live.com| +|||HTTPS/HTTP|*settings.live.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*| +|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Microsoft Defender Antivirus|The following endpoints are used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com
                  wdcpalt.microsoft.com| +|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com| +|||TLSv1.2|definitionupdates.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com| +|||TLSv1.2/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*
                  ris.api.iris.microsoft.com| +|||HTTPS|mucp.api.account.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||TLSv1.2/HTTP|emdl.ws.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com| +|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com| +||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| +|Xbox Live|The following endpoints are used for Xbox Live.|TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com| +|||TLSv1.2/HTTPS|da.xboxservices.com| +|||HTTPS|www.xboxab.com| + + +## Windows 11 Pro + +| **Area** | **Description** | **Protocol** | **Destination** | +| --- | --- | --- | ---| +| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| +|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net| +||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net| +||Used for Spotify Live 
Tile|HTTPS/HTTP|spclient.wg.spotify.com| +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*| +|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*| +|Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*| +|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com| +|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
                  If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. |TLSv1.2/HTTP|v10.events.data.microsoft.com| +||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com| +|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*| +|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com| +|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com| +|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. |TLSv1.2/HTTPS/HTTP|*login.live.com| +|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates. |HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. 
This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTPS|storesdk.dsx.mp.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|outlook.office365.com| +|||TLSv1.2/HTTPS|office.com| +|||TLSv1.2/HTTPS|blobs.officehome.msocdn.com| +|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net| +|||HTTP/HTTPS|*.blob.core.windows.net| +|||TLSv1.2|self.events.data.microsoft.com| +|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net| +|||TLSv1.2/HTTPS/HTTP|officeclient.microsoft.com| +|||HTTPS/HTTP|substrate.office.com| +|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com| +|||TLSv1.2/HTTPS|oneclient.sfx.ms| +|||HTTPS/TLSv1.2|logincdn.msauth.net| +|||HTTPS/HTTP|windows.policies.live.net| +|||HTTPS/HTTP|*storage.live.com| +|||HTTPS/HTTP|*settings.live.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. 
Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*| +|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Microsoft Defender Antivirus|The following endpoints are used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com
                  wdcpalt.microsoft.com| +|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com| +|||TLSv1.2/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*
                  ris.api.iris.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||TLSv1.2/HTTP|emdl.ws.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com| +|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com| +||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| +|Xbox Live|The following endpoints are used for Xbox Live.|TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com| +|||TLSv1.2/HTTPS|da.xboxservices.com| + + + + +## Windows 11 Education + +| **Area** | **Description** | **Protocol** | **Destination** | +| --- | --- | --- | ---| +| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| +|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net| +||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net| +|Bing Search|The following endpoint is used by Microsoft Search in Bing enabling users to search across files, 
SharePoint sites, OneDrive content, Teams and Yammer conversations, and other shared data sources in an organization, as well as the web.|HTTPS|business.bing.com| +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*| +|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*| +|||HTTPS/HTTP|fp.msedge.net| +|||TLSv1.2|odinvzc.azureedge.net| +|||TLSv1.2|b-ring.msedge.net| +|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com| +|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
                  If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com| +|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*| +|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com| +|Location|The following endpoints are used for location data.|TLSV1.2|inference.location.live.net| +|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com| +|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com| +|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. 
This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|1storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTPS|storesdk.dsx.mp.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS|office.com| +|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net| +|||TLSv1.2|self.events.data.microsoft.com| +|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com| +|||TLSv1.2/HTTPS|oneclient.sfx.ms| +|||HTTPS/TLSv1.2|logincdn.msauth.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. 
Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*| +|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Microsoft Defender Antivirus|The following endpoints are used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com
                  wdcpalt.microsoft.com| +|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com| +|||TLSv1.2/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*
                  ris.api.iris.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||TLSv1.2/HTTP|emdl.ws.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com| +|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com| +||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| +|Xbox Live|The following endpoints are used for Xbox Live.|TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com| +|||TLSv1.2/HTTPS|da.xboxservices.com| diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md index f80e09a6a4..711144eaff 100644 --- a/windows/privacy/windows-diagnostic-data.md +++ b/windows/privacy/windows-diagnostic-data.md @@ -1,5 +1,5 @@ --- -title: Windows 10, version 1709 and newer optional diagnostic data (Windows 10) +title: Windows 10, version 1709 and Windows 11 and later optional diagnostic data (Windows 10) description: Use this article to learn about the types of optional diagnostic data that is collected. keywords: privacy,Windows 10 ms.prod: w10 
@@ -15,9 +15,12 @@ ms.topic: article ms.reviewer: --- -# Windows 10, version 1709 and newer optional diagnostic data +# Windows 10, version 1709 and later and Windows 11 optional diagnostic data Applies to: +- Windows 11 +- Windows 10, version 21H2 +- Windows 10, version 21H1 - Windows 10, version 20H2 - Windows 10, version 2004 - Windows 10, version 1909 
@@ -26,7 +29,7 @@ Applies to: - Windows 10, version 1803 - Windows 10, version 1709 -Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 20H2 required diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields). +Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of optional diagnostic data collected by Windows, with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 11 required diagnostic events and fields](/windows/privacy/required-windows-11-diagnostic-events-and-fields). In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944-1:2020 Information technology - Cloud computing - Cloud services and devices: Data flow, data categories, and data use](https://www.iso.org/standard/79573.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. 
These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard. @@ -44,7 +47,7 @@ The data covered in this article is grouped into the following types: Most diagnostic events contain a header of common data. In each example, the info in parentheses provides the equivalent definition for ISO/IEC 19944-1:2020. **Data Use for Common data extensions** -Header data supports the use of data associated with all diagnostic events. Therefore, Common data is used to [provide](#provide) Windows 10, and may be used to [improve](#improve), [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) Microsoft and third-party products and services, depending on the uses described in the **Data Use** statements for each data category. +Header data supports the use of data associated with all diagnostic events. Therefore, Common data is used to [provide](#provide) Windows 10 and Windows 11, and may be used to [improve](#improve), [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) Microsoft and third-party products and services, depending on the uses described in the **Data Use** statements for each data category. ### Data Description for Common data extensions type 
@@ -52,7 +55,7 @@ Header data supports the use of data associated with all diagnostic events. Ther Information that is added to most diagnostic events, if relevant and available: -- Diagnostic level - Basic or Full, Sample level - for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability) +- Diagnostic level - Required or Optional, Sample level - for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability) - Operating system name, version, build, and locale (8.2.3.2.2 Telemetry data) - Event collection time (8.2.3.2.2 Telemetry data) - User ID - a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic - diagnostic data (8.2.5 Account data) @@ -71,7 +74,7 @@ This type of data includes details about the device, its configuration and conne ### Data Use for Device, Connectivity, and Configuration data **For Diagnostics:**
                  -[Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft products and services. For example: +[Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 and Windows 11 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and Windows 11 and related Microsoft products and services. For example: - Device, Connectivity, and Configuration data is used to understand the unique device characteristics that can contribute to an error experienced on the device, to identify patterns, and to more quickly resolve problems that impact devices with unique hardware, capabilities, or settings. For example: @@ -81,10 +84,10 @@ This type of data includes details about the device, its configuration and conne - Data about device properties, such as the operating system version and available memory, is used to determine whether the device is due to, and able to, receive a Windows update. - Data about device peripherals is used to determine whether a device has installed drivers that might be negatively impacted by a Windows update. -- Data about which devices, peripherals, and settings are most-used by customers, is used to prioritize Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users. +- Data about which devices, peripherals, and settings are most-used by customers, is used to prioritize Windows 10 and Windows 11 improvements to determine the greatest positive impact to the most Windows 10 and Windows 11 users. **With (optional) Tailored experiences:**
                  -If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example: +If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 and Windows 11 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 and Windows 11 users. Also, if a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 and Windows 11 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 and Windows 11users. For example: - Data about device properties and capabilities is used to provide tips about how to use or configure the device to get the best performance and user experience. @@ -183,17 +186,17 @@ This type of data includes details about the usage of the device, operating syst ### Data Use for Product and Service Usage data **For Diagnostics:**
                  -[Pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example: +[Pseudonymized](#pseudo) Product and Service Usage data from Windows 10 and Windows 11 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and Windows 11 and related Microsoft product and services. For example: -- Data about the specific apps that are in-use when an error occurs is used to troubleshoot and repair issues with Windows features and Microsoft apps. -- Data about the specific apps that are most-used by customers, is used to prioritize Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users. +- Data about the specific apps that are in-use when an error occurs is used to troubleshoot and repair issues with Windows features and Microsoft apps. +- Data about the specific apps that are most-used by customers, is used to prioritize Windows 10 and Windows 11 improvements to determine the greatest positive impact to the most Windows 10 and Windows 11 users. - Data about whether devices have Suggestions turned off from the **Settings Phone** screen is to improve the Suggestions feature. - Data about whether a user canceled the authentication process in their browser is used to help troubleshoot issues with and improve the authentication process. - Data about when and what feature invoked Cortana is used to prioritize efforts for improvement and innovation in Cortana. - Data about when a context menu in the photo app is closed is used to troubleshoot and improve the photo app. **With (optional) Tailored experiences:**
                  -If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example: +If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 and Windows 11 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 and Windows 11 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 and Windows 11 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 and Windows 11 users. For example: - If data shows that a user has not used a particular feature of Windows, we might recommend that the user try that feature. - Data about which apps are most-used on a device is used to provide recommendations for similar or complementary (Microsoft or third-party) apps. These apps might be free or paid. @@ -247,15 +250,15 @@ This type of data includes details about the health of the device, operating sys ### Data Use for Product and Service Performance data **For Diagnostics:**
                  -[Pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example: +[Pseudonymized](#pseudo) Product and Service Performance data from Windows 10 and Windows 11 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and Windows 11 and related Microsoft product and services. For example: - Data about the reliability of content that appears in the [Windows Spotlight](/windows/configuration/windows-spotlight) (rotating lock screen images) is used for Windows Spotlight reliability investigations. - Timing data about how quickly Cortana responds to voice commands is used to improve Cortana listening performance. - Timing data about how quickly the facial recognition feature starts up and finishes is used to improve facial recognition performance. -- Data about when an Application Window fails to appear is used to investigate issues with Application Window reliability and performance. +- Data about when an application window fails to appear is used to investigate issues with application window reliability and performance. **With (optional) Tailored experiences:**
                  -If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. +If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 and Windows 11 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 and Windows 11 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 and Windows 11 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 and Windows 11 users. - Data about battery performance on a device may be used to recommend settings changes that can improve battery performance. - If data shows a device is running low on file storage, we may recommend Windows-compatible cloud storage solutions to free up space. @@ -360,7 +363,7 @@ This type of data includes software installation and update information on the d ### Data Use for Software Setup and Inventory data **For Diagnostics:**
                  -[Pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example: +[Pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 and Windows 11 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and Windows 11 and related Microsoft product and services. For example: - Data about the specific drivers that are installed on a device is used to understand whether there are any hardware or driver compatibility issues that should block or delay a Windows update. - Data about when a download starts and finishes on a device is used to understand and address download problems. @@ -368,7 +371,7 @@ This type of data includes software installation and update information on the d - Data about the antimalware installed on a device is used to understand malware transmissions vectors. **With (optional) Tailored experiences:**
                  -If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example: +If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 and Windows 11 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 and Windows 11 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 and Windows 11 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 and Windows 11 users. For example: - Data about the specific apps that are installed on a device is used to provide recommendations for similar or complementary apps in the Microsoft Store. @@ -402,7 +405,7 @@ This type of data includes details about web browsing in the Microsoft browsers. ### Data Use for Browsing History data **For Diagnostics:**
                  -[Pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example: +[Pseudonymized](#pseudo) Browsing History data from Windows 10 and Windows 11 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and Windows 11 and related Microsoft product and services. For example: - Data about when the **Block Content** dialog box has been shown is used for investigations of blocked content. - Data about potentially abusive or malicious domains is used to make updates to Microsoft Edge and Windows Defender SmartScreen to warn users about the domain. @@ -411,7 +414,7 @@ This type of data includes details about web browsing in the Microsoft browsers. - Data about when a default **Home** page is changed by a user is used to measure which default **Home** pages are the most popular and how often users change the default **Home** page. **With (optional) Tailored experiences:**
                  -If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example: +If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 and Windows 11 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 and Windows 11 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 and Windows 11 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 and Windows 11 users. For example: - We might recommend that a user download a compatible app from the Microsoft Store if they have browsed to the related website. For example, if a user uses the Facebook website, we may recommend the Facebook app. @@ -434,13 +437,13 @@ This type of data gathers details about the voice, inking, and typing input feat ### Data Use for Inking, Typing, and Speech Utterance data **For Diagnostics:**
                  -[Anonymized](#anon) Inking, Typing, and Speech Utterance data from Windows 10 is used by Microsoft to [improve](#improve) natural language capabilities in Microsoft products and services. For example: +[Anonymized](#anon) Inking, Typing, and Speech Utterance data from Windows 10 and Windows 11 is used by Microsoft to [improve](#improve) natural language capabilities in Microsoft products and services. For example: - Data about words marked as spelling mistakes and replaced with another word from the context menu is used to improve the spelling feature. - Data about alternate words shown and selected by the user after right-clicking is used to improve the word recommendation feature. - Data about autocorrected words that were restored back to the original word by the user is used to improve the autocorrect feature. - Data about whether Narrator detected and recognized a touch gesture is used to improve touch gesture recognition. -- Data about handwriting samples sent from the Handwriting Panel is used to help Microsoft improve handwriting recognition. +- Data about handwriting samples sent from the Handwriting Panel is used to help Microsoft improve handwriting recognition. **With (optional) Tailored experiences:** 
@@ -455,7 +458,6 @@ This type of data gathers details about the voice, inking, and typing input feat - Palm Touch x,y coordinates - Input latency, missed pen signals, number of frames, strokes, first frame commit time, and sample rate - Ink strokes written, text before and after the ink insertion point, recognized text entered, input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and - numeric values), which could be used to reconstruct the original content or associate the input to the user -- Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user - Text of speech recognition results - result codes and recognized text - Language and model of the recognizer and the System Speech language - App ID using speech features diff --git a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md new file mode 100644 index 0000000000..6fde4a825a --- /dev/null +++ b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md 
@@ -0,0 +1,260 @@
+---
+title: Windows 10, version 21H1, connection endpoints for non-Enterprise editions
+description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 21H1.
+keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+audience: ITPro
+author: gental-giant
+ms.author: v-hakima
+manager: robsize
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 10/04/2021
+---
+# Windows 10, version 21H1, connection endpoints for non-Enterprise editions
+
+ **Applies to**
+
+- Windows 10 Home, version 21H1
+- Windows 10 Professional, version 21H1
+- Windows 10 Education, version 21H1
+
+In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-21H1-endpoints.md), the following endpoints are available on other non-Enterprise editions of Windows 10, version 21H1.
+
+The following methodology was used to derive the network endpoints:
+
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
+6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
+8. These tests were conducted for one week. If you capture traffic for longer, you may have different results.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. 
For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+## Windows 10 Family
+
+| **Area** | **Description** | **Protocol** | **Destination** |
+|-----------|--------------- |------------- |-----------------|
+| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com|
+|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
+||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
+||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
+||Used for Spotify Live Tile|HTTPS/HTTP|spclient.wg.spotify.com|
+|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
+|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
+|||HTTPS/HTTP|fp.msedge.net|
+|||HTTPS/HTTP|k-ring.msedge.net|
+|||TLSv1.2|b-ring.msedge.net|
+|Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*|
+|Device Directory Service|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices.|HTTPS/HTTP|cs.dds.microsoft.com|
+|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com|
+|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft 
Data Management service.
                  If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
+||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
+|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
+|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com|
+|||HTTPS|licensing.mp.microsoft.com/v7.0/licenses/content|
+|Location|The following endpoints are used for location data.|TLSV1.2|inference.location.live.net|
+|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com|
+|||HTTPS/HTTP|*.ssl.ak.dynamic.tiles.virtualearth.net|
+|||HTTPS/HTTP|*.ssl.ak.tiles.virtualearth.net|
+|||HTTPS/HTTP|dev.virtualearth.net|
+|||HTTPS/HTTP|ecn.dev.virtualearth.net|
+|||HTTPS/HTTP|ssl.bing.com|
+|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com|
+|Microsoft Edge|The following endpoints are used for Microsoft Edge Browser Services.|HTTPS/HTTP|edge.activity.windows.com|
+|||HTTPS/HTTP|edge.microsoft.com|
+||The following endpoint is used by Microsoft Edge Update service to check for new updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com|
+|Microsoft forward link redirection|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. 
FWlinks are similar to URL shorteners, just longer|HTTP|go.microsoft.com/fwlink/|
+|||TLSv1.2/HTTPS/HTTP|go.microsoft.com|
+|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
+||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
+||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
+||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
+|||HTTPS|pti.store.microsoft.com|
+|||HTTPS|storesdk.dsx.mp.microsoft.com|
+||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
+||The following endpoints are used get images that are used for Microsoft Store suggestions|TLSv1.2|store-images.s-microsoft.com|
+|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. 
NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*|
+|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|outlook.office365.com|
+|||TLSv1.2/HTTPS|office.com|
+|||TLSv1.2/HTTPS|blobs.officehome.msocdn.com|
+|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net|
+|||HTTP/HTTPS|*.blob.core.windows.net|
+|||TLSv1.2|self.events.data.microsoft.com|
+|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
+|||HTTP|roaming.officeapps.live.com|
+|||HTTPS/HTTP|substrate.office.com|
+|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com|
+|||TLSv1.2/HTTPS|oneclient.sfx.ms|
+|||HTTPS/TLSv1.2|logincdn.msauth.net|
+|||HTTPS/HTTP|windows.policies.live.net|
+|||HTTPS/HTTP|api.onedrive.com|
+|||HTTPS/HTTP|skydrivesync.policies.live.net|
+|||HTTPS/HTTP|*storage.live.com|
+|||HTTPS/HTTP|*settings.live.net|
+|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. 
Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*|
+|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*|
+|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
+|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
+|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com|
+||||wdcpalt.microsoft.com|
+|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
+|||TLSv1.2|definitionupdates.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com|
+|||TLSv1.2/HTTP|checkappexec.microsoft.com|
+|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*|
+|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com|
+|||HTTPS|mucp.api.account.microsoft.com|
+|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
+|||TLSv1.2/HTTP|emdl.ws.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
+||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com|
+|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
+||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
+||The following 
endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com|
+||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
+|Xbox Live|The following endpoints are used for Xbox Live.|
+|||TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
+|||TLSv1.2/HTTPS|da.xboxservices.com|
+|||HTTPS|www.xboxab.com|
+|
+
+## Windows 10 Pro
+
+| **Area** | **Description** | **Protocol** | **Destination** |
+| --- | --- | --- | ---|
+| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com|
+|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
+||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
+||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
+||Used for Spotify Live Tile|HTTPS/HTTP|spclient.wg.spotify.com|
+|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
+|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
+|Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*|
+|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com|
+|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
                  If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
+||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
+|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
+|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com|
+|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com|
+|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com|
+|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com|
+|Microsoft forward link redirection|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer|TLSv1.2/HTTPS/HTTP|go.microsoft.com|
+|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
+||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. 
This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTPS|storesdk.dsx.mp.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|outlook.office365.com| +|||TLSv1.2/HTTPS|office.com| +|||TLSv1.2/HTTPS|blobs.officehome.msocdn.com| +|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net| +|||HTTP/HTTPS|*.blob.core.windows.net| +|||TLSv1.2|self.events.data.microsoft.com| +|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net| +|||TLSv1.2/HTTPS/HTTP|officeclient.microsoft.com| +|||HTTPS/HTTP|substrate.office.com| +|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com| +|||TLSv1.2/HTTPS|oneclient.sfx.ms| +|||HTTPS/TLSv1.2|logincdn.msauth.net| +|||HTTPS/HTTP|windows.policies.live.net| +|||HTTPS/HTTP|*storage.live.com| +|||HTTPS/HTTP|*settings.live.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. 
Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*| +|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com| +||||wdcpalt.microsoft.com| +|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com| +|||TLSv1.2/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*| +|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||TLSv1.2/HTTP|emdl.ws.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com| +|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com| 
+||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| +|Xbox Live|The following endpoints are used for Xbox Live.| +|||TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com| +|||TLSv1.2/HTTPS|da.xboxservices.com| +| + +## Windows 10 Education + +| **Area** | **Description** | **Protocol** | **Destination** | +| --- | --- | --- | ---| +| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com| +|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net| +||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net| +|Bing Search|The following endpoint is used by Microsoft Search in Bing enabling users to search across files, SharePoint sites, OneDrive content, Teams and Yammer conversations, and other shared data sources in an organization, as well as the web.|HTTPS|business.bing.com| +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*| +|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*| +|||HTTPS/HTTP|fp.msedge.net| +|||TLSv1.2|odinvzc.azureedge.net| +|||TLSv1.2|b-ring.msedge.net| +|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com| +|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry 
component and connects to the Microsoft Data Management service.
                  If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com| +||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com| +|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*| +|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com| +|Location|The following endpoints are used for location data.|TLSV1.2|inference.location.live.net| +|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com| +|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com| +|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft forward link redirection|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer|TLSv1.2/HTTPS/HTTP|go.microsoft.com| +|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. 
This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|1storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTPS|storesdk.dsx.mp.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS|office.com| +|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net| +|||TLSv1.2|self.events.data.microsoft.com| +|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com| +|||TLSv1.2/HTTPS|oneclient.sfx.ms| +|||HTTPS/TLSv1.2|logincdn.msauth.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. 
Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*| +|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com| +||||wdcpalt.microsoft.com| +|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com| +|||TLSv1.2/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*| +|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||TLSv1.2/HTTP|emdl.ws.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com| +|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com| 
+||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| +|Xbox Live|The following endpoints are used for Xbox Live.| +|||TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com| +|||TLSv1.2/HTTPS|da.xboxservices.com| diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 70e61e303f..d150e02df0 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml 
@@ -1,9 +1,470 @@ -- name: Security + +- name: Windows security href: index.yml +- name: Zero Trust and Windows + href: zero-trust-windows-device-health.md + expanded: true +- name: Hardware security items: - - name: Identity and access management - href: identity-protection/index.md - - name: Information protection - href: information-protection/index.md - - name: Threat protection - href: threat-protection/index.md + - name: Overview + href: hardware.md + - name: Trusted Platform Module + href: information-protection/tpm/trusted-platform-module-top-node.md + items: + - name: Trusted Platform Module Overview + href: information-protection/tpm/trusted-platform-module-overview.md + - name: TPM fundamentals + href: information-protection/tpm/tpm-fundamentals.md + - name: How Windows uses the TPM + href: information-protection/tpm/how-windows-uses-the-tpm.md + - name: TPM Group Policy settings + href: information-protection/tpm/trusted-platform-module-services-group-policy-settings.md + - name: Back up the TPM recovery information to AD DS + href: information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md + - name: View status, clear, or troubleshoot the TPM + href: information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md + - name: Understanding PCR banks on TPM 2.0 devices + href: information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md + - name: TPM recommendations + href: information-protection/tpm/tpm-recommendations.md + - name: Hardware-based root of trust + href: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md + - name: System Guard Secure Launch and SMM protection + href: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md + - name: Enable virtualization-based protection of code integrity + href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md + - name: Kernel DMA Protection + 
href: information-protection/kernel-dma-protection-for-thunderbolt.md + - name: Windows secured-core devices + href: /windows-hardware/design/device-experiences/oem-highly-secure +- name: Operating system security + items: + - name: Overview + href: operating-system.md + - name: System security + items: + - name: Secure the Windows boot process + href: information-protection/secure-the-windows-10-boot-process.md + - name: Trusted Boot + href: trusted-boot.md + - name: Cryptography and certificate management + href: cryptography-certificate-mgmt.md + - name: The Windows Security app + href: threat-protection/windows-defender-security-center/windows-defender-security-center.md + items: + - name: Virus & threat protection + href: threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md + - name: Account protection + href: threat-protection\windows-defender-security-center\wdsc-account-protection.md + - name: Firewall & network protection + href: threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md + - name: App & browser control + href: threat-protection\windows-defender-security-center\wdsc-app-browser-control.md + - name: Device security + href: threat-protection\windows-defender-security-center\wdsc-device-security.md + - name: Device performance & health + href: threat-protection\windows-defender-security-center\wdsc-device-performance-health.md + - name: Family options + href: threat-protection\windows-defender-security-center\wdsc-family-options.md + - name: Security policy settings + href: threat-protection/security-policy-settings/security-policy-settings.md + - name: Security auditing + href: threat-protection/auditing/security-auditing-overview.md + - name: Encryption and data protection + href: encryption-data-protection.md + items: + - name: Encrypted Hard Drive + href: information-protection/encrypted-hard-drive.md + - name: BitLocker + href: information-protection/bitlocker/bitlocker-overview.md 
+ items: + - name: Overview of BitLocker Device Encryption in Windows + href: information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md + - name: BitLocker frequently asked questions (FAQ) + href: information-protection/bitlocker/bitlocker-frequently-asked-questions.yml + items: + - name: Overview and requirements + href: information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml + - name: Upgrading + href: information-protection/bitlocker/bitlocker-upgrading-faq.yml + - name: Deployment and administration + href: information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml + - name: Key management + href: information-protection/bitlocker/bitlocker-key-management-faq.yml + - name: BitLocker To Go + href: information-protection/bitlocker/bitlocker-to-go-faq.yml + - name: Active Directory Domain Services + href: information-protection/bitlocker/bitlocker-and-adds-faq.yml + - name: Security + href: information-protection/bitlocker/bitlocker-security-faq.yml + - name: BitLocker Network Unlock + href: information-protection/bitlocker/bitlocker-network-unlock-faq.yml + - name: General + href: information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml + - name: "Prepare your organization for BitLocker: Planning and policies" + href: information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md + - name: BitLocker deployment comparison + href: information-protection/bitlocker/bitlocker-deployment-comparison.md + - name: BitLocker basic deployment + href: information-protection/bitlocker/bitlocker-basic-deployment.md + - name: Deploy BitLocker on Windows Server 2012 and later + href: information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md + - name: BitLocker management for enterprises + href: information-protection/bitlocker/bitlocker-management-for-enterprises.md + - name: Enable Network Unlock with BitLocker + href: 
information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md + - name: Use BitLocker Drive Encryption Tools to manage BitLocker + href: information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md + - name: Use BitLocker Recovery Password Viewer + href: information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md + - name: BitLocker Group Policy settings + href: information-protection/bitlocker/bitlocker-group-policy-settings.md + - name: BCD settings and BitLocker + href: information-protection/bitlocker/bcd-settings-and-bitlocker.md + - name: BitLocker Recovery Guide + href: information-protection/bitlocker/bitlocker-recovery-guide-plan.md + - name: BitLocker Countermeasures + href: information-protection/bitlocker/bitlocker-countermeasures.md + - name: Protecting cluster shared volumes and storage area networks with BitLocker + href: information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md + - name: Troubleshoot BitLocker + items: + - name: Troubleshoot BitLocker + href: information-protection/bitlocker/troubleshoot-bitlocker.md + - name: "BitLocker cannot encrypt a drive: known issues" + href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md + - name: "Enforcing BitLocker policies by using Intune: known issues" + href: information-protection/bitlocker/ts-bitlocker-intune-issues.md + - name: "BitLocker Network Unlock: known issues" + href: information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md + - name: "BitLocker recovery: known issues" + href: information-protection/bitlocker/ts-bitlocker-recovery-issues.md + - name: "BitLocker configuration: known issues" + href: information-protection/bitlocker/ts-bitlocker-config-issues.md + - name: Troubleshoot BitLocker and TPM issues + items: + - name: "BitLocker cannot encrypt a drive: known TPM issues" + href: 
information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md + - name: "BitLocker and TPM: other known issues" + href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md + - name: Decode Measured Boot logs to track PCR changes + href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md + - name: Configure S/MIME for Windows + href: identity-protection/configure-s-mime.md + - name: Network security + items: + - name: VPN technical guide + href: identity-protection/vpn/vpn-guide.md + items: + - name: VPN connection types + href: identity-protection/vpn/vpn-connection-type.md + - name: VPN routing decisions + href: identity-protection/vpn/vpn-routing.md + - name: VPN authentication options + href: identity-protection/vpn/vpn-authentication.md + - name: VPN and conditional access + href: identity-protection/vpn/vpn-conditional-access.md + - name: VPN name resolution + href: identity-protection/vpn/vpn-name-resolution.md + - name: VPN auto-triggered profile options + href: identity-protection/vpn/vpn-auto-trigger-profile.md + - name: VPN security features + href: identity-protection/vpn/vpn-security-features.md + - name: VPN profile options + href: identity-protection/vpn/vpn-profile-options.md + - name: How to configure Diffie Hellman protocol over IKEv2 VPN connections + href: identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md + - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections + href: identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md + - name: Optimizing Office 365 traffic with the Windows VPN client + href: identity-protection/vpn/vpn-office-365-optimization.md + - name: Windows Defender Firewall + href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md + - name: Windows security baselines + href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md + 
items: + - name: Security Compliance Toolkit + href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md + - name: Get support + href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md + - name: Virus & threat protection + items: + - name: Overview + href: threat-protection/index.md + - name: Microsoft Defender Antivirus + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows + - name: Attack surface reduction rules + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction + - name: Tamper protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection + - name: Network protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection + - name: Controlled folder access + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders + - name: Exploit protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection + - name: Microsoft Defender for Endpoint + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint + - name: Security intelligence + href: threat-protection/intelligence/index.md + items: + - name: Understand malware & other threats + href: threat-protection/intelligence/understanding-malware.md + items: + - name: Prevent malware infection + href: threat-protection/intelligence/prevent-malware-infection.md + - name: Malware names + href: threat-protection/intelligence/malware-naming.md + - name: Coin miners + href: threat-protection/intelligence/coinminer-malware.md + - name: Exploits and exploit kits + href: threat-protection/intelligence/exploits-malware.md + - name: Fileless threats + href: threat-protection/intelligence/fileless-threats.md + - name: Macro 
malware + href: threat-protection/intelligence/macro-malware.md + - name: Phishing + href: threat-protection/intelligence/phishing.md + - name: Ransomware + href: /security/compass/human-operated-ransomware + - name: Rootkits + href: threat-protection/intelligence/rootkits-malware.md + - name: Supply chain attacks + href: threat-protection/intelligence/supply-chain-malware.md + - name: Tech support scams + href: threat-protection/intelligence/support-scams.md + - name: Trojans + href: threat-protection/intelligence/trojans-malware.md + - name: Unwanted software + href: threat-protection/intelligence/unwanted-software.md + - name: Worms + href: threat-protection/intelligence/worms-malware.md + - name: How Microsoft identifies malware and PUA + href: threat-protection/intelligence/criteria.md + - name: Submit files for analysis + href: threat-protection/intelligence/submission-guide.md + - name: Safety Scanner download + href: threat-protection/intelligence/safety-scanner-download.md + - name: Industry collaboration programs + href: threat-protection/intelligence/cybersecurity-industry-partners.md + items: + - name: Virus information alliance + href: threat-protection/intelligence/virus-information-alliance-criteria.md + - name: Microsoft virus initiative + href: threat-protection/intelligence/virus-initiative-criteria.md + - name: Coordinated malware eradication + href: threat-protection/intelligence/coordinated-malware-eradication.md + - name: Information for developers + items: + - name: Software developer FAQ + href: threat-protection/intelligence/developer-faq.yml + - name: Software developer resources + href: threat-protection/intelligence/developer-resources.md + - name: More Windows security + items: + - name: Override Process Mitigation Options to help enforce app-related security policies + href: threat-protection/override-mitigation-options-for-app-related-security-policies.md + - name: Use Windows Event Forwarding to help with intrusion detection + href: 
threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md + - name: Block untrusted fonts in an enterprise + href: threat-protection/block-untrusted-fonts-in-enterprise.md + - name: Windows Information Protection (WIP) + href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md + items: + - name: Create a WIP policy using Microsoft Intune + href: information-protection/windows-information-protection/overview-create-wip-policy.md + items: + - name: Create a WIP policy with MDM using the Azure portal for Microsoft Intune + href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md + items: + - name: Deploy your WIP policy using the Azure portal for Microsoft Intune + href: information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md + - name: Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune + href: information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md + - name: Create and verify an EFS Data Recovery Agent (DRA) certificate + href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md + - name: Determine the Enterprise Context of an app running in WIP + href: information-protection/windows-information-protection/wip-app-enterprise-context.md + - name: Create a WIP policy using Microsoft Endpoint Configuration Manager + href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md + items: + - name: Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager + href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md + - name: Create and verify an EFS Data Recovery Agent (DRA) certificate + href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md + - name: Determine 
the Enterprise Context of an app running in WIP + href: information-protection/windows-information-protection/wip-app-enterprise-context.md + - name: Mandatory tasks and settings required to turn on WIP + href: information-protection/windows-information-protection/mandatory-settings-for-wip.md + - name: Testing scenarios for WIP + href: information-protection/windows-information-protection/testing-scenarios-for-wip.md + - name: Limitations while using WIP + href: information-protection/windows-information-protection/limitations-with-wip.md + - name: How to collect WIP audit event logs + href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md + - name: General guidance and best practices for WIP + href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md + items: + - name: Enlightened apps for use with WIP + href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md + - name: Unenlightened and enlightened app behavior while using WIP + href: information-protection/windows-information-protection/app-behavior-with-wip.md + - name: Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP + href: information-protection/windows-information-protection/recommended-network-definitions-for-wip.md + - name: Using Outlook Web Access with WIP + href: information-protection/windows-information-protection/using-owa-with-wip.md + - name: Fine-tune WIP Learning + href: information-protection/windows-information-protection/wip-learning.md +- name: Application security + items: + - name: Overview + href: apps.md + - name: Windows Defender Application Control and virtualization-based protection of code integrity + href: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md + - name: Windows Defender Application Control + href: 
threat-protection\windows-defender-application-control\windows-defender-application-control.md + - name: Microsoft Defender Application Guard + href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md + - name: Windows Sandbox + href: threat-protection/windows-sandbox/windows-sandbox-overview.md + items: + - name: Windows Sandbox architecture + href: threat-protection/windows-sandbox/windows-sandbox-architecture.md + - name: Windows Sandbox configuration + href: threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md + - name: Microsoft Defender SmartScreen overview + href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md + - name: Configure S/MIME for Windows + href: identity-protection\configure-s-mime.md + - name: Windows Credential Theft Mitigation Guide Abstract + href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md +- name: User security and secured identity + items: + - name: Overview + href: identity.md + - name: Windows Hello for Business + href: identity-protection/hello-for-business/index.yml + - name: Windows credential theft mitigation guide + href: identity-protection/windows-credential-theft-mitigation-guide-abstract.md + - name: Enterprise Certificate Pinning + href: identity-protection/enterprise-certificate-pinning.md + - name: Protect derived domain credentials with Credential Guard + href: identity-protection/credential-guard/credential-guard.md + items: + - name: How Credential Guard works + href: identity-protection/credential-guard/credential-guard-how-it-works.md + - name: Credential Guard Requirements + href: identity-protection/credential-guard/credential-guard-requirements.md + - name: Manage Credential Guard + href: identity-protection/credential-guard/credential-guard-manage.md + - name: Hardware readiness tool + href: identity-protection/credential-guard/dg-readiness-tool.md + - name: Credential Guard protection 
limits + href: identity-protection/credential-guard/credential-guard-protection-limits.md + - name: Considerations when using Credential Guard + href: identity-protection/credential-guard/credential-guard-considerations.md + - name: "Credential Guard: Additional mitigations" + href: identity-protection/credential-guard/additional-mitigations.md + - name: "Credential Guard: Known issues" + href: identity-protection/credential-guard/credential-guard-known-issues.md + - name: Protect Remote Desktop credentials with Remote Credential Guard + href: identity-protection/remote-credential-guard.md + - name: Technical support policy for lost or forgotten passwords + href: identity-protection/password-support-policy.md + - name: Access Control Overview + href: identity-protection/access-control/access-control.md + items: + - name: Dynamic Access Control Overview + href: identity-protection/access-control/dynamic-access-control.md + - name: Security identifiers + href: identity-protection/access-control/security-identifiers.md + - name: Security Principals + href: identity-protection/access-control/security-principals.md + - name: Local Accounts + href: identity-protection/access-control/local-accounts.md + - name: Active Directory Accounts + href: identity-protection/access-control/active-directory-accounts.md + - name: Microsoft Accounts + href: identity-protection/access-control/microsoft-accounts.md + - name: Service Accounts + href: identity-protection/access-control/service-accounts.md + - name: Active Directory Security Groups + href: identity-protection/access-control/active-directory-security-groups.md + - name: Special Identities + href: identity-protection/access-control/special-identities.md + - name: User Account Control + href: identity-protection/user-account-control/user-account-control-overview.md + items: + - name: How User Account Control works + href: identity-protection/user-account-control/how-user-account-control-works.md + - name: User Account Control 
security policy settings + href: identity-protection/user-account-control/user-account-control-security-policy-settings.md + - name: User Account Control Group Policy and registry key settings + href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md + - name: Smart Cards + href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md + items: + - name: How Smart Card Sign-in Works in Windows + href: identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md + items: + - name: Smart Card Architecture + href: identity-protection/smart-cards/smart-card-architecture.md + - name: Certificate Requirements and Enumeration + href: identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md + - name: Smart Card and Remote Desktop Services + href: identity-protection/smart-cards/smart-card-and-remote-desktop-services.md + - name: Smart Cards for Windows Service + href: identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md + - name: Certificate Propagation Service + href: identity-protection/smart-cards/smart-card-certificate-propagation-service.md + - name: Smart Card Removal Policy Service + href: identity-protection/smart-cards/smart-card-removal-policy-service.md + - name: Smart Card Tools and Settings + href: identity-protection/smart-cards/smart-card-tools-and-settings.md + items: + - name: Smart Cards Debugging Information + href: identity-protection/smart-cards/smart-card-debugging-information.md + - name: Smart Card Group Policy and Registry Settings + href: identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md + - name: Smart Card Events + href: identity-protection/smart-cards/smart-card-events.md + - name: Virtual Smart Cards + href: identity-protection/virtual-smart-cards/virtual-smart-card-overview.md + items: + - name: Understanding and Evaluating Virtual Smart Cards + href: 
identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md + items: + - name: "Get Started with Virtual Smart Cards: Walkthrough Guide" + href: identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md + - name: Use Virtual Smart Cards + href: identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md + - name: Deploy Virtual Smart Cards + href: identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md + - name: Evaluate Virtual Smart Card Security + href: identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md + - name: Tpmvscmgr + href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md +- name: Cloud services + items: + - name: Overview + href: cloud.md + - name: Mobile device management + href: https://docs.microsoft.com/windows/client-management/mdm/ + - name: Windows 365 Cloud PCs + href: /windows-365/overview + - name: Azure Virtual Desktop + href: /azure/virtual-desktop/ +- name: Security foundations + items: + - name: Overview + href: security-foundations.md + - name: Microsoft Security Development Lifecycle + href: threat-protection/msft-security-dev-lifecycle.md + - name: Microsoft Bug Bounty Program + href: threat-protection/microsoft-bug-bounty-program.md + - name: FIPS 140-2 Validation + href: threat-protection/fips-140-validation.md + - name: Common Criteria Certifications + href: threat-protection/windows-platform-common-criteria.md +- name: Windows Privacy + href: /windows/privacy/windows-10-and-privacy-compliance diff --git a/windows/security/apps.md b/windows/security/apps.md new file mode 100644 index 0000000000..e376d06d98 --- /dev/null +++ b/windows/security/apps.md 
@@ -0,0 +1,28 @@
+---
+title: Windows application security
+description: Get an overview of application security in Windows 10 and Windows 11
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: dansimp
+ms.collection: M365-security-compliance
+ms.prod: m365-security
+ms.technology: windows-sec
+---
+
+# Windows application security
+
+Cyber-criminals regularly gain access to valuable data by hacking applications. This can include “code injection” attacks, in which attackers insert malicious code that can tamper with data, or even destroy it. An application may have its security misconfigured, leaving open doors for hackers. Or vital customer and corporate information may leave sensitive data exposed. Windows protects your valuable data with layers of application security.
+
+The following table summarizes the Windows security features and capabilities for apps:

                  + +| Security Measures | Features & Capabilities | +|:---|:---| +| Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](threat-protection/windows-defender-application-control/windows-defender-application-control.md) | +| Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md). | +| Windows Sandbox | Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Learn more: [Windows Sandbox](threat-protection\windows-sandbox\windows-sandbox-overview.md) +| Email Security | With Windows S/MIME email security, users can encrypt outgoing messages and attachments, so only intended recipients with digital identification (ID)—also called a certificate—can read them. 
Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.[Configure S/MIME for Windows 10](identity-protection/configure-s-mime.md) |
+| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. Learn more: [Microsoft Defender SmartScreen overview](threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) |
diff --git a/windows/security/cloud.md b/windows/security/cloud.md
new file mode 100644
index 0000000000..7bccc2aa84
--- /dev/null
+++ b/windows/security/cloud.md
@@ -0,0 +1,39 @@
+---
+title: Windows and cloud security
+description: Get an overview of cloud services supported in Windows 11 and Windows 10
+ms.reviewer:
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+audience: ITPro
+ms.topic: conceptual
+ms.date: 09/20/2021
+ms.localizationpriority: medium
+ms.custom:
+f1.keywords: NOCSH
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+search.appverid: MET150
+ms.collection: M365-security-compliance
+ms.prod: m365-security
+ms.technology: windows-sec
+---
+
+# Windows and cloud security
+
+Today’s workforce has more freedom and mobility than ever before. With the growth of enterprise cloud adoption, increased personal app usage, and increased use of third-party apps, the risk of data exposure is at its highest. Enabling Zero-Trust protection, Windows 11 works with Microsoft cloud services. Windows and cloud services together help organizations strengthen their multi-cloud security infrastructure, protect hybrid cloud workloads, and safeguard sensitive information while controlling access and mitigating threats.
+
+Windows 11 includes the cloud services that are listed in the following table:

                  + +| Service type | Description | +|:---|:---| +| Mobile device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

                  Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

                  To learn more, see [Mobile device management](/windows/client-management/mdm/). | +| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

                  The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

                  To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).| +| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

                  The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).

                  In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). | +| Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

                  With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

                  To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | + +## Next steps + +- [Learn more about MDM and Windows 11](/windows/client-management/mdm/) +- [Learn more about Windows security](index.yml) \ No newline at end of file diff --git a/windows/security/cryptography-certificate-mgmt.md b/windows/security/cryptography-certificate-mgmt.md new file mode 100644 index 0000000000..7c781c1bdf --- /dev/null +++ b/windows/security/cryptography-certificate-mgmt.md 
@@ -0,0 +1,43 @@
+---
+title: Cryptography and Certificate Management
+description: Get an overview of cryptography and certificate management in Windows
+search.appverid: MET150
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+audience: ITPro
+ms.topic: conceptual
+ms.date: 09/07/2021
+ms.prod: m365-security
+ms.technology: windows-sec
+ms.localizationpriority: medium
+ms.collection:
+ms.custom:
+ms.reviewer: skhadeer, raverma
+f1.keywords: NOCSH
+---
+
+# Cryptography and Certificate Management
+
+
+## Cryptography
+
+Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets.
+
+Cryptography in Windows is Federal Information Processing Standards (FIPS) 140 certified. FIPS 140 certification ensures that US government approved algorithms are being used (RSA for signing, ECDH with NIST curves for key agreement, AES for symmetric encryption, and SHA2 for hashing), tests module integrity to prove that no tampering has occurred and proves the randomness for entropy sources.
+
+Windows cryptographic modules provide low-level primitives such as:
+
+- Random number generators (RNG)
+- Symmetric and asymmetric encryption (support for AES 128/256 and RSA 512 to 16384, in 64-bit increments and ECDSA over NIST-standard prime curves P-256, P-384, P-521)
+- Hashing (support for SHA-256, SHA-384, and SHA-512)
+- Signing and verification (padding support for OAEP, PSS, PKCS1)
+- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521, and HKDF)
+
+These modules are natively exposed on Windows through the Crypto API (CAPI) and the Cryptography Next Generation API (CNG) which is powered by Microsoft's open-source cryptographic library SymCrypt. Application developers can use these APIs to perform low-level cryptographic operations (BCrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG).
+
+## Certificate management
+
+Windows offers several APIs to operate and manage certificates. Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Certificates are electronic documents used to claim ownership of a public key. Public keys are used to prove server and client identity, validate code integrity, and used in secure emails. Windows offers users the ability to auto-enroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Windows validates certificates through an automatic update mechanism that downloads certificate trust lists (CTL) daily. Trusted root certificates are used by applications as a reference for trustworthy PKI hierarchies and digital certificates. The list of trusted and untrusted certificates are stored in the CTL and can be updated by administrators.
In the case of certificate revocation, a certificate is added as an untrusted certificate in the CTL causing it to be revoked globally across user devices immediately. + +Windows also offers enterprise certificate pinning to help reduce man-in-the-middle attacks by enabling users to protect their internal domain names from chaining to unwanted certificates. A web application's server authentication certificate chain is checked to ensure it matches a restricted set of certificates. Any web application triggering a name mismatch will start event logging and prevent user access from Edge or Internet Explorer. diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 3a997cd1e9..d1a625e8bd 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -48,7 +48,7 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Microsoft 365 Security", + "titleSuffix": "Windows security", "contributors_to_exclude": [ "rjagiewich", "traya1", diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md new file mode 100644 index 0000000000..359afde71f --- /dev/null +++ b/windows/security/encryption-data-protection.md 
@@ -0,0 +1,54 @@
+---
+title: Encryption and data protection in Windows
+description: Get an overview encryption and data protection in Windows 11 and Windows 10
+search.appverid: MET150
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+audience: ITPro
+ms.topic: conceptual
+ms.date: 09/08/2021
+ms.prod: m365-security
+ms.technology: windows-sec
+ms.localizationpriority: medium
+ms.collection:
+ms.custom:
+ms.reviewer: deepakm, rafals
+f1.keywords: NOCSH
+---
+
+# Encryption and data protection in Windows client
+
+When people travel with their computers and devices, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications.
+Encryption and data protection features include:
+
+- Encrypted Hard Drive
+- BitLocker
+
+## Encrypted Hard Drive
+
+Encrypted Hard Drive uses the rapid encryption provided by BitLocker Drive Encryption to enhance data security and management.
+By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
+
+Encrypted hard drives provide:
+
+- Better performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
+- Strong security based in hardware: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system.
+- Ease of use: Encryption is transparent to the user, and the user does not need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive.
+- Lower cost of ownership: There is no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process.
+
+Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption.
+
+## BitLocker
+
+BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
+
+BitLocker provides encryption for the operating system, fixed data, and removable data drives, using technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM.
+
+Windows consistently improves data protection by improving existing options and providing new strategies.
+
+
+## See also
+
+- [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md)
+- [BitLocker](information-protection/bitlocker/bitlocker-overview.md)
diff --git a/windows/security/hardware.md b/windows/security/hardware.md
new file mode 100644
index 0000000000..435dd886c2
--- /dev/null
+++ b/windows/security/hardware.md
@@ -0,0 +1,27 @@
+---
+title: Windows hardware security
+description: Get an overview of hardware security in Windows 11 and Windows 10
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: dansimp
+ms.collection: M365-security-compliance
+ms.prod: m365-security
+ms.technology: windows-sec
+---
+
+# Windows hardware security
+
+Modern threats require modern security with a strong alignment between hardware security and software security techniques to keep users, data, and devices protected. The operating system alone cannot protect from the wide range of tools and techniques cybercriminals use to compromise a computer deep inside its silicon. Once inside, intruders can be difficult to detect while engaging in multiple nefarious activities from stealing important data to capturing email addresses and other sensitive pieces of information.
+These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors. Microsoft and our partners, including chip and device manufacturers, have worked together to integrate powerful security capabilities across software, firmware, and hardware.

                  + +| Security Measures | Features & Capabilities | +|:---|:---| +| Trusted Platform Module (TPM) | A Trusted Platform Module (TPM) is designed to provide hardware-based security-related functions and help prevent unwanted tampering. TPMs provide security and privacy benefits for system hardware, platform owners, and users.
                  A TPM chip is a secure crypto-processor that helps with actions such as generating, storing, and limiting the use of cryptographic keys. Many TPMs include multiple physical security mechanisms to make it tamper resistant and prevent malicious software from tampering with the security functions of the TPM.

                  Learn more about the [Trusted Platform Module](information-protection/tpm/trusted-platform-module-top-node.md). | +| Hardware-based root of trust with Windows Defender System Guard | To protect critical resources such as Windows authentication, single sign-on tokens, Windows Hello, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
                  Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation.

                  Learn more about [How a hardware-based root of trust helps protect Windows](threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) and [System Guard Secure Launch and SMM protection](threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md). | +| Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity.
                  HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS uses the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.

                  Learn more: [Enable virtualization-based protection of code integrity](threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md). +| Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC.

                  Learn more about [Kernel DMA Protection](information-protection/kernel-dma-protection-for-thunderbolt.md). | +| Secured-core PCs | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that feature deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data.

                  Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.

                  Learn more about [Secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).| diff --git a/windows/security/identity-protection/TOC.yml b/windows/security/identity-protection/TOC.yml deleted file mode 100644 index 5e4680879e..0000000000 --- a/windows/security/identity-protection/TOC.yml +++ /dev/null 
@@ -1,132 +0,0 @@ -- name: Identity and access management - href: index.md - items: - - name: Technical support policy for lost or forgotten passwords - href: password-support-policy.md - - name: Access Control Overview - href: access-control/access-control.md - items: - - name: Dynamic Access Control Overview - href: access-control/dynamic-access-control.md - - name: Security identifiers - href: access-control/security-identifiers.md - - name: Security Principals - href: access-control/security-principals.md - - name: Local Accounts - href: access-control/local-accounts.md - - name: Active Directory Accounts - href: access-control/active-directory-accounts.md - - name: Microsoft Accounts - href: access-control/microsoft-accounts.md - - name: Service Accounts - href: access-control/service-accounts.md - - name: Active Directory Security Groups - href: access-control/active-directory-security-groups.md - - name: Special Identities - href: access-control/special-identities.md - - name: User Account Control - href: user-account-control\user-account-control-overview.md - items: - - name: How User Account Control works - href: user-account-control\how-user-account-control-works.md - - name: User Account Control security policy settings - href: user-account-control\user-account-control-security-policy-settings.md - - name: User Account Control Group Policy and registry key settings - href: user-account-control\user-account-control-group-policy-and-registry-key-settings.md - - name: Windows Hello for Business - href: hello-for-business/index.yml - - name: Protect derived domain credentials with Credential Guard - href: credential-guard/credential-guard.md - items: - - name: How Credential Guard works - href: credential-guard/credential-guard-how-it-works.md - - name: Credential Guard Requirements - href: credential-guard/credential-guard-requirements.md - - name: Manage Credential Guard - href: credential-guard/credential-guard-manage.md - - name: Hardware readiness tool 
- href: credential-guard/dg-readiness-tool.md - - name: Credential Guard protection limits - href: credential-guard/credential-guard-protection-limits.md - - name: Considerations when using Credential Guard - href: credential-guard/credential-guard-considerations.md - - name: "Credential Guard: Additional mitigations" - href: credential-guard/additional-mitigations.md - - name: "Credential Guard: Known issues" - href: credential-guard/credential-guard-known-issues.md - - name: Protect Remote Desktop credentials with Remote Credential Guard - href: remote-credential-guard.md - - name: Smart Cards - href: smart-cards/smart-card-windows-smart-card-technical-reference.md - items: - - name: How Smart Card Sign-in Works in Windows - href: smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md - items: - - name: Smart Card Architecture - href: smart-cards/smart-card-architecture.md - - name: Certificate Requirements and Enumeration - href: smart-cards/smart-card-certificate-requirements-and-enumeration.md - - name: Smart Card and Remote Desktop Services - href: smart-cards/smart-card-and-remote-desktop-services.md - - name: Smart Cards for Windows Service - href: smart-cards/smart-card-smart-cards-for-windows-service.md - - name: Certificate Propagation Service - href: smart-cards/smart-card-certificate-propagation-service.md - - name: Smart Card Removal Policy Service - href: smart-cards/smart-card-removal-policy-service.md - - name: Smart Card Tools and Settings - href: smart-cards/smart-card-tools-and-settings.md - items: - - name: Smart Cards Debugging Information - href: smart-cards/smart-card-debugging-information.md - - name: Smart Card Group Policy and Registry Settings - href: smart-cards/smart-card-group-policy-and-registry-settings.md - - name: Smart Card Events - href: smart-cards/smart-card-events.md - - name: Virtual Smart Cards - href: virtual-smart-cards\virtual-smart-card-overview.md - items: - - name: Understanding and Evaluating Virtual Smart 
Cards - href: virtual-smart-cards\virtual-smart-card-understanding-and-evaluating.md - items: - - name: "Get Started with Virtual Smart Cards: Walkthrough Guide" - href: virtual-smart-cards\virtual-smart-card-get-started.md - - name: Use Virtual Smart Cards - href: virtual-smart-cards\virtual-smart-card-use-virtual-smart-cards.md - - name: Deploy Virtual Smart Cards - href: virtual-smart-cards\virtual-smart-card-deploy-virtual-smart-cards.md - - name: Evaluate Virtual Smart Card Security - href: virtual-smart-cards\virtual-smart-card-evaluate-security.md - - name: Tpmvscmgr - href: virtual-smart-cards\virtual-smart-card-tpmvscmgr.md - - name: Enterprise Certificate Pinning - href: enterprise-certificate-pinning.md - - name: Windows 10 credential theft mitigation guide abstract - href: windows-credential-theft-mitigation-guide-abstract.md - - name: Configure S/MIME for Windows 10 - href: configure-s-mime.md - - name: VPN technical guide - href: vpn\vpn-guide.md - items: - - name: VPN connection types - href: vpn\vpn-connection-type.md - - name: VPN routing decisions - href: vpn\vpn-routing.md - - name: VPN authentication options - href: vpn\vpn-authentication.md - - name: VPN and conditional access - href: vpn\vpn-conditional-access.md - - name: VPN name resolution - href: vpn\vpn-name-resolution.md - - name: VPN auto-triggered profile options - href: vpn\vpn-auto-trigger-profile.md - - name: VPN security features - href: vpn\vpn-security-features.md - - name: VPN profile options - href: vpn\vpn-profile-options.md - - name: How to configure Diffie Hellman protocol over IKEv2 VPN connections - href: vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md - - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections - href: vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md - - name: Optimizing Office 365 traffic with the Windows 10 VPN client - href: vpn\vpn-office-365-optimization.md 
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md index 9b9c40977d..5ac3dcc651 100644 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md @@ -1,5 +1,5 @@ --- -title: Active Directory Security Groups (Windows 10) +title: Active Directory Security Groups description: Active Directory Security Groups ms.prod: w10 ms.mktglfcycl: deploy @@ -12,14 +12,15 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/21/2021 ms.reviewer: --- # Active Directory Security Groups **Applies to** -- Windows Server 2016 +- Windows Server 2016 or later +- Windows 10 or later This reference topic for the IT professional describes the default Active Directory security groups. @@ -1489,7 +1490,7 @@ This security group has not changed since Windows Server 2008.

                  Well-Known SID/RID

                  -

                  S-1-5-<domain>-512

                  +

                  S-1-5-21-<domain>-512

                  Type

                  @@ -1885,7 +1886,7 @@ This security group has not changed since Windows Server 2008.

                  Well-Known SID/RID

                  -

                  S-1-5-21-<domain>-498

                  +

                  S-1-5-21-<root domain>-498

                  Type

                  @@ -2434,6 +2435,9 @@ Members of the Performance Log Users group can manage performance counters, logs > [!WARNING] > If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials. + > [!NOTE] + > In Windows Server 2016 or later, Data Collector Sets cannot be created by a member of the Performance Log Users group. + > If a member of the Performance Log Users group tries to create Data Collector Sets, they cannot complete creation because access will be denied. - Cannot use the Windows Kernel Trace event provider in Data Collector Sets. diff --git a/windows/security/identity-protection/access-control/service-accounts.md b/windows/security/identity-protection/access-control/service-accounts.md index 11290388a1..d9e9c99503 100644 --- a/windows/security/identity-protection/access-control/service-accounts.md +++ b/windows/security/identity-protection/access-control/service-accounts.md @@ -12,7 +12,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 11/19/2021 ms.reviewer: --- @@ -47,7 +47,7 @@ In addition to the enhanced security that is provided by having individual accou - You can create a class of domain accounts that can be used to manage and maintain services on local computers. -- Unlike domain accounts in which administrators must reset manually passwords, the network passwords for these accounts are automatically reset. +- Unlike domain accounts in which administrators must manually reset passwords, the network passwords for these accounts are automatically reset. - You do not have to complete complex SPN management tasks to use managed service accounts. 
@@ -115,4 +115,4 @@ The following table provides links to additional resources that are related to s |---------------|-------------| | **Product evaluation** | [What's New for Managed Service Accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831451(v=ws.11))
                  [Getting Started with Group Managed Service Accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj128431(v=ws.11)) | | **Deployment** | [Windows Server 2012: Group Managed Service Accounts - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs](https://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx) | -| **Related technologies** | [Security Principals](security-principals.md)
                  [What's new in Active Directory Domain Services](/windows-server/identity/whats-new-active-directory-domain-services) | \ No newline at end of file +| **Related technologies** | [Security Principals](security-principals.md)
                  [What's new in Active Directory Domain Services](/windows-server/identity/whats-new-active-directory-domain-services) | diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index f0c84a4b48..f08c30bd24 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -12,7 +12,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 10/12/2021 ms.reviewer: --- @@ -39,7 +39,7 @@ The special identity groups are described in the following tables: - [Anonymous Logon](#anonymous-logon) -- [Authenticated User](#authenticated-users) +- [Authenticated Users](#authenticated-users) - [Batch](#batch) @@ -90,7 +90,7 @@ The special identity groups are described in the following tables: Any user who accesses the system through an anonymous logon has the Anonymous Logon identity. This identity allows anonymous access to resources, such as a web page that is published on corporate servers. The Anonymous Logon group is not a member of the Everyone group by default. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-7 | |Object Class| Foreign Security Principal| 
@@ -102,11 +102,11 @@ Any user who accesses the system through an anonymous logon has the Anonymous Lo Any user who accesses the system through a sign-in process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization. Membership is controlled by the operating system. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-11 | |Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=System,cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
                  [Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege
                  [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| ## Batch @@ -114,7 +114,7 @@ Any user who accesses the system through a sign-in process has the Authenticated Any user or process that accesses the system as a batch job (or through the batch queue) has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files. Membership is controlled by the operating system. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-3 | |Object Class| Foreign Security Principal| @@ -128,7 +128,7 @@ The person who created the file or the directory is a member of this special ide A placeholder security identifier (SID) is created in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object’s current owner. The primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-3-1 | |Object Class| Foreign Security Principal| @@ -140,7 +140,7 @@ A placeholder security identifier (SID) is created in an inheritable access cont The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder SID is created in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the object’s current owner. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-3-0 | |Object Class| Foreign Security Principal| 
@@ -152,29 +152,29 @@ The person who created the file or the directory is a member of this special ide Any user who accesses the system through a dial-up connection has the Dial-Up identity. This identity distinguishes dial-up users from other types of authenticated users. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-1 | |Object Class| Foreign Security Principal| |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| none|  +|Default User Rights| none| ## Digest Authentication -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-64-21 | |Object Class| Foreign Security Principal| |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| none|  +|Default User Rights| none| ## Enterprise Domain Controllers This group includes all domain controllers in an Active Directory forest. Domain controllers with enterprise-wide roles and responsibilities have the Enterprise Domain Controllers identity. This identity allows them to perform certain tasks in the enterprise by using transitive trusts. Membership is controlled by the operating system. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-9 | |Object Class| Foreign Security Principal| @@ -190,7 +190,7 @@ On computers running Windows 2000 and earlier, the Everyone group included the Membership is controlled by the operating system. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-1-0 | |Object Class| Foreign Security Principal| 
@@ -202,7 +202,7 @@ Membership is controlled by the operating system. Any user who is logged on to the local system has the Interactive identity. This identity allows only local users to access a resource. Whenever a user accesses a given resource on the computer to which they are currently logged on, the user is automatically added to the Interactive group. Membership is controlled by the operating system. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-4 | |Object Class| Foreign Security Principal| @@ -214,7 +214,7 @@ Any user who is logged on to the local system has the Interactive identity. This The Local Service account is similar to an Authenticated User account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with anonymous credentials. The name of the account is NT AUTHORITY\\LocalService. This account does not have a password. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-19 | |Object Class| Foreign Security Principal| 
@@ -227,7 +227,7 @@ The Local Service account is similar to an Authenticated User account. The Local This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-18 | |Object Class| Foreign Security Principal| @@ -238,7 +238,7 @@ This is a service account that is used by the operating system. The LocalSystem This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-2 | |Object Class| Foreign Security Principal| 
@@ -250,7 +250,7 @@ This group implicitly includes all users who are logged on through a network con The Network Service account is similar to an Authenticated User account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources by using the credentials of the computer account. The name of the account is NT AUTHORITY\\NetworkService. This account does not have a password. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-20 | |Object Class| Foreign Security Principal| @@ -260,7 +260,7 @@ The Network Service account is similar to an Authenticated User account. The Net ## NTLM Authentication -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-64-10 | |Object Class| Foreign Security Principal| @@ -272,7 +272,7 @@ The Network Service account is similar to an Authenticated User account. The Net This group implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-1000 | |Object Class| Foreign Security Principal| 
@@ -284,7 +284,7 @@ This group implicitly includes all users who are logged on to the system through This identity is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-10 | |Object Class| Foreign Security Principal| @@ -296,7 +296,7 @@ This identity is a placeholder in an ACE on a user, group, or computer object in This identity represents all users who are currently logged on to a computer by using a Remote Desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-14| |Object Class| Foreign Security Principal| @@ -308,7 +308,7 @@ This identity represents all users who are currently logged on to a computer by Users and computers with restricted capabilities have the Restricted identity. This identity group is used by a process that is running in a restricted security context, such as running an application with the RunAs service. When code runs at the Restricted security level, the Restricted SID is added to the user’s access token. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-12 | |Object Class| Foreign Security Principal| @@ -318,7 +318,7 @@ Users and computers with restricted capabilities have the Restricted identity. T ## SChannel Authentication -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-64-14 | |Object Class| Foreign Security Principal| 
@@ -331,7 +331,7 @@ Users and computers with restricted capabilities have the Restricted identity. T Any service that accesses the system has the Service identity. This identity group includes all security principals that are signed in as a service. This identity grants access to processes that are being run by Windows Server services. Membership is controlled by the operating system. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-6 | |Object Class| Foreign Security Principal| @@ -343,7 +343,7 @@ Any service that accesses the system has the Service identity. This identity gro Any user accessing the system through Terminal Services has the Terminal Server User identity. This identity allows users to access Terminal Server applications and to perform other necessary tasks with Terminal Server services. Membership is controlled by the operating system. -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-13 | |Object Class| Foreign Security Principal| @@ -353,7 +353,7 @@ Any user accessing the system through Terminal Services has the Terminal Server ## This Organization -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | S-1-5-15 | |Object Class| Foreign Security Principal| @@ -362,7 +362,7 @@ Any user accessing the system through Terminal Services has the Terminal Server ## Window Manager\\Window Manager Group -| **Attribute** | **Value** | +| Attribute | Value | | :--: | :--: | | Well-Known SID/RID | | |Object Class| | diff --git a/windows/security/identity-protection/change-history-for-access-protection.md b/windows/security/identity-protection/change-history-for-access-protection.md deleted file mode 100644 index 9cd9f0847d..0000000000 --- a/windows/security/identity-protection/change-history-for-access-protection.md +++ /dev/null 
@@ -1,36 +0,0 @@
----
-title: Change history for access protection (Windows 10)
-description: This topic lists new and updated topics in the Windows 10 access protection documentation for Windows 10.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 08/11/2017
-ms.reviewer:
----
-
-# Change history for access protection
-This topic lists new and updated topics in the [Access protection](index.md) documentation.
-
-## August 2017
-|New or changed topic |Description |
-|---------------------|------------|
-|[Microsoft accounts](access-control/microsoft-accounts.md) |Revised to cover new Group Policy setting in Windows 10, version 1703, named **Block all consumer Microsoft account user authentication**.|
-
-## June 2017
-|New or changed topic |Description |
-|---------------------|------------|
-|[How hardware-based containers help protect Windows 10](/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows) | New |
-
-
-## March 2017
-|New or changed topic |Description |
-|---------------------|------------|
-|[Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|
\ No newline at end of file
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
index 9423de2923..2f95950f32 100644
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@@ -1,5 +1,5 @@
 ---
-title: Configure S/MIME for Windows 10
+title: Configure S/MIME for Windows
 description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them.
 ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05
 ms.reviewer:
@@ -19,16 +19,17 @@ ms.date: 07/27/2017 --- -# Configure S/MIME for Windows 10 +# Configure S/MIME for Windows **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 -S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. +S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. ## About message encryption -Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows 10 Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. +Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. Encrypted messages can be read only by recipients who have a certificate. 
If you try to send an encrypted message to recipient(s) whose encryption certificate are not available, the app will prompt you to remove these recipients before sending the email. @@ -48,7 +49,7 @@ A digitally signed message reassures the recipient that the message hasn't been On the device, perform the following steps: (add select certificate) -1. Open the Mail app. (In Windows 10 Mobile, the app is Outlook Mail.) +1. Open the Mail app. 2. Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone. diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md index 8d3185afd9..5e6d9befec 100644 --- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md +++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md @@ -22,6 +22,7 @@ ms.reviewer: - Windows 11 - Windows Server 2016 - Windows Server 2019 +- Windows Server 2022 ```powershell # Script to find out if a machine is Device Guard compliant. @@ -780,7 +781,7 @@ function CheckOSSKU function CheckOSArchitecture { - $OSArch = $(gwmi win32_operatingsystem).OSArchitecture.ToLower() + $OSArch = $(Get-WmiObject win32_operatingsystem).OSArchitecture.ToLower() Log $OSArch if($OSArch -match ("^64\-?\s?bit")) { 
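Review bot: `Get-WmiObject` is not available in PowerShell 6 and later, so expanding the `gwmi` alias in CheckOSArchitecture still ties the readiness script to Windows PowerShell 5.1. The same applies to the two `Get-WMIObject -Class Win32_processor` calls in CheckVirtualization and to the `$isRunningOnVM` assignment in the later hunks. CheckVirtualization already uses `Get-CimInstance` for `Win32_ComputerSystem`, so using it throughout would be consistent and would also remove the mixed `Get-WmiObject`/`Get-WMIObject` casing, for example `$OSArch = $(Get-CimInstance -ClassName Win32_OperatingSystem).OSArchitecture.ToLower()`. Under a newer shell these WMI calls would presumably fail before the script reaches a Device Guard or Credential Guard verdict, so an admin could be left without a readiness result. CheckOSArchitecture's body continues outside the hunk.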
@@ -818,9 +819,9 @@ function CheckSecureBootState function CheckVirtualization { - $_vmmExtension = $(gwmi -Class Win32_processor).VMMonitorModeExtensions - $_vmFirmwareExtension = $(gwmi -Class Win32_processor).VirtualizationFirmwareEnabled - $_vmHyperVPresent = (gcim -Class Win32_ComputerSystem).HypervisorPresent + $_vmmExtension = $(Get-WMIObject -Class Win32_processor).VMMonitorModeExtensions + $_vmFirmwareExtension = $(Get-WMIObject -Class Win32_processor).VirtualizationFirmwareEnabled + $_vmHyperVPresent = (Get-CimInstance -Class Win32_ComputerSystem).HypervisorPresent Log "VMMonitorModeExtensions $_vmmExtension" Log "VirtualizationFirmwareEnabled $_vmFirmwareExtension" Log "HyperVisorPresent $_vmHyperVPresent" @@ -1046,7 +1047,7 @@ if(!$TestForAdmin) exit } -$isRunningOnVM = (get-wmiobject win32_computersystem).model +$isRunningOnVM = (Get-WmiObject win32_computersystem).model if($isRunningOnVM.Contains("Virtual")) { LogAndConsoleWarning "Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization." diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index aa4d0faa2f..8e5fd2f049 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md 
@@ -31,7 +31,7 @@ You may wish to disable the automatic Windows Hello for Business enrollment prom Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business enrollment process. -The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). +The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#azure-ad-cloud-only-deployment). Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 80a1ca91b3..4e7d1f7942 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md 
@@ -50,7 +50,10 @@ Do not begin your deployment until the hosting servers and infrastructure (not r ## Deployment and trust models -Windows Hello for Business has three deployment models: Cloud, hybrid, and on-premises. Hybrid and on-premises deployment models have two trust models: *Key trust* and *certificate trust*. +Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid and on-premises deployment models have two trust models: *Key trust* and *certificate trust*. + +> [!NOTE] +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest. diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 405b6710ad..213b9c9999 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -14,7 +14,7 @@ metadata: ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium - ms.date: 01/14/2021 + ms.date: 10/15/2021 ms.reviewer: title: Windows Hello for Business Frequently Asked Questions (FAQ) 
@@ -25,6 +25,10 @@ summary: | sections: - name: Ignored questions: + - question: What is Windows Hello for Business cloud trust? + answer: | + Windows Hello for Business cloud trust is a new trust model that is planned to be introduced in early 2022. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + - question: What about virtual smart cards? answer: | Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows 10 deployments use Windows Hello for Business. Virtual smart card remain supported for Windows 7 and Windows 8. 
@@ -71,7 +75,7 @@ sections: - question: Can I use an external Windows Hello compatible camera when my laptop is closed or docked? answer: | - Yes. Starting with Windows 10, version 21H2 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera will be be used for face authentication. For more information see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). + Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera will be be used for face authentication. For more information see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). - question: Why does authentication fail immediately after provisioning hybrid key trust? answer: | @@ -208,7 +212,7 @@ sections: - question: Does Windows Hello for Business work with third-party federation servers? answer: | - Windows Hello for Business works with any third-party federation servers that support the protocols used during the provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).

                  + Windows Hello for Business works with any third-party federation servers that support the protocols used during the provisioning experience.

                  | Protocol | Description | | :---: | :--- | @@ -219,4 +223,10 @@ sections: - question: Does Windows Hello for Business work with Mac and Linux clients? answer: | - Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). \ No newline at end of file + Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). + Windows Hello for Business is a feature of the Windows platform. At this time, Microsoft is not developing clients for other platforms. + + - question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients? + answer: | + No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD is not available for it via Azure AD Connect. Hence, Windows Hello for Business does not work with Azure AD. + diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 25b4269de7..29bce3f5dc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
@@ -38,7 +38,7 @@ There are two forms of PIN reset called destructive and non-destructive. Destruc Destructive and non-destructive PIN reset use the same entry points for initiating a PIN reset. If a user has forgotten their PIN, but has an alternate logon method, they can navigate to Sign-in options in Settings and initiate a PIN reset from the PIN options. If they do not have an alternate way to sign into their device, PIN reset can also be initiated from above the lock screen in the PIN credential provider. >[!IMPORTANT] ->For hybrid Azure AD joined devices, users must have corporate network connectivity to domain controllers to reset their PIN. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN. +>For hybrid Azure AD joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN. ### Reset PIN from Settings diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 61eb44f8f8..fba0adf89f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -33,6 +33,7 @@ If you plan to use certificates for on-premises single-sign on, then follow thes > Ensure you have performed the configurations in [Azure AD joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue. Steps you will perform include: + - [Prepare Azure AD Connect](#prepare-azure-ad-connect) - [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account) - [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority) @@ -42,12 +43,14 @@ Steps you will perform include: - [Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile](#create-and-assign-a-simple-certificate-enrollment-protocol-scep-certificate-profile) ## Requirements + You need to install and configure additional infrastructure to provide Azure AD joined devices with on-premises single-sign on. - An existing Windows Server 2012 R2 or later Enterprise Certificate Authority - A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role ### High Availability + The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority. The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers and use Microsoft Intune to load balance then (in round-robin fashion). 
@@ -61,9 +64,11 @@ The Network Device Enrollment Service (NDES) server role can issue up to three u If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers. Alternatively, consider consolidating certificate templates to reduce the number of certificate templates. ### Network Requirements + All communication occurs securely over port 443. ## Prepare Azure AD Connect + Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain. The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name. Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller. Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller. 
@@ -71,100 +76,142 @@ Most environments change the user principal name suffix to match the organizatio To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules needed for these attributes. ### Verify AAD Connect version + Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_. 1. Open **Synchronization Services** from the **Azure AD Connect** folder. + 2. In the **Synchronization Service Manager**, click **Help** and then click **About**. + 3. If the version number is not **1.1.819** or later, then upgrade Azure AD Connect to the latest version. ### Verify the onPremisesDistinguishedName attribute is synchronized + The easiest way to verify the onPremisesDistingushedNamne attribute is synchronized is to use Azure AD Graph Explorer. 1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/ + 2. Click **Login** and provide Azure credentials + 3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go** + 4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user. + ![Azure AD Connect On-Prem DN Attribute.](images/aadjcert/aadconnectonpremdn.png) ## Prepare the Network Device Enrollment Services (NDES) Service Account ### Create the NDES Servers global security group + The deployment uses the **NDES Servers** security group to assign the NDES service the proper user right assignments. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. 
Open **Active Directory Users and Computers**. + 2. Expand the domain node from the navigation pane. + 3. Right-click the **Users** container. Hover over **New** and click **Group**. + 4. Type **NDES Servers** in the **Group Name** text box. + 5. Click **OK**. ### Add the NDES server to the NDES Servers global security group + Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Open **Active Directory Users and Computers**. + 2. Expand the domain node from the navigation pane. -3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group...**. + +3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group**. + 4. Type **NDES Servers** in **Enter the object names to select**. Click **OK**. Click **OK** on the **Active Directory Domain Services** success dialog. > [!NOTE] > For high-availability, you should have more than one NDES server to service Windows Hello for Business certificate requests. You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration. ### Create the NDES Service Account + The Network Device Enrollment Services (NDES) role runs under a service account. Typically, it is preferential to run services using a Group Managed Service Account (GMSA). While the NDES role can be configured to run using a GMSA, the Intune Certificate Connector was not designed nor tested using a GMSA and is considered an unsupported configuration. The deployment uses a normal services account. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. In the navigation pane, expand the node that has your domain name. Select **Users**. + 2. Right-click the **Users** container. Hover over **New** and then select **User**. 
Type **NDESSvc** in **Full Name** and **User logon name**. Click **Next**. + 3. Type a secure password in **Password**. Confirm the secure password in **Confirm Password**. Clear **User must change password at next logon**. Click **Next**. + 4. Click **Finish**. > [!IMPORTANT] > Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk. Normal service account passwords should expire in accordance with the organizations user password expiration policy. Create a reminder to change the service account's password two weeks before it will expire. Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires. ### Create the NDES Service User Rights Group Policy object + The Group Policy object ensures the NDES Service account has the proper user right to assign all the NDES servers in the **NDES Servers** group. As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through the Group Policy. Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. 1. Start the **Group Policy Management Console** (gpmc.msc) + 2. Expand the domain and select the **Group Policy Object** node in the navigation pane. + 3. Right-click **Group Policy object** and select **New**. + 4. Type **NDES Service Rights** in the name box and click **OK**. + 5. In the content pane, right-click the **NDES Service Rights** Group Policy object and click **Edit**. + 6. In the navigation pane, expand **Policies** under **Computer Configuration**. + 7. Expand **Windows Settings > Security Settings > Local Policies**. Select **User Rights Assignments**. + 8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. 
In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice. + 9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice. + 10. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** three times. + 11. Close the **Group Policy Management Editor**. ### Configure security for the NDES Service User Rights Group Policy object + The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Start the **Group Policy Management Console** (gpmc.msc) + 2. Expand the domain and select the **Group Policy Object** node in the navigation pane. + 3. Double-click the **NDES Service User Rights** Group Policy object. + 4. 
In the **Security Filtering** section of the content pane, click **Add**. Type **NDES Servers** or the name of the security group you previously created and click **OK**. + 5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**. + 6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. ### Deploy the NDES Service User Rights Group Policy object + The application of the **NDES Service User Rights** Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all computers. However, the security group filtering ensures only computers included in the **NDES Servers** global security group receive and apply the Group Policy object, which results in providing the **NDESSvc** service account with the proper user rights. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Start the **Group Policy Management Console** (gpmc.msc) + 2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO** + 3. In the **Select GPO** dialog box, select **NDES Service User Rights** or the name of the Group Policy object you previously created and click **OK**. > [!IMPORTANT] > Linking the **NDES Service User Rights** Group Policy object to the domain ensures the Group Policy object is in scope for all computers. However, not all computers will have the policy settings applied to them. Only computers that are members of the **NDES Servers** global security group receive the policy settings. All others computers ignore the Group Policy object. 
## Prepare Active Directory Certificate Authority + You must prepare the public key infrastructure and the issuing certificate authority to support issuing certificates using Microsoft Intune and the Network Devices Enrollment Services (NDES) server role. In this task, you will - Configure the certificate authority to let Intune provide validity periods @@ -173,6 +220,7 @@ You must prepare the public key infrastructure and the issuing certificate autho - Publish certificate templates ### Configure the certificate authority to let Intune provide validity periods + When deploying certificates using Microsoft Intune, you have the option of providing the validity period in the SCEP certificate profile rather than relying on the validity period in the certificate template. If you need to issue the same certificate with different validity periods, it may be advantageous to use the SCEP profile, given the limited number of certificates a single NDES server can issue. > [!NOTE] 
@@ -181,54 +229,77 @@ When deploying certificates using Microsoft Intune, you have the option of provi Sign-in to the issuing certificate authority with access equivalent to _local administrator_. 1. Open an elevated command prompt and type the following command: - ``` + + ```console certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE ``` -2. Restart the **Active Directory Certificate Services** service. + +1. Restart the **Active Directory Certificate Services** service. ### Create an NDES-Intune authentication certificate template + NDES uses a server authentication certificate to authenticate the server endpoint, which encrypts the communication between it and the connecting client. The Intune Certificate Connector uses a client authentication certificate template to authenticate to the certificate registration point. Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and click **Duplicate Template**. + 4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. > [!NOTE] > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. 5. On the **Subject** tab, select **Supply in the request**. + 6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**. + 7. On the **Security** tab, click **Add**. + 8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**. + 9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. 
Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. + 10. Click on the **Apply** to save changes and close the console. ### Create an Azure AD joined Windows Hello for Business authentication certificate template + During Windows Hello for Business provisioning, Windows requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server. Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. 1. Open the **Certificate Authority** management console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. + 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. + 5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. > [!NOTE] > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. 6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. + 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. + 8. 
On the **Subject** tab, select **Supply in the request**. + 9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**. + 10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**. -12. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. -13. Close the console. + +11. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. + +12. Close the console. ### Publish certificate templates + The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. > [!Important] 
@@ -237,73 +308,109 @@ The certificate authority may only issue certificates for certificate templates Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. + 2. Expand the parent node from the navigation pane. + 3. Click **Certificate Templates** in the navigation pane. + 4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. + 5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. + 6. Close the console. ## Install and Configure the NDES Role + This section includes the following topics: -* Install the Network Device Enrollment Service Role -* Configure the NDES service account -* Configure the NDES role and Certificate Templates -* Create a Web Application Proxy for the Internal NDES URL. -* Enroll for an NDES-Intune Authentication Certificate -* Configure the Web Server Certificate for NDES -* Verify the configuration + +- Install the Network Device Enrollment Service Role +- Configure the NDES service account +- Configure the NDES role and Certificate Templates +- Create a Web Application Proxy for the Internal NDES URL. +- Enroll for an NDES-Intune Authentication Certificate +- Configure the Web Server Certificate for NDES +- Verify the configuration ### Install the Network Device Enrollment Services Role + Install the Network Device Enrollment Service role on a computer other than the issuing certificate authority. Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. 1. Open **Server Manager** on the NDES server. + 2. Click **Manage**. Click **Add Roles and Features**. + 3. 
In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**. + ![Server Manager destination server.](images/aadjCert/servermanager-destination-server-ndes.png) + 4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list. + ![Server Manager AD CS Role.](images/aadjCert/servermanager-adcs-role.png) + Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. - ![Server Manager Add Features.](images/aadjcert/serverManager-adcs-add-features.png) + + ![Server Manager Add Features.](images/aadjcert/servermanager-adcs-add-features.png) + 5. On the **Features** page, expand **.NET Framework 3.5 Features**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Expand **.NET Framework 4.5 Features**. Expand **WCF Services**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. + ![Server Manager Feature HTTP Activation.](images/aadjcert/servermanager-adcs-http-activation.png) + 6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**. Click **Add Features** on the **Add Roles and Features Wizard** dialog box. Click **Next**. + ![Server Manager ADCS NDES Role.](images/aadjcert/servermanager-adcs-ndes-role-checked.png) + 7. Click **Next** on the **Web Server Role (IIS)** page. + 8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**. 
- * **Web Server > Security > Request Filtering** - * **Web Server > Application Development > ASP.NET 3.5**. - * **Web Server > Application Development > ASP.NET 4.5**. . - * **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility** - * **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility** + + - **Web Server > Security > Request Filtering** + - **Web Server > Application Development > ASP.NET 3.5**. + - **Web Server > Application Development > ASP.NET 4.5**. . + - **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility** + - **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility** + ![Server Manager Web Server Role.](images/aadjcert/servermanager-adcs-webserver-role.png) + 9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**. + > [!IMPORTANT] > .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \:\\Sources\SxS\ - ![.NET Side by Side.](images/aadjcert/dotNet35sidebyside.png) + + ![.NET Side by Side.](images/aadjcert/dotnet35sidebyside.png) ### Configure the NDES service account + This task adds the NDES service account to the local IIS_USRS group. The task also configures the NDES service account for Kerberos authentication and delegation #### Add the NDES service account to the IIS_USRS group + Sign-in the NDES server with access equivalent to _local administrator_. 1. Start the **Local Users and Groups** management console (`lusrmgr.msc`). + 2. Select **Groups** from the navigation pane. Double-click the IIS_IUSRS group. + 3. In the **IIS_IUSRS Properties** dialog box, click **Add**. Type **NDESSvc** or the name of your NDES service account. 
Click **Check Names** to verify the name and then click **OK**. Click **OK** to close the properties dialog box. + 4. Close the management console. #### Register a Service Principal Name on the NDES Service account + Sign-in the NDES server with access equivalent to _Domain Admins_. 1. Open an elevated command prompt. + 2. Type the following command to register the service principal name - ``` + + ```console setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount] ``` + where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following: - ``` + + ```console setspn -s http/ndes.corp.contoso.com contoso\ndessvc ``` 
@@ -313,28 +420,43 @@ Sign-in the NDES server with access equivalent to _Domain Admins_.
 ![Set SPN command prompt.](images/aadjcert/setspn-commandprompt.png)
 #### Configure the NDES Service account for delegation
+
 The NDES service enrolls certificates on behalf of users. Therefore, you want to limit the actions it can perform on behalf of the user. You do this through delegation.
 Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
 1. Open **Active Directory Users and Computers**
+
 2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab.
+
 ![NDES Delegation Tab.](images/aadjcert/ndessvcdelegationtab.png)
+
 3. Select **Trust this user for delegation to specified services only**.
+
 4. Select **Use any authentication protocol**.
+
 5. Click **Add**.
+
 6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **HOST**. Click **OK**.
+
 ![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png)
+
 7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**.
+
 8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**.
+
 9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates.
+
 ![NDES Service delegation complete.](images/aadjcert/ndessvcdelegation-host-ca-spn.png)
+
 10. Click **OK**. Close **Active Directory Users and Computers**.
 ### Configure the NDES Role and Certificate Templates
+
 This task configures the NDES role and the certificate templates the NDES server issues.
 #### Configure the NDES Role
+
 Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
 > [!NOTE]
@@ -343,25 +465,40 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
 ![Server Manager Post-Install Yellow flag.](images/aadjcert/servermanager-post-ndes-yellowactionflag.png)
 1. Click the **Configure Active Directory Certificate Services on the destination server** link.
+
 2. On the **Credentials** page, click **Next**.
+
 ![NDES Installation Credentials.](images/aadjcert/ndesconfig01.png)
+
 3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next**
+
 ![NDES Role Services.](images/aadjcert/ndesconfig02.png)
+
 4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**.
+
 ![NDES Service Account for NDES.](images/aadjcert/ndesconfig03b.png)
+
 5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**.
+
 ![NDES CA selection.](images/aadjcert/ndesconfig04.png)
+
 6. On the **RA Information**, click **Next**.
+
 7. On the **Cryptography for NDES** page, click **Next**.
+
 8. Review the **Confirmation** page. Click **Configure**.
+
 ![NDES Confirmation.](images/aadjcert/ndesconfig05.png)
-8. Click **Close** after the configuration completes.
+
+9. Click **Close** after the configuration completes.
 #### Configure Certificate Templates on NDES
+
 A single NDES server can request a maximum of three certificate templates. The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile. The Microsoft Intune SCEP certificate profile has three values.
-* Digital Signature
-* Key Encipherment
-* Key Encipherment, Digital Signature
+
+- Digital Signature
+- Key Encipherment
+- Key Encipherment, Digital Signature
 Each value maps to a registry value name in the NDES server. The NDES server translates an incoming SCEP provided value into the corresponding certificate template. The table below shows the SCEP profile values of the NDES certificate template registry value names.
@@ -378,22 +515,30 @@ If the need arises, you can configure a signature certificate in the encryption
 Sign-in to the NDES Server with _local administrator_ equivalent credentials.
 1. Open an elevated command prompt.
+
 2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices.
+
 3. Type the following command:
- ```
+
+ ```console
 reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]
 ```
+
 where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example:
- ```
+
+ ```console
 reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication
 ```
+
 4. Type **Y** when the command asks for permission to overwrite the existing value.
+
 5. Close the command prompt.
 > [!IMPORTANT]
 > Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (`certtmpl.msc`).
 ### Create a Web Application Proxy for the internal NDES URL.
+
 Certificate enrollment for Azure AD joined devices occurs over the Internet. As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy. Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services.
 Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Azure AD Application Proxies.
@@ -403,110 +548,177 @@ Azure AD Application proxies are serviced by lightweight Application Proxy Conne Connector group automatically round-robin, load balance the Azure AD Application proxy requests to the connectors within the assigned connector group. This ensures Windows Hello for Business certificate requests have multiple dedicated Azure AD Application Proxy connectors exclusively available to satisfy enrollment requests. Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner. #### Download and Install the Application Proxy Connector Agent + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. + 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. + 3. Under **MANAGE**, click **Application proxy**. + 4. Click **Download connector service**. Click **Accept terms & Download**. Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain. + ![Azure Application Proxy Connectors.](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png) + 5. Sign-in the computer that will run the connector with access equivalent to a _domain user_. + > [!IMPORTANT] > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers. 6. Start **AADApplicationProxyConnectorInstaller.exe**. + 7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**. 
+ ![Azure Application Proxy Connector: license terms](images/aadjcert/azureappproxyconnectorinstall-01.png) + 8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**. + ![Azure Application Proxy Connector: sign-in](images/aadjcert/azureappproxyconnectorinstall-02.png) + 9. When the installation completes. Read the information regarding outbound proxy servers. Click **Close**. + ![Azure Application Proxy Connector: read](images/aadjcert/azureappproxyconnectorinstall-03.png) + 10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments. #### Create a Connector Group + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. + 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. + 3. Under **MANAGE**, click **Application proxy**. + ![Azure Application Proxy Connector groups.](images/aadjcert/azureconsole-applicationproxy-connectors-default.png) + 4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**. + ![Azure Application New Connector Group.](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png) + 5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests. + 6. Click **Save**. #### Create the Azure Application Proxy + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. + 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. + 3. Under **MANAGE**, click **Application proxy**. + 4. Click **Configure an app**. 
+ 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL. + 6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**. + 7. Under **Internal URL**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net). + ![Azure NDES Application Proxy Configuration.](images/aadjcert/azureconsole-appproxyconfig.png) + 8. Select **Passthrough** from the **Pre Authentication** list. + 9. Select **NDES WHFB Connectors** from the **Connector Group** list. + 10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**. + 11. Click **Add**. + 12. Sign-out of the Azure Portal. > [!IMPORTANT] > Write down the internal and external URLs. You will need this information when you enroll the NDES-Intune Authentication certificate. ### Enroll the NDES-Intune Authentication certificate + This task enrolls a client and server authentication certificate used by the Intune connector and the NDES server. 
Sign-in the NDES server with access equivalent to _local administrators_. 1. Start the Local Computer **Certificate Manager** (certlm.msc). + 2. Expand the **Personal** node in the navigation pane. + 3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. + 4. Click **Next** on the **Before You Begin** page. + 5. Click **Next** on the **Select Certificate Enrollment Policy** page. + 6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box. + 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png) + 8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**. + 9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished. -9. Click **Enroll** -10. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices. + +10. Click **Enroll** + +11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices. ### Configure the Web Server Role + This task configures the Web Server role on the NDES server to use the server authentication certificate. Sign-in the NDES server with access equivalent to _local administrator_. 1. 
Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. + 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. + ![NDES IIS Console](images/aadjcert/ndes-iis-console.png) -3. Click **Bindings...*** under **Actions**. Click **Add**. + +3. Click **Bindings...** under **Actions**. Click **Add**. + ![NDES IIS Console: Add](images/aadjcert/ndes-iis-bindings.png) + 4. Select **https** from **Type**. Confirm the value for **Port** is **443**. + 5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**. + ![NDES IIS Console: Certificate List](images/aadjcert/ndes-iis-bindings-add-443.png) + 6. Select **http** from the **Site Bindings** list. Click **Remove**. + 7. Click **Close** on the **Site Bindings** dialog box. + 8. Close **Internet Information Services (IIS) Manager**. ### Verify the configuration + This task confirms the TLS configuration for the NDES server. Sign-in the NDES server with access equivalent to _local administrator_. #### Disable Internet Explorer Enhanced Security Configuration + 1. Open **Server Manager**. Click **Local Server** from the navigation pane. + 2. Click **On** next to **IE Enhanced Security Configuration** in the **Properties** section. + 3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**. Click **OK**. + 4. Close **Server Manager**. #### Test the NDES web server + 1. Open **Internet Explorer**. + 2. In the navigation bar, type - ``` + + ```https https://[fqdnHostName]/certsrv/mscep/mscep.dll ``` + where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. 
You can also review the application event log for events with the **NetworkDeviceEnrollmentService** source. 
@@ -514,80 +726,118 @@ A web page similar to the following should appear in your web browser. If you d ![NDES IIS Console: Source](images/aadjcert/ndes-https-website-test-01.png) Confirm the web site uses the server authentication certificate. + ![NDES IIS Console: Confirm](images/aadjcert/ndes-https-website-test-01-show-cert.png) - ## Configure Network Device Enrollment Services to work with Microsoft Intune + You have successfully configured the Network Device Enrollment Services. You must now modify the configuration to work with the Intune Certificate Connector. In this task, you will enable the NDES server and http.sys to handle long URLs. - Configure NDES to support long URLs ### Configure NDES and HTTP to support long URLs + Sign-in the NDES server with access equivalent to _local administrator_. #### Configure the Default Web Site + 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. + 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. + 3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane. + ![Intune NDES Request filtering.](images/aadjcert/NDES-IIS-RequestFiltering.png) + 4. Select **Allow unlisted file name extensions**. + 5. Select **Allow unlisted verbs**. + 6. Select **Allow high-bit characters**. + 7. Type **30000000** in **Maximum allowed content length (Bytes)**. + 8. Type **65534** in **Maximum URL length (Bytes)**. + 9. Type **65534** in **Maximum query string (Bytes)**. + 10. Click **OK**. Close **Internet Information Services (IIS) Manager**. #### Configure Parameters for HTTP.SYS + 1. Open an elevated command prompt. + 2. Run the following commands: - ``` + + ```console reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534 reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534 ``` + 3. 
Restart the NDES server. ## Download, Install and Configure the Intune Certificate Connector + The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune. ### Download Intune Certificate Connector + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). + 2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**. + 3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section. + ![Intune Certificate Authority.](images/aadjcert/profile01.png) + 4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server. + 5. Sign-out of the Microsoft Endpoint Manager admin center. ### Install the Intune Certificate Connector + Sign-in the NDES server with access equivalent to _domain administrator_. 1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server. + 2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server. + 3. On the **Microsoft Intune** page, click **Next**. + ![Intune Connector Install 01.](images/aadjcert/intunecertconnectorinstall-01.png) + 4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation. + 5. On the **Destination Folder** page, click **Next**. + 6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**. + ![Intune Connector Install 03.](images/aadjcert/intunecertconnectorinstall-03.png) + 7. 
On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**. + ![Intune Connector Install 05.](images/aadjcert/intunecertconnectorinstall-05.png) > [!NOTE] > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page. 8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**. + 9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**. + ![Intune Connector Install 06.](images/aadjcert/intunecertconnectorinstall-06.png) > [!NOTE] > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder. 10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. + ![Intune Connector install 07.](images/aadjcert/intunecertconnectorinstall-07.png) ### Configure the Intune Certificate Connector + Sign-in the NDES server with access equivalent to _domain administrator_. 1. The **NDES Connector** user interface should be open from the last task. 
@@ -596,9 +846,11 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
 > If the **NDES Connector** user interface is not open, you can start it from **\\NDESConnectorUI\NDESConnectorUI.exe**.
 2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply**
+
 ![Intune Certificate Connector Configuration 01.](images/aadjcert/intunecertconnectorconfig-01.png)
 3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role.
+
 ![Intune Certificate Connector Configuration 02.](images/aadjcert/intunecertconnectorconfig-02.png)
 > [!IMPORTANT]
@@ -608,78 +860,119 @@ Sign-in the NDES server with access equivalent to _domain administrator_. ### Configure the NDES Connector for certificate revocation (**Optional**) + Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users is removed, deleted, or the profile is deleted). #### Enabling the NDES Service account for revocation + Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. 1. Start the **Certification Authority** management console. + 2. In the navigation pane, right-click the name of the certificate authority and select **Properties**. + 3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. + ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) + 4. Close the **Certification Authority** #### Enable the NDES Connector for certificate revocation + Sign-in the NDES server with access equivalent to _domain administrator_. 1. Open the **NDES Connector** user interface (**\\NDESConnectorUI\NDESConnectorUI.exe**). + 2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**. + ![Intune Connector cert revocation configuration 04.](images/aadjcert/intunecertconnectorconfig-04.png) + 3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**. 
### Test the NDES Connector + Sign-in the NDES server with access equivalent to _domain admin_. 1. Open a command prompt. + 2. Type the following command to confirm the NDES Connector's last connection time is current. - ``` + + ```console reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus ``` + 3. Close the command prompt. + 4. Open **Internet Explorer**. + 5. In the navigation bar, type: - ``` + + ```console https://[fqdnHostName]/certsrv/mscep/mscep.dll ``` + where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. + ![NDES web site test after Intune Certificate Connector.](images/aadjcert/ndes-https-website-test-after-intune-connector.png) + 6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**. ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile ### Create an AADJ WHFB Certificate Users Group + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. + 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. + 3. Click **Groups**. Click **New group**. + 4. Select **Security** from the **Group type** list. + 5. Under **Group Name**, type the name of the group. For example, **AADJ WHFB Certificate Users**. + 6. Provide a **Group description**, if applicable. + 7. Select **Assigned** from the **Membership type** list. 
+ ![Azure AD new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png) + 8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**. + 9. Click **Create**. ### Create a SCEP Certificate Profile + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). + 2. Select **Devices**, and then click **Configuration Profiles**. + 3. Select **Create Profile**. + ![Intune Device Configuration Create Profile.](images/aadjcert/profile02.png) + 4. Select **Windows 10 and later** from the **Platform** list. + 5. Choose **SCEP certificate** from the **Profile** list, and select **Create**. + 6. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**. + 7. Next to **Description**, provide a description meaningful for your environment, then select **Next**. + 8. Select **User** as a certificate type. + 9. Configure **Certificate validity period** to match your organization. > [!IMPORTANT] > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity. 10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list. + 11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate. > [!NOTE] 
@@ -687,36 +980,56 @@ Sign-in a workstation with access equivalent to a _domain user_. > If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement). 12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}. + 13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. + 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile. + 15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. + 16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. + ![WHFB SCEP certificate Profile EKUs.](images/aadjcert/profile03.png) + 17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. 
Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile. + 18. Click **Next**. + 19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**. ### Assign Group to the WHFB Certificate Enrollment Certificate Profile + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). + 2. Select **Devices**, and then click **Configuration Profiles**. + 3. Click **WHFB Certificate Enrollment**. + 4. Select **Properties**, and then click **Edit** next to the **Assignments** section. + 5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list. Click **Select groups to include**. + ![WHFB SCEP Profile Assignment.](images/aadjcert/profile04.png) + 6. Select the **AADJ WHFB Certificate Users** group. Click **Select**. + 7. Click **Review + Save**, and then **Save**. You have successfully completed the configuration. Add users that need to enroll a Windows Hello for Business authentication certificate to the **AADJ WHFB Certificate Users** group. This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources. +> [!NOTE] +> The Passport for Work configuration service provider (CSP) which is used to manage Windows Hello for Business with Mobile Device Management (MDM) contains a policy called UseCertificateForOnPremAuth. This policy is not needed when deploying certificates to Windows Hello for Business users through the instructions outlined in this document and should not be configured. Devices managed with MDM where UseCertificateForOnPremAuth is enabled will fail a prerequisite check for Windows Hello for Business provisioning. 
This failure will block users from setting up Windows Hello for Business if they don't already have it configured. + ## Section Review + > [!div class="checklist"] -> * Requirements -> * Prepare Azure AD Connect -> * Prepare the Network Device Enrollment Services (NDES) Service Account -> * Prepare Active Directory Certificate Authority -> * Install and Configure the NDES Role -> * Configure Network Device Enrollment Services to work with Microsoft Intune -> * Download, Install, and Configure the Intune Certificate Connector -> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile) +> - Requirements +> - Prepare Azure AD Connect +> - Prepare the Network Device Enrollment Services (NDES) Service Account +> - Prepare Active Directory Certificate Authority +> - Install and Configure the NDES Role +> - Configure Network Device Enrollment Services to work with Microsoft Intune +> - Download, Install, and Configure the Intune Certificate Connector +> - Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index b4a6ed10da..b849c9ce8a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md @@ -45,7 +45,7 @@ For the most efficient deployment, configure these technologies in order beginni
                  ## Follow the Windows Hello for Business hybrid key trust deployment guide -1. [Overview](hello-hybrid-cert-trust.md) +1. [Overview](hello-hybrid-key-trust.md) 2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 3660d85201..92c2b72d61 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -22,7 +22,7 @@ ms.date: 1/22/2021 This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business. -## Cloud Only Deployment +## Azure AD Cloud Only Deployment * Windows 10, version 1511 or later, or Windows 11 * Microsoft Azure Account @@ -35,37 +35,42 @@ This article lists the infrastructure requirements for the different deployment The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. -| Key trust
                  Group Policy managed | Certificate trust
                  Mixed managed | Key trust
                  Modern managed | Certificate trust
                  Modern managed | +> [!NOTE] +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + +| Key trust
                  Group Policy managed | Certificate trust
                  Mixed managed | Key trust
                  Modern managed | Certificate trust
                  Modern managed | | --- | --- | --- | --- | -| Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**
                  *Minimum:* Windows 10, version 1703
                  *Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).
                  **Azure AD Joined:**
                  Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later | +| Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**
                  *Minimum:* Windows 10, version 1703
                  *Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).
                  **Azure AD Joined:**
                  Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later | | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level| Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level | | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | -| N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),
                  and
                  Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service | -| Azure MFA tenant, or
                  AD FS w/Azure MFA adapter, or
                  AD FS w/Azure MFA Server adapter, or
                  AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
                  AD FS w/Azure MFA adapter, or
                  AD FS w/Azure MFA Server adapter, or
                  AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
                  AD FS w/Azure MFA adapter, or
                  AD FS w/Azure MFA Server adapter, or
                  AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
                  AD FS w/Azure MFA adapter, or
                  AD FS w/Azure MFA Server adapter, or
                  AD FS w/3rd Party MFA Adapter | +| N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),
                  and
                  Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service | +| Azure MFA tenant, or
                  AD FS w/Azure MFA adapter, or
                  AD FS w/Azure MFA Server adapter, or
                  AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
                  AD FS w/Azure MFA adapter, or
                  AD FS w/Azure MFA Server adapter, or
                  AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
                  AD FS w/Azure MFA adapter, or
                  AD FS w/Azure MFA Server adapter, or
                  AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
                  AD FS w/Azure MFA adapter, or
                  AD FS w/Azure MFA Server adapter, or
                  AD FS w/3rd Party MFA Adapter | | Azure Account | Azure Account | Azure Account | Azure Account | | Azure Active Directory | Azure Active Directory | Azure Active Directory | Azure Active Directory | | Azure AD Connect | Azure AD Connect | Azure AD Connect | Azure AD Connect | | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional for automatic MDM enrollment | Azure AD Premium, optional for automatic MDM enrollment | > [!Important] -> 1. Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
                  -> **Requirements:**
                  -> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
                  -> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> - Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models. > -> 2. On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
                  -> **Requirements:**
                  -> Reset from settings - Windows 10, version 1703, Professional
                  -> Reset above lock screen - Windows 10, version 1709, Professional
                  -> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> **Requirements:** +> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 +> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> +> - On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models. +> +> **Requirements:** +> - Reset from settings - Windows 10, version 1703, Professional +> - Reset above lock screen - Windows 10, version 1709, Professional +> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 ## On-premises Deployments The table shows the minimum requirements for each deployment. -| Key trust
                  Group Policy managed | Certificate trust
                  Group Policy managed| +| Key trust
                  Group Policy managed | Certificate trust
                  Group Policy managed| | --- | --- | | Windows 10, version 1703 or later | Windows 10, version 1703 or later | | Windows Server 2016 Schema | Windows Server 2016 Schema| diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index cd38c11105..33d820a1a7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -70,7 +70,7 @@ In Windows 10, Windows Hello replaces passwords. When the identity provider sup >[!NOTE] >Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password. -![How authentication works in Windows Hello.](images/authflow.png) +:::image type="content" alt-text="How authentication works in Windows Hello." source="images/authflow.png" lightbox="images/authflow.png"::: Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. 
@@ -81,12 +81,19 @@ Windows Hello helps protect user identities and user credentials. Because the us ## How Windows Hello for Business works: key points - Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device. + - Identity provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps the Windows Hello public key to a user account during the registration step. + - Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. + - Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). The Windows Hello gesture does not roam between devices and is not shared with the server. Biometrics templates are stored locally on a device. The PIN is never stored or shared. + - The private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process. + - PIN entry and biometric gesture both trigger Windows 10 to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user. + - Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. + - Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture. For details, see [How Windows Hello for Business works](hello-how-it-works.md). 
@@ -97,6 +104,9 @@ Windows Hello for Business can use either keys (hardware or software) or certifi Windows Hello for Business with a key does not support supplied credentials for RDP. RDP does not support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). +> [!NOTE] +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + ## Learn more [Implementing strong user authentication with Windows Hello for Business](https://www.microsoft.com/en-us/itshowcase/implementing-strong-user-authentication-with-windows-hello-for-business) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 617be85699..8aada054b6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -74,20 +74,22 @@ The hybrid deployment model is for organizations that: - Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources > [!Important] -> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
                  -> **Requirements:**
                  -> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
                  -> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models. +> +> **Requirements:** +> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 +> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 ##### On-premises The on-premises deployment model is for organizations that do not have cloud identities or use applications hosted in Azure Active Directory. > [!Important] -> On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
                  -> **Requirements:**
                  -> Reset from settings - Windows 10, version 1703, Professional
                  -> Reset above lock screen - Windows 10, version 1709, Professional
                  -> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models. +> +> **Requirements:** +> - Reset from settings - Windows 10, version 1703, Professional +> - Reset above lock screen - Windows 10, version 1709, Professional +> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 It's fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure. 
@@ -95,6 +97,9 @@ It's fundamentally important to understand which deployment model to use for a s A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. +> [!NOTE] +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](./hello-hybrid-cert-trust-prereqs.md#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. 
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AADConnectOnPremDN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AADConnectOnPremDN.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-01.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-01.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-01.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-02.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-02.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-02.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-03.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-03.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-03.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Default.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-default.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Default.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-default.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Empty.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-empty.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Empty.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-empty.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-NewConnectorGroup.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-newconnectorgroup.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-NewConnectorGroup.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-newconnectorgroup.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-AppProxyConfig.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-appproxyconfig.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-AppProxyConfig.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-appproxyconfig.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/dotNet35sideByside.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/dotnet35sidebyside.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/dotNet35sideByside.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/dotnet35sidebyside.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig01.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig01.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig01.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig02.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig02.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig02.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig03b.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig03b.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig03b.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig03b.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig04.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig04.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig04.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig05.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig05.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig05.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig05.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-CA-SPN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ca-spn.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-CA-SPN.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ca-spn.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-NDES-SPN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ndes-spn.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-NDES-SPN.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ndes-spn.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegationTab.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegationtab.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegationTab.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegationtab.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-add-Features.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-add-features.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-add-Features.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-add-features.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-HTTP-Activation.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-http-activation.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-HTTP-Activation.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-http-activation.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-NDES-Role-Checked.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-ndes-role-checked.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-NDES-Role-Checked.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-ndes-role-checked.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-Role.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-role.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-Role.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-role.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-WebServer-Role.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-webserver-role.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-WebServer-Role.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-webserver-role.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Destination-Server-NDES.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-destination-server-ndes.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Destination-Server-NDES.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-destination-server-ndes.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Post-NDES-YellowActionFlag.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-post-ndes-yellowactionflag.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Post-NDES-YellowActionFlag.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-post-ndes-yellowactionflag.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/setSPN-CommandPrompt.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/setspn-commandprompt.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/setSPN-CommandPrompt.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/setspn-commandprompt.png diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index d5c9651f0f..70b89b04ee 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md @@ -1,5 +1,5 @@ --- -title: Smart Card and Remote Desktop Services (Windows 10) +title: Smart Card and Remote Desktop Services (Windows) description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. ms.prod: w10 ms.mktglfcycl: deploy 
@@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card and Remote Desktop Services -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 63cbad9b26..604f470a49 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -1,5 +1,5 @@ --- -title: Smart Card Architecture (Windows 10) +title: Smart Card Architecture (Windows) description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Architecture -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system, including credential provider architecture and the smart card subsystem architecture. diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md index dbcf86ee67..32f79fdf8f 100644 
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md @@ -1,5 +1,5 @@ --- -title: Certificate Propagation Service (Windows 10) +title: Certificate Propagation Service (Windows) description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 08/24/2021 ms.reviewer: --- # Certificate Propagation Service -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation. diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index a220e7e658..7e32d7679f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -1,5 +1,5 @@ --- -title: Certificate Requirements and Enumeration (Windows 10) +title: Certificate Requirements and Enumeration (Windows) description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. ms.prod: w10 ms.mktglfcycl: deploy 
@@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Certificate Requirements and Enumeration -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. @@ -185,7 +185,7 @@ Certificate requirements are listed by versions of the Windows operating system. The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider. -| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows 10** | **Requirements for Windows XP** | +| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows 10, and Windows 11** | **Requirements for Windows XP** | |--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | CRL distribution point location | Not required | The location must be specified, online, and available, for example:
                  \[1\]CRL Distribution Point
                  Distribution Point Name:
                  Full Name:
                  URL= | | Key usage | Digital signature | Digital signature | diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index a084d3c132..b65f0ce66c 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md @@ -1,5 +1,5 @@ --- -title: Smart Card Troubleshooting (Windows 10) +title: Smart Card Troubleshooting (Windows) description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Troubleshooting -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This article explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md index bb93b39cce..b8f7de6f81 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-events.md +++ b/windows/security/identity-protection/smart-cards/smart-card-events.md @@ -1,5 +1,5 @@ --- -title: Smart Card Events (Windows 10) +title: Smart Card Events (Windows) description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development. ms.prod: w10 ms.mktglfcycl: deploy 
@@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Events -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development. diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index 50d2b45bb2..17d490b6d0 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md @@ -1,5 +1,5 @@ --- -title: Smart Card Group Policy and Registry Settings (Windows 10) +title: Smart Card Group Policy and Registry Settings (Windows) description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 11/02/2021 ms.reviewer: --- # Smart Card Group Policy and Registry Settings -Applies to: Windows 10, Windows Server 2016 +Applies to: Windows 10, Windows 11, Windows Server 2016 and above This article for IT professionals and smart card developers describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards. 
@@ -389,7 +389,7 @@ The registry keys for the smart card KSP are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ | **AllowPrivateSignatureKeyImport** | A non-zero value allows RSA signature private keys to be imported for use in key archival scenarios.
                  Default value: 00000000 | | **DefaultPrivateKeyLenBits** | Defines the default length for private keys, if desired.
                  Default value: 00000400
                  Default key generation parameter: 1024-bit keys | | **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that don't support on-card key generation or where key escrow is required.
                  Default value: 00000000 | -| **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail.
                  Default value: 000005dc1500
                  The default timeout for holding transactions to the smart card is 1.5 seconds. | +| **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail.
                  Default value: 000005dc
                  The default timeout for holding transactions to the smart card is 1.5 seconds. | **Additional registry keys for the smart card KSP** diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md index 9939c9ec73..05d1dbf771 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md +++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md @@ -1,5 +1,5 @@ --- -title: How Smart Card Sign-in Works in Windows (Windows 10) +title: How Smart Card Sign-in Works in Windows description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # How Smart Card Sign-in Works in Windows -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. It includes the following resources about the architecture, certificate management, and services that are related to smart card use: diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md index 3f72307e25..c52deb3971 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md 
@@ -1,5 +1,5 @@ --- -title: Smart Card Removal Policy Service (Windows 10) +title: Smart Card Removal Policy Service (Windows) description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,17 +12,17 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Removal Policy Service -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. -The smart card removal policy service is applicable when a user has signed in with a smart card and subsequently removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). +The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). **Smart card removal policy service** diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md index e4548fc317..ba3e2a4c05 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md 
@@ -1,5 +1,5 @@ --- -title: Smart Cards for Windows Service (Windows 10) +title: Smart Cards for Windows Service (Windows) description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Cards for Windows Service -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service (formerly called Smart Card Resource Manager) manages readers and application interactions. 
@@ -26,7 +26,7 @@ The Smart Cards for Windows service provides the basic infrastructure for all ot The Smart Cards for Windows service runs in the context of a local service, and it is implemented as a shared service of the services host (svchost) process. The Smart Cards for Windows service, Scardsvr, has the following service description: -``` +```PowerShell Never notify< Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you do not need to replace the majority of apps when UAC is turned on. -Windows 10 includes file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app. +Windows 10 and Windows 11 include file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app. Most app tasks operate properly by using virtualization features. Although virtualization allows a majority of applications to run, it is a short-term fix and not a long-term solution. 
App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization. @@ -301,7 +303,7 @@ All UAC-compliant apps should have a requested execution level added to the appl ### Installer detection technology -Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 also heuristically detects updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry. +Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 and Windows 11 heuristically detect installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 and Windows 11 also heuristically detect updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry. Installer detection only applies to: 
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md index 6f65b3199e..8f6746eee7 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md @@ -1,5 +1,5 @@ --- -title: User Account Control Group Policy and registry key settings (Windows 10) +title: User Account Control Group Policy and registry key settings (Windows) description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. ms.prod: w10 ms.mktglfcycl: deploy @@ -21,7 +21,8 @@ ms.reviewer: **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above ## Group Policy settings There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings). 
@@ -149,7 +150,7 @@ The options are: - **Enabled.** (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the **Administrators** group to run in Admin Approval Mode. - **Disabled.** Admin Approval Mode and all related UAC policy settings are disabled. -**Note** If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. +**Note** If this policy setting is disabled, the Windows Security app notifies you that the overall security of the operating system has been reduced. ### User Account Control: Switch to the secure desktop when prompting for elevation diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md index a95145abaa..2e221d273c 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md @@ -1,5 +1,5 @@ --- -title: User Account Control (Windows 10) +title: User Account Control (Windows) description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38 ms.reviewer: 
@@ -14,14 +14,15 @@ ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management ms.topic: article -ms.date: 07/27/2017 +ms.date: 09/24/2011 --- # User Account Control **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. @@ -29,7 +30,7 @@ UAC allows all users to log on to their computers using a standard user account. Other apps, especially those that were not specifically designed with security settings in mind, often require additional permissions to run successfully. These types of apps are referred to as legacy apps. Additionally, actions such as installing new software and making configuration changes to the Windows Firewall, require more permissions than what is available to a standard user account. -When an app needs to run with more than standard user rights, UAC can restore additional user groups to the token. This enables the user to have explicit control of apps that are making system level changes to their computer or device. +When an app needs to run with more than standard user rights, UAC allows users to run apps with their administrator token (with administrative groups and privileges) instead of their default, standard user access token. Users continue to operate in the standard user security context, while enabling certain apps to run with elevated privileges, if needed. ## Practical applications 
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md index 793fe303aa..f811afcaa3 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md @@ -1,5 +1,5 @@ --- -title: User Account Control security policy settings (Windows 10) +title: User Account Control security policy settings (Windows) description: You can use security policies to configure how User Account Control works in your organization. ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98 ms.reviewer: @@ -14,13 +14,16 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 --- # User Account Control security policy settings **Applies to** - Windows 10 +- Windows 11 +- Windows Server 2016 and above + You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. 
@@ -88,7 +91,7 @@ This policy setting controls whether applications that request to run with a Use This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. - **Enabled** (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. -- **Disabled** Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. +- **Disabled** Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Windows Security app notifies you that the overall security of the operating system has been reduced. ## User Account Control: Switch to the secure desktop when prompting for elevation diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index bbb6ddc586..907bcfc24c 100644 --- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md 
@@ -1,5 +1,5 @@ --- -title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10) +title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10 and Windows 11) description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections. ms.prod: w10 ms.mktglfcycl: deploy @@ -8,16 +8,17 @@ ms.pagetype: security, networking author: dansimp ms.author: dansimp ms.localizationpriority: medium -ms.date: 02/08/2018 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp --- # How to configure Diffie Hellman protocol over IKEv2 VPN connections ->Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows 10 +>Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows 10, Windows 11 + +In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges. -In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges. To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets. ## VPN server @@ -28,7 +29,7 @@ For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-V Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy ``` -On an earlier versions of Windows Server, run [Set-VpnServerIPsecConfiguration](/previous-versions/windows/powershell-scripting/hh918373(v=wps.620)). Since `Set-VpnServerIPsecConfiguration` doesn’t have `-TunnelType`, the configuration applies to all tunnel types on the server. +On an earlier version of Windows Server, run [Set-VpnServerIPsecConfiguration](/previous-versions/windows/powershell-scripting/hh918373(v=wps.620)). Since `Set-VpnServerIPsecConfiguration` doesn’t have `-TunnelType`, the configuration applies to all tunnel types on the server. ```powershell Set-VpnServerIPsecConfiguration -CustomPolicy 
diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index 21c295bad1..510a5a9e76 100644 --- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -1,12 +1,12 @@ --- -title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10) +title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10 and Windows 11) description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: dansimp -ms.date: 04/19/2017 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp ms.author: dansimp diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md index 2c0a581e8d..77824138a9 100644 --- a/windows/security/identity-protection/vpn/vpn-authentication.md +++ b/windows/security/identity-protection/vpn/vpn-authentication.md @@ -1,5 +1,5 @@ --- -title: VPN authentication options (Windows 10) +title: VPN authentication options (Windows 10 and Windows 11) description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods. ms.prod: w10 ms.mktglfcycl: deploy @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: dansimp ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp ms.author: dansimp 
@@ -17,7 +17,7 @@ ms.author: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic). @@ -27,7 +27,7 @@ Windows supports a number of EAP authentication methods. MethodDetails EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)
                  • User name and password authentication
                  • Winlogon credentials - can specify authentication with computer sign-in credentials
                  -EAP-Transport Layer Security (EAP-TLS)
                  • Supports the following types of certificate authentication
                    • Certificate with keys in the software Key Storage Provider (KSP)
                    • Certificate with keys in Trusted Platform Module (TPM) KSP
                    • Smart card certficates
                    • Windows Hello for Business certificate
                  • Certificate filtering
                    • Certificate filtering can be enabled to search for a particular certificate to use to authenticate with
                    • Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based
                  • Server validation - with TLS, server validation can be toggled on or off
                    • Server name - specify the server to validate
                    • Server certificate - trusted root certificate to validate the server
                    • Notification - specify if the user should get a notification asking whether to trust the server or not
                  +EAP-Transport Layer Security (EAP-TLS)
                  • Supports the following types of certificate authentication
                    • Certificate with keys in the software Key Storage Provider (KSP)
                    • Certificate with keys in Trusted Platform Module (TPM) KSP
                    • Smart card certificates
                    • Windows Hello for Business certificate
                  • Certificate filtering
                    • Certificate filtering can be enabled to search for a particular certificate to use to authenticate with
                    • Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based
                  • Server validation - with TLS, server validation can be toggled on or off
                    • Server name - specify the server to validate
                    • Server certificate - trusted root certificate to validate the server
                    • Notification - specify if the user should get a notification asking whether to trust the server or not
                  Protected Extensible Authentication Protocol (PEAP)
                  • Server validation - with PEAP, server validation can be toggled on or off
                    • Server name - specify the server to validate
                    • Server certificate - trusted root certificate to validate the server
                    • Notification - specify if the user should get a notification asking whether to trust the server or not
                  • Inner method - the outer method creates a secure tunnel inside while the inner method is used to complete the authentication
                    • EAP-MSCHAPv2
                    • EAP-TLS
                  • Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.
                  • Cryptobinding: By deriving and exchanging values from the PEAP phase 1 key material (Tunnel Key) and from the PEAP phase 2 inner EAP method key material (Inner Session Key), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.
                  Tunneled Transport Layer Security (TTLS)
                  • Inner method
                    • Non-EAP
                      • Password Authentication Protocol (PAP)
                      • CHAP
                      • MSCHAP
                      • MSCHAPv2
                    • EAP
                      • MSCHAPv2
                      • TLS
                  • Server validation: in TTLS, the server must be validated. The following can be configured:
                    • Server name
                    • Trusted root certificate for server certificate
                    • Whether there should be a server validation notification
                  @@ -62,4 +62,4 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil - [VPN name resolution](vpn-name-resolution.md) - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) - [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) \ No newline at end of file +- [VPN profile options](vpn-profile-options.md) diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 44b05da541..128afcfee9 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md @@ -1,13 +1,13 @@ --- -title: VPN auto-triggered profile options (Windows 10) -description: Learn about the types of auto-trigger rules for VPNs in Windows 10, which start a VPN when it is needed to access a resource. +title: VPN auto-triggered profile options (Windows 10 and Windows 11) +description: Learn about the types of auto-trigger rules for VPNs in Windows, which start a VPN when it is needed to access a resource. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking author: dansimp ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -17,9 +17,9 @@ ms.author: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 -In Windows 10, a number of features were added to auto-trigger VPN so users won’t have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules: +In Windows 10 and Windows 11, a number of features have been added to auto-trigger VPN so users won’t have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules: - App trigger - Name-based trigger 
@@ -31,7 +31,7 @@ In Windows 10, a number of features were added to auto-trigger VPN so users won ## App trigger -VPN profiles in Windows 10 can be configured to connect automatically on the launch of a specified set of applications. You can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connection. You can also configure per-app VPN and specify traffic rules for each app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details. +VPN profiles in Windows 10 or Windows 11 can be configured to connect automatically on the launch of a specified set of applications. You can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connection. You can also configure per-app VPN and specify traffic rules for each app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details. The app identifier for a desktop app is a file path. The app identifier for a UWP app is a package family name. @@ -54,7 +54,7 @@ There are four types of name-based triggers: ## Always On -Always On is a feature in Windows 10 which enables the active VPN profile to connect automatically on the following triggers: +Always On is a feature in Windows 10 and Windows 11 which enables the active VPN profile to connect automatically on the following triggers: - User sign-in - Network change diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index 66baa88e46..068d41d1a5 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md 
@@ -1,5 +1,5 @@ --- -title: VPN and conditional access (Windows 10) +title: VPN and conditional access (Windows 10 and Windows 11) description: Learn how to integrate the VPN client with the Conditional Access Platform, so you can create access rules for Azure Active Directory (Azure AD) connected apps. ms.prod: w10 ms.mktglfcycl: deploy @@ -10,12 +10,12 @@ ms.author: dansimp manager: dansimp ms.reviewer: ms.localizationpriority: medium -ms.date: 03/21/2019 +ms.date: 09/23/2021 --- # VPN and conditional access ->Applies to: Windows 10 and Windows 10 Mobile +>Applies to: Windows 10 and Windows 11 The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application. @@ -91,7 +91,7 @@ The VPN client side connection flow works as follows: When a VPNv2 Profile is configured with \ \true<\/Enabled> the VPN client uses this connection flow: -1. The VPN client calls into Windows 10’s Azure AD Token Broker, identifying itself as a VPN client. +1. The VPN client calls into Windows 10’s or Windows 11’s Azure AD Token Broker, identifying itself as a VPN client. 2. The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device trying to connect. The Azure AD Server checks if the device is in compliance with the policies. 
@@ -110,6 +110,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien - [Azure Active Directory conditional access](/azure/active-directory/conditional-access/overview) - [Getting started with Azure Active Directory Conditional Access](/azure/active-directory/authentication/tutorial-enable-azure-mfa) - [Control the health of Windows 10-based devices](../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) +- Control the health of Windows 11-based devices - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn) - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2) - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3) diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md index 465f79924f..90b1a56b41 100644 --- a/windows/security/identity-protection/vpn/vpn-connection-type.md +++ b/windows/security/identity-protection/vpn/vpn-connection-type.md @@ -1,5 +1,5 @@ --- -title: VPN connection types (Windows 10) +title: VPN connection types (Windows 10 and Windows 11) description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured. ms.prod: w10 ms.mktglfcycl: deploy @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: dansimp ms.localizationpriority: medium -ms.date: 11/13/2020 +ms.date: 08/23/2021 ms.reviewer: manager: dansimp ms.author: dansimp 
@@ -17,11 +17,11 @@ ms.author: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization’s private network. -There are many options for VPN clients. In Windows 10, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured. +There are many options for VPN clients. In Windows 10 and Windows 11, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured. ![VPN connection types.](images/vpn-connection.png) 
@@ -56,7 +56,7 @@ There are many options for VPN clients. In Windows 10, the built-in plug-in and ## Universal Windows Platform VPN plug-in -The Universal Windows Platform (UWP) VPN plug-ins were introduced in Windows 10, although there were originally separate versions available for the Windows 8.1 Mobile and Windows 8.1 PC platforms. Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers. +The Universal Windows Platform (UWP) VPN plug-ins were introduced in Windows 10 and Windows 11, although there were originally separate versions available for the Windows 8.1 Mobile and Windows 8.1 PC platforms. Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers. There are a number of Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution. diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md index 51eda0028d..3f23cadc79 100644 --- a/windows/security/identity-protection/vpn/vpn-guide.md +++ b/windows/security/identity-protection/vpn/vpn-guide.md 
@@ -1,25 +1,26 @@ --- -title: Windows 10 VPN technical guide (Windows 10) -description: Learn about decisions to make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. +title: Windows VPN technical guide (Windows 10 and Windows 11) +description: Learn about decisions to make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: dansimp ms.localizationpriority: medium -ms.date: 11/13/2020 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp --- -# Windows 10 VPN technical guide +# Windows VPN technical guide **Applies to** - Windows 10 +- Windows 11 -This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10. +This guide will walk you through the decisions you will make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10 and Windows 11. To create a Windows 10 VPN device configuration profile see: [Windows 10 and Windows Holographic device settings to add VPN connections using Intune](/mem/intune/configuration/vpn-settings-windows-10). 
@@ -42,4 +43,4 @@ To create a Windows 10 VPN device configuration profile see: [Windows 10 and Win ## Learn more -- [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure) \ No newline at end of file +- [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure) diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md index 70cec8d554..a61584597c 100644 --- a/windows/security/identity-protection/vpn/vpn-name-resolution.md +++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md @@ -1,5 +1,5 @@ --- -title: VPN name resolution (Windows 10) +title: VPN name resolution (Windows 10 and Windows 11) description: Learn how the name resolution setting in the VPN profile configures how name resolution works when a VPN client connects to a VPN server. ms.prod: w10 ms.mktglfcycl: deploy @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: dansimp ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -17,7 +17,7 @@ ms.author: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 When the VPN client connects to the VPN server, the VPN client receives the client IP address. The client may also receive the IP address of the Domain Name System (DNS) server and the IP address of the Windows Internet Name Service (WINS) server. diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 5c4221a574..562a872615 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
@@ -1,5 +1,5 @@
 ---
-title: Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client
+title: Optimizing Office 365 traffic for remote workers with the native Windows 10 or Windows 11 VPN client
 description: tbd
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -9,20 +9,20 @@ audience: ITPro ms.topic: article author: kelleyvice-msft ms.localizationpriority: medium -ms.date: 04/07/2020 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp ms.author: jajo --- -# Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client +# Optimizing Office 365 traffic for remote workers with the native Windows 10 and Windows 11 VPN client -This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](/office365/enterprise/office-365-vpn-split-tunnel) for the *native Windows 10 VPN client*. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. +This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](/office365/enterprise/office-365-vpn-split-tunnel) for the *native Windows 10 and Windows 11 VPN client*. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. -This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunneling with Exclusions_ approach. This allows you to define IP-based exclusions *even when using force tunneling* in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. 
For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users. +This can be achieved for the native/built-in Windows 10 and Windows 11 VPN client using a _Force Tunneling with Exclusions_ approach. This allows you to define IP-based exclusions *even when using force tunneling* in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users. > [!NOTE] -> The term _force tunneling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunneling_ is defined differently as described in the article [VPN routing decisions](./vpn-routing.md#split-tunnel-configuration). +> The term _force tunneling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 and Windows 11 VPN, the term _split tunneling_ is defined differently as described in the article [VPN routing decisions](./vpn-routing.md#split-tunnel-configuration). ## Solution Overview 
@@ -30,7 +30,7 @@ The solution is based upon the use of a VPN Configuration Service Provider Refer Typically, these VPN profiles are distributed using a Mobile Device Management solution like Intune, as described in [VPN profile options](./vpn-profile-options.md#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). -To enable the use of force tunneling in Windows 10 VPN, the `` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `` section: +To enable the use of force tunneling in Windows 10 or Windows 11 VPN, the `` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `` section: ```xml ForceTunnel 
@@ -90,13 +90,13 @@ An example of a PowerShell script that can be used to update a force tunnel VPN <# .SYNOPSIS - Applies or updates recommended Office 365 optimize IP address exclusions to an existing force tunnel Windows 10 VPN profile + Applies or updates recommended Office 365 optimize IP address exclusions to an existing force tunnel Windows 10 and Windows 11 VPN profile .DESCRIPTION Connects to the Office 365 worldwide commercial service instance endpoints to obtain the latest published IP address ranges Compares the optimized IP addresses with those contained in the supplied VPN Profile (PowerShell or XML file) Adds or updates IP addresses as necessary and saves the resultant file with "-NEW" appended to the file name .PARAMETERS - Filename and path for a supplied Windows 10 VPN profile file in either PowerShell or XML format + Filename and path for a supplied Windows 10 or Windows 11 VPN profile file in either PowerShell or XML format .NOTES Requires at least Windows 10 Version 1803 with KB4493437, 1809 with KB4490481, or later .VERSION @@ -430,6 +430,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml") This solution is supported with the following versions of Windows: +- Windows 11 - Windows 10 1903/1909 and newer: Included, no action needed - Windows 10 1809: At least [KB4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481) - Windows 10 1803: At least [KB4493437](https://support.microsoft.com/help/4493437/windows-10-update-kb4493437) diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md index 96eae8c6ac..8e683158b9 100644 --- a/windows/security/identity-protection/vpn/vpn-profile-options.md +++ b/windows/security/identity-protection/vpn/vpn-profile-options.md 
@@ -1,6 +1,6 @@ --- -title: VPN profile options (Windows 10) -description: Windows 10 adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network. +title: VPN profile options (Windows 10 and Windows 11) +description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network. ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523 ms.reviewer: manager: dansimp @@ -18,9 +18,9 @@ ms.date: 05/17/2018 **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 -Most of the VPN settings in Windows 10 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp). +Most of the VPN settings in Windows 10 and Windows 11 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 and Windows 11 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp). >[!NOTE] >If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) first. @@ -56,7 +56,7 @@ The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN prof The following is a sample Native VPN profile. This blob would fall under the ProfileXML node. -``` +```xml TestVpnProfile @@ -222,7 +222,7 @@ The following is a sample Native VPN profile. This blob would fall under the Pro The following is a sample plug-in VPN profile. This blob would fall under the ProfileXML node. -``` +```xml TestVpnProfile 
@@ -294,26 +294,38 @@ The following is a sample plug-in VPN profile. This blob would fall under the Pr Helloworld.Com - ``` ## Apply ProfileXML using Intune -After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy. +After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 or Windows 11 Desktop and Mobile and later)** policy. 1. Sign into the [Azure portal](https://portal.azure.com). + 2. Go to **Intune** > **Device Configuration** > **Profiles**. + 3. Click **Create Profile**. + 4. Enter a name and (optionally) a description. + 5. Choose **Windows 10 and later** as the platform. + 6. Choose **Custom** as the profile type and click **Add**. + 8. Enter a name and (optionally) a description. + 9. Enter the OMA-URI **./user/vendor/MSFT/VPNv2/_VPN profile name_/ProfileXML**. + 10. Set Data type to **String (XML file)**. + 11. Upload the profile XML file. + 12. Click **OK**. + ![Custom VPN profile.](images/custom-vpn-profile.png) + 13. Click **OK**, then **Create**. + 14. Assign the profile. @@ -332,4 +344,4 @@ After you configure the settings that you want using ProfileXML, you can apply i - [VPN and conditional access](vpn-conditional-access.md) - [VPN name resolution](vpn-name-resolution.md) - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) \ No newline at end of file +- [VPN security features](vpn-security-features.md) diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md index ea0cb1c3ae..5c2b3d00e1 100644 --- a/windows/security/identity-protection/vpn/vpn-routing.md +++ b/windows/security/identity-protection/vpn/vpn-routing.md 
@@ -1,5 +1,5 @@ --- -title: VPN routing decisions (Windows 10) +title: VPN routing decisions (Windows 10 and Windows 10) description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations. ms.prod: w10 ms.mktglfcycl: deploy @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: dansimp ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -17,7 +17,7 @@ ms.author: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 Network routes are required for the stack to understand which interface to use for outbound traffic. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). This decision impacts the configuration and the capacity planning, as well as security expectations from the connection. diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md index c84ab32cb0..88d9c1dfba 100644 --- a/windows/security/identity-protection/vpn/vpn-security-features.md +++ b/windows/security/identity-protection/vpn/vpn-security-features.md @@ -1,5 +1,5 @@ --- -title: VPN security features (Windows 10) +title: VPN security features (Windows 10 and Windows 11) description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters. ms.prod: w10 ms.mktglfcycl: deploy @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: dansimp ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 09/03/2021 ms.reviewer: manager: dansimp ms.author: dansimp 
@@ -17,14 +17,14 @@ ms.author: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 ## Windows Information Protection (WIP) integration with VPN Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices, without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally. -The **EdpModeId** node in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) allows a Windows 10 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include: +The **EdpModeId** node in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) allows a Windows 10 or Windows 11 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include: - Core functionality: File encryption and file access blocking - UX policy enforcement: Restricting copy/paste, drag/drop, and sharing operations diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md index 62a4cf6cf0..3a8d6e6ed0 100644 --- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md +++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md 
@@ -1,6 +1,6 @@ --- -title: Windows 10 Credential Theft Mitigation Guide Abstract (Windows 10) -description: Provides a summary of the Windows 10 credential theft mitigation guide. +title: Windows Credential Theft Mitigation Guide Abstract +description: Provides a summary of the Windows credential theft mitigation guide. ms.assetid: 821ddc1a-f401-4732-82a7-40d1fff5a78a ms.reviewer: ms.prod: w10 @@ -17,12 +17,12 @@ ms.localizationpriority: medium ms.date: 04/19/2017 --- -# Windows 10 Credential Theft Mitigation Guide Abstract +# Windows Credential Theft Mitigation Guide Abstract **Applies to** - Windows 10 -This topic provides a summary of the Windows 10 credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx). +This topic provides a summary of the Windows credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx). This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages: - Identify high-value assets diff --git a/windows/security/identity.md b/windows/security/identity.md new file mode 100644 index 0000000000..0cfa07beba --- /dev/null +++ b/windows/security/identity.md 
@@ -0,0 +1,27 @@
+---
+title: Windows identity and user security
+description: Get an overview of identity security in Windows 11 and Windows 10
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: dansimp
+ms.collection: M365-security-compliance
+ms.prod: m365-security
+ms.technology: windows-sec
+---
+
+# Windows identity and user security
+
+Malicious actors launch millions of password attacks every day. Weak passwords, password spraying, and phishing are the entry point for many attacks. Knowing that the right user is accessing the right device and the right data is critical to keeping your business, family, and self, safe and secure. Windows Hello, Windows Hello for Business, and Credential Guard enable customers to move to passwordless multifactor authentication (MFA). MFA can reduce the risk of compromise in organizations.
+
+| Security capabilities | Description |
+|:---|:---|
+| Securing user identity with Windows Hello | Windows Hello and Windows Hello for Business replace password-based authentication with a stronger authentication model to sign into your device using a passcode (PIN) or other biometric based authentication. This PIN or biometric based authentication is only valid on the device that you registered it for and cannot be used on another deviceLearn more: [Windows Hello for Business](identity-protection\hello-for-business\hello-overview.md) |
+| Windows Defender Credential Guard and Remote Credential Guard | Windows Defender Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection.
It also provides single sign-on experiences for Remote Desktop sessions. Learn more: [Protect derived domain credentials with Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md) and [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard](identity-protection/remote-credential-guard.md)|
+| FIDO Alliance | Fast Identity Online (FIDO) defined protocols are becoming the open standard for providing strong authentication that helps prevent phishing and are user-friendly and privacy-respecting. Windows 11 supports the use of device sign-in with FIDO 2 security keys, and with Microsoft Edge or other modern browsers, supports the use of secure FIDO-backed credentials to keep user accounts protected. Learn more about the [FIDO Alliance](https://fidoalliance.org/). |
+| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone.md). |
+| Smart Cards | Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks in Windows, such as authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Learn more about [Smart Cards](identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md).|
+| Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer.
Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).| \ No newline at end of file diff --git a/windows/security/images/windows-security-app-w11.png b/windows/security/images/windows-security-app-w11.png new file mode 100644 index 0000000000..e062b0d292 Binary files /dev/null and b/windows/security/images/windows-security-app-w11.png differ diff --git a/windows/security/includes/microsoft-defender.md b/windows/security/includes/microsoft-defender.md index ec183caa51..cf62bf3732 100644 --- a/windows/security/includes/microsoft-defender.md +++ b/windows/security/includes/microsoft-defender.md @@ -1,6 +1,6 @@ --- -title: Microsoft Defender important guidance -description: A note in regard to important Microsoft Defender guidance. +title: Microsoft 365 Defender important guidance +description: A note in regard to important Microsoft 365 Defender guidance. ms.date: ms.reviewer: manager: dansimp @@ -11,4 +11,4 @@ ms.topic: include --- > [!IMPORTANT] -> The improved [Microsoft 365 security center](https://security.microsoft.com) is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. [Learn what's new](/microsoft-365/security/mtp/overview-security-center). \ No newline at end of file +> The improved [Microsoft 365 Defender portal](https://security.microsoft.com) is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. [Learn what's new](/microsoft-365/security/mtp/overview-security-center). diff --git a/windows/security/index.yml b/windows/security/index.yml index 4a5558a16d..debbf67a5a 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml 
@@ -1,38 +1,170 @@ -### YamlMime:Hub +### YamlMime:Landing -title: Windows 10 Enterprise Security # < 60 chars -summary: Secure corporate data and manage risk. # < 160 chars -# brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-bi | power-platform | sql | sql-server | vs | visual-studio | windows | xamarin -brand: windows +title: Windows security # < 60 chars +summary: Built with Zero Trust principles at the core to safeguard data and access anywhere, keeping you protected and productive. # < 160 chars metadata: - title: Windows 10 Enterprise Security # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about enterprise-grade security features for Windows 10. # Required; article description that is displayed in search results. < 160 chars. - services: windows + title: Windows security # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Learn about Windows security # Required; article description that is displayed in search results. < 160 chars. + ms.topic: landing-page # Required ms.prod: windows - ms.topic: hub-page # Required - ms.collection: M365-security-compliance # Optional; Remove if no collection is used. + ms.collection: m365-security-compliance author: dansimp #Required; your GitHub user alias, with correct capitalization. ms.author: dansimp #Required; microsoft alias of author; optional team alias. - ms.date: 01/08/2018 #Required; mm/dd/yyyy format. 
- ms.localizationpriority: high + ms.date: 09/20/2021 + localization_priority: Priority + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Zero Trust and Windows + linkLists: + - linkListType: overview + links: + - text: Overview + url: zero-trust-windows-device-health.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Hardware security + linkLists: + - linkListType: overview + links: + - text: Overview + url: hardware.md + - linkListType: concept + links: + - text: Trusted Platform Module + url: information-protection/tpm/trusted-platform-module-top-node.md + - text: Windows Defender System Guard firmware protection + url: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md + - text: System Guard Secure Launch and SMM protection enablement + url: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md + - text: Virtualization-based protection of code integrity + url: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md + - text: Kernel DMA Protection + url: information-protection/kernel-dma-protection-for-thunderbolt.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Operating system security + linkLists: + - linkListType: overview + links: + - text: Overview + url: operating-system.md + - linkListType: concept + links: + - text: System security + url: trusted-boot.md + - text: Encryption and data protection + url: encryption-data-protection.md + - text: Windows security baselines + url: 
threat-protection/windows-security-configuration-framework/windows-security-baselines.md + - text: Virtual private network guide + url: identity-protection/vpn/vpn-guide.md + - text: Windows Defender Firewall + url: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md + - text: Virus & threat protection + url: threat-protection/index.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Application security + linkLists: + - linkListType: overview + links: + - text: Overview + url: apps.md + - linkListType: concept + links: + - text: Application Control and virtualization-based protection + url: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md + - text: Application Control + url: threat-protection/windows-defender-application-control/windows-defender-application-control.md + - text: Application Guard + url: threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md + - text: Windows Sandbox + url: threat-protection/windows-sandbox/windows-sandbox-overview.md + - text: Microsoft Defender SmartScreen + url: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md + - text: S/MIME for Windows + url: identity-protection/configure-s-mime.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: User security and secured identity + linkLists: + - linkListType: overview + links: + - text: Overview + url: identity.md + - linkListType: concept + links: + - text: Windows Hello for Business + url: identity-protection/hello-for-business/hello-overview.md + - text: Windows Credential Theft Mitigation + url: identity-protection/windows-credential-theft-mitigation-guide-abstract.md + - text: Protect domain credentials + url: 
identity-protection/credential-guard/credential-guard.md + - text: Windows Defender Credential Guard + url: identity-protection/credential-guard/credential-guard.md + - text: Lost or forgotten passwords + url: identity-protection/password-support-policy.md + - text: Access control + url: identity-protection/access-control/access-control.md + - text: Smart cards + url: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Cloud services + linkLists: + - linkListType: overview + links: + - text: Overview + url: cloud.md + - linkListType: concept + links: + - text: Mobile device management + url: https://docs.microsoft.com/windows/client-management/mdm/ + - text: Azure Active Directory + url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory + - text: Your Microsoft Account + url: identity-protection/access-control/microsoft-accounts.md + - text: OneDrive + url: https://docs.microsoft.com/onedrive/onedrive + - text: Family safety + url: threat-protection/windows-defender-security-center/wdsc-family-options.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Security foundations + linkLists: + - linkListType: overview + links: + - text: Overview + url: security-foundations.md + - linkListType: reference + links: + - text: Microsoft Security Development Lifecycle + url: threat-protection/msft-security-dev-lifecycle.md + - text: Microsoft Bug Bounty + url: threat-protection/microsoft-bug-bounty-program.md + - text: Common Criteria Certifications + url: threat-protection/windows-platform-common-criteria.md + - text: Federal Information Processing Standard (FIPS) 140 Validation + url: threat-protection/fips-140-validation.md +# Cards and links should be based on top customer tasks 
or top subjects +# Start card title with a verb + # Card (optional) + - title: Privacy controls + linkLists: + - linkListType: reference + links: + - text: Windows and Privacy Compliance + url: /windows/privacy/windows-10-and-privacy-compliance -# productDirectory section (optional) -productDirectory: - items: - # Card - - title: Identity and access management - # imageSrc should be square in ratio with no whitespace - imageSrc: https://docs.microsoft.com/media/common/i_identity-protection.svg - summary: Deploy secure enterprise-grade authentication and access control to protect accounts and data - url: ./identity-protection/index.md - # Card - - title: Threat protection - imageSrc: https://docs.microsoft.com/media/common/i_threat-protection.svg - summary: Stop cyberthreats and quickly identify and respond to breaches - url: ./threat-protection/index.md - # Card - - title: Information protection - imageSrc: https://docs.microsoft.com/media/common/i_information-protection.svg - summary: Identify and secure critical data to prevent data loss - url: ./information-protection/index.md \ No newline at end of file diff --git a/windows/security/information-protection/TOC.yml b/windows/security/information-protection/TOC.yml deleted file mode 100644 index bcaa9d74d7..0000000000 --- a/windows/security/information-protection/TOC.yml +++ /dev/null 
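Review bot: In the "User security and secured identity" card of index.yml, the added entries `Protect domain credentials` and `Windows Defender Credential Guard` both point to `identity-protection/credential-guard/credential-guard.md`, so the card shows two links to the same page. Either drop one entry or give the first its own target; the new identity.md in this same commit links "Protect derived domain credentials with Windows Defender Credential Guard" to `identity-protection/credential-guard/credential-guard-how-it-works.md`, which may be what was intended here. Separately, the template comment `# Start card title with a verb` is copied above every card, yet none of the card titles added in this hunk begins with a verb; reword the titles or remove the copied comments so the file does not contradict itself.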
@@ -1,149 +0,0 @@ -- name: Information protection - href: index.md - items: - - name: BitLocker - href: bitlocker\bitlocker-overview.md - items: - - name: Overview of BitLocker Device Encryption in Windows 10 - href: bitlocker\bitlocker-device-encryption-overview-windows-10.md - - name: BitLocker frequently asked questions (FAQ) - href: bitlocker\bitlocker-frequently-asked-questions.yml - items: - - name: Overview and requirements - href: bitlocker\bitlocker-overview-and-requirements-faq.yml - - name: Upgrading - href: bitlocker\bitlocker-upgrading-faq.yml - - name: Deployment and administration - href: bitlocker\bitlocker-deployment-and-administration-faq.yml - - name: Key management - href: bitlocker\bitlocker-key-management-faq.yml - - name: BitLocker To Go - href: bitlocker\bitlocker-to-go-faq.yml - - name: Active Directory Domain Services - href: bitlocker\bitlocker-and-adds-faq.yml - - name: Security - href: bitlocker\bitlocker-security-faq.yml - - name: BitLocker Network Unlock - href: bitlocker\bitlocker-network-unlock-faq.yml - - name: General - href: bitlocker\bitlocker-using-with-other-programs-faq.yml - - name: "Prepare your organization for BitLocker: Planning and policies" - href: bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md - - name: BitLocker deployment comparison - href: bitlocker\bitlocker-deployment-comparison.md - - name: BitLocker basic deployment - href: bitlocker\bitlocker-basic-deployment.md - - name: "BitLocker: How to deploy on Windows Server 2012 and later" - href: bitlocker\bitlocker-how-to-deploy-on-windows-server.md - - name: "BitLocker: Management for enterprises" - href: bitlocker\bitlocker-management-for-enterprises.md - - name: "BitLocker: How to enable Network Unlock" - href: bitlocker\bitlocker-how-to-enable-network-unlock.md - - name: "BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker" - href: bitlocker\bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md - - name: 
"BitLocker: Use BitLocker Recovery Password Viewer" - href: bitlocker\bitlocker-use-bitlocker-recovery-password-viewer.md - - name: BitLocker Group Policy settings - href: bitlocker\bitlocker-group-policy-settings.md - - name: BCD settings and BitLocker - href: bitlocker\bcd-settings-and-bitlocker.md - - name: BitLocker Recovery Guide - href: bitlocker\bitlocker-recovery-guide-plan.md - - name: BitLocker Countermeasures - href: bitlocker\bitlocker-countermeasures.md - - name: Protecting cluster shared volumes and storage area networks with BitLocker - href: bitlocker\protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md - - name: Troubleshoot BitLocker - items: - - name: Troubleshoot BitLocker - href: bitlocker\troubleshoot-bitlocker.md - - name: "BitLocker cannot encrypt a drive: known issues" - href: bitlocker\ts-bitlocker-cannot-encrypt-issues.md - - name: "Enforcing BitLocker policies by using Intune: known issues" - href: bitlocker\ts-bitlocker-intune-issues.md - - name: "BitLocker Network Unlock: known issues" - href: bitlocker\ts-bitlocker-network-unlock-issues.md - - name: "BitLocker recovery: known issues" - href: bitlocker\ts-bitlocker-recovery-issues.md - - name: "BitLocker configuration: known issues" - href: bitlocker\ts-bitlocker-config-issues.md - - name: Troubleshoot BitLocker and TPM issues - items: - - name: "BitLocker cannot encrypt a drive: known TPM issues" - href: bitlocker\ts-bitlocker-cannot-encrypt-tpm-issues.md - - name: "BitLocker and TPM: other known issues" - href: bitlocker\ts-bitlocker-tpm-issues.md - - name: Decode Measured Boot logs to track PCR changes - href: bitlocker\ts-bitlocker-decode-measured-boot-logs.md - - name: Encrypted Hard Drive - href: encrypted-hard-drive.md - - name: Kernel DMA Protection - href: kernel-dma-protection-for-thunderbolt.md - - name: Protect your enterprise data using Windows Information Protection (WIP) - href: windows-information-protection\protect-enterprise-data-using-wip.md 
- items: - - name: Create a WIP policy using Microsoft Intune - href: windows-information-protection\overview-create-wip-policy.md - items: - - name: Create a WIP policy with MDM using the Azure portal for Microsoft Intune - href: windows-information-protection\create-wip-policy-using-intune-azure.md - items: - - name: Deploy your WIP policy using the Azure portal for Microsoft Intune - href: windows-information-protection\deploy-wip-policy-using-intune-azure.md - - name: Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune - href: windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md - - name: Create and verify an EFS Data Recovery Agent (DRA) certificate - href: windows-information-protection\create-and-verify-an-efs-dra-certificate.md - - name: Determine the Enterprise Context of an app running in WIP - href: windows-information-protection\wip-app-enterprise-context.md - - name: Create a WIP policy using Microsoft Endpoint Configuration Manager - href: windows-information-protection\overview-create-wip-policy-configmgr.md - items: - - name: Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager - href: windows-information-protection\create-wip-policy-using-configmgr.md - - name: Create and verify an EFS Data Recovery Agent (DRA) certificate - href: windows-information-protection\create-and-verify-an-efs-dra-certificate.md - - name: Determine the Enterprise Context of an app running in WIP - href: windows-information-protection\wip-app-enterprise-context.md - - name: Mandatory tasks and settings required to turn on WIP - href: windows-information-protection\mandatory-settings-for-wip.md - - name: Testing scenarios for WIP - href: windows-information-protection\testing-scenarios-for-wip.md - - name: Limitations while using WIP - href: windows-information-protection\limitations-with-wip.md - - name: How to collect WIP audit event logs - href: 
windows-information-protection\collect-wip-audit-event-logs.md - - name: General guidance and best practices for WIP - href: windows-information-protection\guidance-and-best-practices-wip.md - items: - - name: Enlightened apps for use with WIP - href: windows-information-protection\enlightened-microsoft-apps-and-wip.md - - name: Unenlightened and enlightened app behavior while using WIP - href: windows-information-protection\app-behavior-with-wip.md - - name: Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP - href: windows-information-protection\recommended-network-definitions-for-wip.md - - name: Using Outlook Web Access with WIP - href: windows-information-protection\using-owa-with-wip.md - - name: Fine-tune WIP Learning - href: windows-information-protection\wip-learning.md - - name: Secure the Windows 10 boot process - href: secure-the-windows-10-boot-process.md - - name: Trusted Platform Module - href: tpm/trusted-platform-module-top-node.md - items: - - name: Trusted Platform Module Overview - href: tpm/trusted-platform-module-overview.md - - name: TPM fundamentals - href: tpm/tpm-fundamentals.md - - name: How Windows 10 uses the TPM - href: tpm/how-windows-uses-the-tpm.md - - name: TPM Group Policy settings - href: tpm/trusted-platform-module-services-group-policy-settings.md - - name: Back up the TPM recovery information to AD DS - href: tpm/backup-tpm-recovery-information-to-ad-ds.md - - name: View status, clear, or troubleshoot the TPM - href: tpm/initialize-and-configure-ownership-of-the-tpm.md - - name: Understanding PCR banks on TPM 2.0 devices - href: tpm/switch-pcr-banks-on-tpm-2-0-devices.md - - name: TPM recommendations - href: tpm/tpm-recommendations.md diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md index 34a70a7698..3c10de8372 100644 
--- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md @@ -72,7 +72,8 @@ For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f Setting that applies to all boot applications may be applied only to an individual application, however the reverse is not true. For example, one can specify either: “`all:locale`” or “`winresume:locale`”, but as the bcd setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields. -> **Note:**  Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid. +> [!NOTE] +> Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.   ### Default BCD validation profile 
@@ -109,7 +110,9 @@ The following table contains the default BCD validation profile used by BitLocke ### Full list of friendly names for ignored BCD settings This following is a full list of BCD settings with friendly names, which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker–protected operating system drive to be unlocked. -> **Note:**  Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list. + +> [!NOTE] +> Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list. | Hex Value | Prefix | Friendly Name | | - | - | - | diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 5582a89d66..9a77ca4317 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -190,8 +190,8 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us -

                  Name

                  -

                  Parameters

                  +

                  Name

                  +

                  Parameters

                  Add-BitLockerKeyProtector

                  @@ -388,8 +388,9 @@ Get-ADUser -filter {samaccountname -eq "administrator"} > [!NOTE] > Use of this command requires the RSAT-AD-PowerShell feature. -> -> **Tip:**  In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. + +> [!TIP] +> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index fd212875f8..bc8488a920 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -69,7 +69,7 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th > [!NOTE] > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. - +> > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. The hard disk must be partitioned with at least two drives: 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index d58028caea..4f375c0d85 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -53,6 +53,7 @@ A good practice when using manage-bde is to determine the volume status on the t ```powershell manage-bde -status ``` + This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume: ![Using manage-bde to check encryption status.](images/manage-bde-status.png) @@ -64,7 +65,8 @@ manage-bde –protectors -add C: -startupkey E: manage-bde -on C: ``` ->**Note:**  After the encryption is completed, the USB startup key must be inserted before the operating system can be started. +> [!NOTE] +> After the encryption is completed, the USB startup key must be inserted before the operating system can be started. An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. To add them, use this command: 
@@ -102,7 +104,8 @@ You may experience a problem that damages an area of a hard disk on which BitLoc The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS. ->**Tip:**  If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume. +> [!TIP] +> If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume. The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true: 
@@ -110,7 +113,8 @@ The Repair-bde command-line tool is intended for use when the operating system d - Windows does not start, or you cannot start the BitLocker recovery console. - You do not have a copy of the data that is contained on the encrypted drive. ->**Note:**  Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. +> [!NOTE] +> Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. The following limitations exist for Repair-bde: @@ -128,11 +132,13 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work - - -

                  Name

                  -

                  Parameters

                  + + +

                  Name

                  +

                  Parameters

                  + +

                  Add-BitLockerKeyProtector

                  -ADAccountOrGroup

                  @@ -251,10 +257,13 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. + A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the Get-BitLockerVolume cmdlet. + The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status, and other details. ->**Tip:**  Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. +> [!TIP] +> Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. `Get-BitLockerVolume C: | fl` If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. 
@@ -274,7 +283,8 @@ By using this information, you can then remove the key protector for a specific Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` ->**Note:**  The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. +> [!NOTE] +> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. ### Using the BitLocker Windows PowerShell cmdlets with operating system volumes @@ -302,11 +312,13 @@ $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw ``` + ### Using an AD Account or Group protector in Windows PowerShell The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and be unlocked by any member computer of the cluster. ->**Warning:**  The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes +> [!WARNING] +> The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. 
@@ -316,13 +328,15 @@ Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Adminis For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command: ->**Note:**  Use of this command requires the RSAT-AD-PowerShell feature. +> [!NOTE] +> Use of this command requires the RSAT-AD-PowerShell feature. ```powershell get-aduser -filter {samaccountname -eq "administrator"} ``` ->**Tip:**  In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. +> [!TIP] +> In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account: @@ -330,7 +344,8 @@ The following example adds an **ADAccountOrGroup** protector to the previously e Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500 ``` ->**Note:**  Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. +> [!NOTE] +> Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. ## More information 
@@ -338,4 +353,4 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5- - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) -- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) \ No newline at end of file +- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md index f8dc37af5a..f2ed14e623 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md @@ -41,6 +41,7 @@ This issue may be caused by settings that are controlled by Group Policy Objects To resolve this issue, follow these steps: 1. Start Registry Editor, and navigate to the following subkey: + **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE** 1. Delete the following entries: 
@@ -55,9 +56,13 @@ To resolve this issue, follow these steps: You have a computer that is running Windows 10, version 1709 or version 1607, or Windows 11. You try to encrypt a USB drive by following these steps: 1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**. + 1. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**. + 1. Follow the instructions on the page to enter your password. + 1. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**. + 1. The **Starting encryption** page displays the message "Access is denied." You receive this message on any computer that runs Windows 10 version 1709 or version 1607, or Windows 11, when you use any USB drive. @@ -72,13 +77,13 @@ To verify that this issue has occurred, follow these steps: 1. At the command prompt, enter the following command: - ```cmd + ```console C:\>sc sdshow bdesvc ``` The output of this command resembles the following: - > D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD) + > `D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)` 1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring) command in the PowerShell window, as follows. @@ -95,7 +100,7 @@ To verify that this issue has occurred, follow these steps: 1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command: - ```ps + ```powershell sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD) ``` 
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md index 6b1ee39717..4142982e69 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md @@ -158,7 +158,7 @@ For more information and recommendations about backing up virtualized domain con When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry that resembles the following: -``` +```console \# for hex 0xc0210000 / decimal -1071579136 ‎ STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h ‎ \# This volume is locked by BitLocker Drive Encryption. @@ -166,7 +166,7 @@ When the VSS NTDS writer requests access to the encrypted drive, the Local Secur The operation produces the following call stack: -``` +```console \# Child-SP RetAddr Call Site ‎ 00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\] ‎ 01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\] diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index 276b174efd..9c0af342bc 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md 
@@ -55,7 +55,8 @@ To install the tool, follow these steps: To use TBSLogGenerator, follow these steps: -1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder: +1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder: + **C:\\Program Files (x86)\\Windows Kits\\10\\Hardware Lab Kit\\Tests\\amd64\\NTTEST\\BASETEST\\ngscb** This folder contains the TBSLogGenerator.exe file. @@ -63,9 +64,11 @@ To use TBSLogGenerator, follow these steps: ![Properties and location of the TBSLogGenerator.exe file.](./images/ts-tpm-3.png) 1. Run the following command: - ```cmd + + ```console TBSLogGenerator.exe -LF \.log > \.txt ``` + where the variables represent the following values: - \<*LogFolderName*> = the name of the folder that contains the file to be decoded - \<*LogFileName*> = the name of the file to be decoded @@ -74,7 +77,7 @@ To use TBSLogGenerator, follow these steps: For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file: - ```cmd + ```console TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt ``` 
@@ -84,12 +87,12 @@ To use TBSLogGenerator, follow these steps: ![Windows Explorer window that shows the text file that TBSLogGenerator produces.](./images/ts-tpm-5.png) -The content of this text file resembles the following. - -![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png) - -To find the PCR information, go to the end of the file. - + The content of this text file resembles the following. + + ![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png) + + To find the PCR information, go to the end of the file. + ![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png) ## Use PCPTool to decode Measured Boot logs @@ -102,7 +105,8 @@ PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.micros To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions. To decode a log, run the following command: -```cmd + +```console PCPTool.exe decodelog \.log > \.xml ``` @@ -114,4 +118,4 @@ where the variables represent the following values: The content of the XML file resembles the following. -![Command Prompt window that shows an example of how to use PCPTool.](./images/pcptool-output.jpg) +:::image type="content" alt-text="Command Prompt window that shows an example of how to use PCPTool." source="./images/pcptool-output.jpg" lightbox="./images/pcptool-output.jpg"::: diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index 13b4676a20..44ad76e76b 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md 
@@ -20,7 +20,7 @@ ms.custom: bitlocker This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices. -![The BitLocker status indictors on the Intune portal.](./images/4509189-en-1.png) +:::image type="content" alt-text="The BitLocker status indictors on the Intune portal." source="./images/4509189-en-1.png" lightbox="./images/4509189-en-1.png"::: To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages: @@ -104,10 +104,11 @@ The procedures described in this section depend on the default disk partitions t To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands: -``` +```console diskpart list volume ``` + ![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png) If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager). 
@@ -118,16 +119,17 @@ If the status of any of the volumes is not healthy or if the recovery partition To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command: -```cmd +```console reagentc /info ``` + The output of this command resembles the following. ![Output of the reagentc /info command.](./images/4509193-en-1.png) If the **Windows RE status** is not **Enabled**, run the following command to enable it: -```cmd +```console reagentc /enable ``` @@ -135,13 +137,13 @@ reagentc /enable If the partition status is healthy, but the **reagentc /enable** command results in an error, verify that Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window: -```cmd +```console bcdedit /enum all ``` The output of this command resembles the following. -![Output of the bcdedit /enum all command.](./images/4509196-en-1.png) +:::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png"::: In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros. 
@@ -162,9 +164,13 @@ The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent B To verify the BIOS mode, use the System Information app. To do this, follow these steps: 1. Select **Start**, and enter **msinfo32** in the **Search** box. + 1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**. + ![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png) + 1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device. + > [!NOTE] > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device. @@ -186,7 +192,7 @@ You can resolve this issue by verifying the PCR validation profile of the TPM an To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command: -```cmd +```console Manage-bde -protectors -get %systemdrive% ``` 
@@ -203,16 +209,22 @@ If **PCR Validation Profile** doesn't include **7** (for example, the values inc To verify the Secure Boot state, use the System Information app. To do this, follow these steps: 1. Select **Start**, and enter **msinfo32** in the **Search** box. + 1. Verify that the **Secure Boot State** setting is **On**, as follows: + ![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png) + 1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device. + ![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png) > [!NOTE] > You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command: +> > ```ps > PS C:\> Confirm-SecureBootUEFI > ``` +> > If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True." > > If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False." diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md index aa70c53412..110aad6465 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md @@ -49,7 +49,7 @@ You can use either of the following methods to manually back up or synchronize a For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command: - ```cmd + ```console manage-bde -protectors -adbackup C: ``` 
@@ -60,7 +60,7 @@ You can use either of the following methods to manually back up or synchronize a You have a tablet or slate device, and you try to test BitLocker Recovery by running the following command: -```cmd +```console Manage-bde -forcerecovery ``` @@ -82,14 +82,21 @@ This behavior is by design for all versions of Windows. To resolve the restart loop, follow these steps: 1. On the BitLocker Recovery screen, select **Skip this drive**. + 1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**. -1. In the Command Prompt window, run the following commands : - ```cmd + +1. In the Command Prompt window, run the following commands: + + ```console manage-bde –unlock C: -rp <48-digit BitLocker recovery password> manage-bde -protectors -disable C: + ``` + 1. Close the Command Prompt window. + 1. Shut down the device. + 1. Start the device. Windows should start as usual. ## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password @@ -115,7 +122,7 @@ Devices that support Connected Standby (also known as *InstantGO* or *Always On, To verify the PCR values that are in use on a device, open and elevated Command Prompt window and run the following command: -```cmd +```console manage-bde.exe -protectors -get : ``` 
@@ -130,21 +137,34 @@ If you have installed a TPM or UEFI update and your device cannot start, even if To do this, follow these steps: 1. Obtain your BitLocker recovery password from [your Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator for help. + 1. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive. + 1. Insert the USB Surface recovery image drive into the Surface device, and start the device. + 1. When you are prompted, select the following items: + 1. Your operating system language. + 1. Your keyboard layout. + 1. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**. + 1. In the Command Prompt window, run the following commands: - ```cmd + + ```console manage-bde -unlock -recoverypassword : manage-bde -protectors -disable : + ``` + In these commands, \<*Password*\> is the BitLocker recovery password that you obtained in step 1, and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. + > [!NOTE] > For more information about how to use this command, see [manage-bde: unlock](/windows-server/administration/windows-commands/manage-bde-unlock). + 1. Restart the computer. + 1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1. > [!NOTE] 
@@ -155,11 +175,15 @@ To do this, follow these steps: To recover data from your Surface device if you cannot start Windows, follow steps 1 through 5 of [Step 1](#step-1) to return to the Command Prompt window, and then follow these steps: 1. At the command prompt, run the following command: - ```cmd + + ```console manage-bde -unlock -recoverypassword : ``` + In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. + 1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive. + > [!NOTE] > For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands). 
@@ -172,30 +196,42 @@ To prevent this issue from recurring, we strongly recommend that you restore t To enable Secure Boot on a Surface device, follow these steps: 1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet: - ```ps + + ```powershell Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` + In this command, <*DriveLetter*> is the letter that is assigned to your drive. + 1. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**. + 1. Restart the device. + 1. Open an elevated PowerShell window, and run the following cmdlet: - ```ps + + ```powershell Resume-BitLocker -MountPoint ":" ``` To reset the PCR settings on the TPM, follow these steps: 1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies. + For more information, see [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md). + 1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet: - ```ps + + ```powershell Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` where <*DriveLetter*> is the letter assigned to your drive. + 1. Run the following cmdlet: - ```ps + + ```powershell Resume-BitLocker -MountPoint ":" + ``` #### Step 4: Suspend BitLocker during TPM or UEFI firmware updates 
@@ -209,13 +245,19 @@ You can avoid this scenario when you install updates to system firmware or TPM f To suspend BitLocker while you install TPM or UEFI firmware updates: 1. Open an elevated Windows PowerShell window, and run the following cmdlet: - ```ps + + ```powershell Suspend-BitLocker -MountPoint ":" -RebootCount 0 + ``` + In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive. + 1. Install the Surface device driver and firmware updates. + 1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet: - ```ps + + ```powershell Resume-BitLocker -MountPoint ":" ``` 
@@ -230,22 +272,31 @@ You have a device that runs Windows 11, Windows 10, version 1703, Windows 10, v If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps: 1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on. + 1. On the Recovery screen, press Enter. When you are prompted, enter the recovery password. + 1. If your device starts in the (WinRE) and prompts you for the recovery password again, select **Skip the drive**. + 1. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**. + 1. In the Command Prompt window, run the following commands: - ```cmd + + ```console Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by “-“ in 6 digit group> Manage-bde -protectors -disable c: exit ``` These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window. + > [!NOTE] > These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment. + 1. Select **Continue**. Windows should start. + 1. After Windows has started, open an elevated Command Prompt window and run the following command: - ```cmd + + ```console Manage-bde -protectors -enable c: ``` @@ -254,7 +305,7 @@ If your device is already in this state, you can successfully start Windows afte To temporarily suspend BitLocker just before you restart the device, open an elevated Command Prompt window and run the following command: -```cmd +```console Manage-bde -protectors -disable c: -rc 1 ``` 
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index bca11cfd78..e89b66ca77 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -73,11 +73,11 @@ Systems released prior to Windows 10 version 1803 do not support Kernel DMA Prot Systems running Windows 10 version 1803 that do support Kernel DMA Protection do have this security feature enabled automatically by the OS with no user or IT admin configuration required. -### Using Security Center +### Using the Windows Security app -Beginning with Windows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**. +Beginning with Windows 10 version 1809, you can use the Windows Security app to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**. -![Kernel DMA protection in Security Center.](bitlocker/images/kernel-dma-protection-security-center.png) +![Kernel DMA protection in Windows Security](bitlocker/images/kernel-dma-protection-security-center.png) ### Using System information @@ -146,4 +146,4 @@ The policy can be enabled by using: ## Related topics - [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) -- [DmaGuard MDM policies](/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies) \ No newline at end of file +- [DmaGuard MDM policies](/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies) 
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index 45659d1cac..a13435b388 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md @@ -1,7 +1,7 @@ --- -title: Secure the Windows 10 boot process -description: This article describes how Windows 10 security features helps protect your PC from malware, including rootkits and other applications -keywords: trusted boot, windows 10 boot process +title: Secure the Windows boot process +description: This article describes how Windows security features helps protect your PC from malware, including rootkits and other applications +keywords: trusted boot, windows boot process ms.prod: w10 ms.mktglfcycl: Explore ms.pagetype: security @@ -12,12 +12,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/16/2018 +ms.date: ms.reviewer: ms.author: dansimp --- -# Secure the Windows 10 boot process +# Secure the Windows boot process **Applies to:** - Windows 11 
@@ -27,11 +27,11 @@ ms.author: dansimp
 
 The Windows operating system has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 operating system includes a series of security features that can mitigate the impact. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
 
-Windows has multiple levels of protection for desktop apps and data, too. Windows Defender uses signatures to detect and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
+Windows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses cloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
 
 Those are just some of the ways that Windows protects you from malware. However, those security features protect you only after Windows starts. Modern malware—and bootkits specifically—are capable of starting before Windows, completely bypassing operating system security, and remaining completely hidden.
 
-When you run Windows 10 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can’t remain hidden; Trusted Boot can prove the system’s integrity to your infrastructure in a way that malware can’t disguise. Even on PCs without UEFI, Windows provides even better startup security than previous versions of Windows.
+When you run Windows 10 or Windows 11 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can’t remain hidden; Trusted Boot can prove the system’s integrity to your infrastructure in a way that malware can’t disguise. Even on PCs without UEFI, Windows provides even better startup security than previous versions of Windows.
 
 First, let’s examine what rootkits are and how they work. Then, we’ll show you how Windows can protect you.
 
@@ -61,7 +61,7 @@ Figure 1 shows the Windows startup process.
 
 **Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage**
 
-Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well.
+Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 and Windows 11 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well.
 
 The sections that follow describe Secure Boot, Trusted Boot, ELAM, and Measured Boot.
 
@@ -131,4 +131,4 @@ Measured Boot uses the power of UEFI, TPM, and Windows to give you a way to conf Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; it’s leaps and bounds ahead of everything else. With Windows, you can truly trust the integrity of your operating system. ## Additional resources -- [Windows 10 Enterprise LTSC 2019 or v2004 Evaluation](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) +- [Windows Enterprise Evaluation](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index 038e7da093..3688226a4f 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md @@ -23,6 +23,7 @@ The Windows operating system improves most existing security features in the ope **See also:** +- [Windows 11 Specifications](https://www.microsoft.com/windows/windows-11-specifications) - [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) 
@@ -58,9 +59,9 @@ Although CNG sounds like a mundane starting point, it illustrates some of the ad The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers cannot offer or cannot offer as effectively: -• **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use. +- **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use. 
-• **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions. +- **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions. These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. 
Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM’s dictionary attack protection automatically. 
@@ -80,12 +81,11 @@ The adoption of new authentication technology requires that identity providers a Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1): -• **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM. +- **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM. -• **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios. 
- -![TPM Capabilities.](images/tpm-capabilities.png) +- **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios. +:::image type="content" alt-text="TPM Capabilities." source="images/tpm-capabilities.png" lightbox="images/tpm-capabilities.png"::: *Figure 1: TPM Cryptographic Key Management* For Windows Hello for Business, Microsoft can fill the role of the identity CA. Microsoft services can issue an attestation identity key certificate for each device, user, and identify provider to ensure that privacy is protected and to help identity providers ensure that device TPM requirements are met before Windows Hello for Business credentials are provisioned. 
@@ -96,9 +96,9 @@ BitLocker provides full-volume encryption to protect data at rest. The most comm In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities: -• **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component’s measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. 
(However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values. +- **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component’s measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. 
Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values. -• **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS). +- **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. 
The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS). Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume’s decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. 
This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience. 
@@ -122,12 +122,11 @@ TPM measurements are designed to avoid recording any privacy-sensitive informati The TPM provides the following way for scenarios to use the measurements recorded in the TPM during boot: -• **Remote Attestation**. Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or*quote*) of the current measurements in the TPM. Windows can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM. Remote attestation is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device. Figure 2 illustrates this process. +- **Remote Attestation**. Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or*quote*) of the current measurements in the TPM. Windows can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM. 
Remote attestation is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device. Figure 2 illustrates this process. When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state. -![Process to Create Evidence of Boot Software and Configuration Using TPM.](images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png) - +:::image type="content" alt-text="Process to Create Evidence of Boot Software and Configuration Using TPM." source="images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png" lightbox="images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png"::: *Figure 2: Process used to create evidence of boot software and configuration using a TPM* @@ -149,17 +148,18 @@ The resulting solution provides defense in depth, because even if malware runs i The TPM adds hardware-based security benefits to Windows. When installed on hardware that includes a TPM, Window delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM’s major features. +
                  |Feature | Benefits when used on a system with a TPM| |---|---| -| Platform Crypto Provider | •     If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
                  •     The TPM’s dictionary attack mechanism protects PIN values to use a certificate. -| Virtual Smart Card | •     Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.| -| Windows Hello for Business | •     Credentials provisioned on a device cannot be copied elsewhere.
                  •     Confirm a device’s TPM before credentials are provisioned. | -| BitLocker Drive Encryption | •     Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware. -|Device Encryption | •     With a Microsoft account and the right hardware, consumers’ devices seamlessly benefit from data-at-rest protection. -| Measured Boot | •     A hardware root of trust contains boot measurements that help detect malware during remote attestation. -| Health Attestation | •     MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365. -| Credential Guard | •     Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization. +| Platform Crypto Provider |
                  • If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
                  • The TPM’s dictionary attack mechanism protects PIN values to use a certificate.
                  | +| Virtual Smart Card |
                  • Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.
                  | +| Windows Hello for Business |
                  • Credentials provisioned on a device cannot be copied elsewhere.
                  • Confirm a device’s TPM before credentials are provisioned.
                  | +| BitLocker Drive Encryption |
                  • Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware.
                  | +|Device Encryption |
                  • With a Microsoft account and the right hardware, consumers’ devices seamlessly benefit from data-at-rest protection.
                  | +| Measured Boot |
                  • A hardware root of trust contains boot measurements that help detect malware during remote attestation.
                  | +| Health Attestation |
                  • MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365.
                  | +| Credential Guard |
                  • Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization.
                  |
                  diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index e401d19506..c5a7d50e68 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -32,7 +32,7 @@ This topic for the IT professional describes the Trusted Platform Module (TPM) a - Generate, store, and limit the use of cryptographic keys. -- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself. +- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into it. - Help ensure platform integrity by taking and storing security measurements. diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md new file mode 100644 index 0000000000..310538cbee --- /dev/null +++ b/windows/security/operating-system.md 
@@ -0,0 +1,44 @@
+---
+title: Windows operating system security
+description: Securing the operating system includes system security, encryption, network security, and threat protection.
+ms.reviewer:
+ms.topic: article
+manager: dansimp
+ms.author: deniseb
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: denisebmsft
+ms.collection: M365-security-compliance
+ms.prod: m365-security
+ms.technology: windows-sec
+ms.date: 09/21/2021
+---
+
+# Windows operating system security
+
+Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats.
+
+Watch the latest [Microsoft Mechanics Windows 11 security](https://youtu.be/tg9QUrnVFho) video that shows off some of the latest Windows 11 security technology.
+
+Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11.

                  +
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows system boots up safely and securely.

                  Learn more [Secure Boot and Trusted Boot](trusted-boot.md). | +Cryptography and certificate management|Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure.

                  Learn more about [Cryptography and certificate management](cryptography-certificate-mgmt.md).

                  | +Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you’re protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.

                  Learn more about the [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md).| +| Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers.

                  Learn more about [Encryption](encryption-data-protection.md). +| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.

                  Learn more about [BitLocker](information-protection/bitlocker/bitlocker-overview.md). | +| Encrypted Hard Drive | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
                  By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.

                  Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).

                  | +| Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

                  Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.

                  Learn more about [security baselines](threat-protection/windows-security-configuration-framework/windows-security-baselines.md). | +| Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

                  Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).

                  | +| Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

                  Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

                  +| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

                  From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (applications that can negatively impact your device even though they are not considered malware).

                  Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which helps ensure near-instant detection and blocking of new and emerging threats.

                  Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| +| Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against these risky behaviors.

                  Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | +| Anti-tampering protection | During cyber attacks (like ransomware attempts), bad actors attempt to disable security features, such as antivirus protection on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

                  With tamper protection, malware is prevented from taking actions such as:
                  - Disabling virus and threat protection
                  - Disabling real-time protection
                  - Turning off behavior monitoring
                  - Disabling antivirus (such as IOfficeAntivirus (IOAV))
                  - Disabling cloud-delivered protection
                  - Removing security intelligence updates

                  Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | +| Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an extra layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

                  In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.

                  Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | +| Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware.

                  Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | +| Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.

                  You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

                  Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | +| Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.

                  Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

                  Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) and [Microsoft 365 Defender](/microsoft-365/security/defender/). |
+
diff --git a/windows/security/security-foundations.md b/windows/security/security-foundations.md
new file mode 100644
index 0000000000..0d118520fc
--- /dev/null
+++ b/windows/security/security-foundations.md
@@ -0,0 +1,33 @@
+---
+title: Windows security foundations
+description: Get an overview of security foundations, including the security development lifecycle, common criteria, and the bug bounty program.
+ms.reviewer:
+ms.topic: article
+manager: dansimp
+ms.author: deniseb
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: denisebmsft
+ms.collection: M365-security-compliance
+ms.prod: m365-security
+ms.technology: windows-sec
+---
+
+# Windows security foundations
+
+Microsoft is committed to continuously invest in improving our software development process, building highly secure-by-design software, and addressing security compliance requirements. At Microsoft, we embed security and privacy considerations from the earliest life-cycle phases of all our software development processes. We build in security from the ground for powerful defense in today’s threat environment.
+
+Our strong security foundation uses Microsoft Security Development Lifecycle (SDL) Bug Bounty, support for product security standards and certifications, and Azure Code signing. As a result, we improve security by producing software with fewer defects and vulnerabilities instead of relying on applying updates after vulnerabilities have been identified.
+
+Use the links in the following table to learn more about the security foundations:

                  +
+| Concept | Description |
+|:---|:---|
+| FIPS 140-2 Validation | The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001.

                  Learn more about [FIPS 140-2 Validation](threat-protection/fips-140-validation.md). | +| Common Criteria Certifications | Microsoft supports the Common Criteria certification program, ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles, and completes Common Criteria certifications of Microsoft Windows products.

                  Learn more about [Common Criteria Certifications](threat-protection/windows-platform-common-criteria.md). | +| Microsoft Security Development Lifecycle | The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. The SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.

                  Learn more about [Microsoft SDL](threat-protection/msft-security-dev-lifecycle.md).| +| Microsoft Bug Bounty Program | If you find a vulnerability in a Microsoft product, service, or device, we want to hear from you! If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions.

                  Learn more about the [Microsoft Bug Bounty Program](https://www.microsoft.com/en-us/msrc/bounty?rtc=1). |
+
+
+
diff --git a/windows/security/threat-protection/TOC.yml b/windows/security/threat-protection/TOC.yml
deleted file mode 100644
index ae12fde723..0000000000
--- a/windows/security/threat-protection/TOC.yml
+++ /dev/null
@@ -1,1410 +0,0 @@
-- name: Threat protection
- href: index.md
- items:
- - name: Next-generation protection with Microsoft Defender Antivirus
- items:
- - name: Microsoft Defender Antivirus overview
- href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10
- - name: Evaluate Microsoft Defender Antivirus
- href: /microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus
- - name: Configure Microsoft Defender Antivirus
- items:
- - name: Configure Microsoft Defender Antivirus features
- href: /microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features
- - name: Use Microsoft cloud-delivered protection
- href: /microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus
- items:
- - name: Prevent security settings changes with tamper protection
- href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
- - name: Enable Block at first sight
- href: /microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus
- - name: Configure the cloud block timeout period
- href: /microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus
- - name: Configure behavioral, heuristic, and real-time protection
- items:
- - name: Configuration overview
- href: /microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus
- - name: Detect and block Potentially Unwanted Applications
- href: /microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus
- - name: Enable and configure always-on protection and monitoring
- href: /microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus
- - name: Antivirus on Windows Server
- href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server
- - name: Antivirus compatibility
- items:
- - name: Compatibility charts
- href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility
- - name: Use limited periodic antivirus scanning
- href: /microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus
- - name: Manage Microsoft Defender Antivirus in your business
- items:
- - name: Management overview
- href: /microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus
- - name: Use Microsoft Intune and Microsoft Endpoint Manager to manage Microsoft Defender Antivirus
- href: /microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus
- - name: Use Group Policy settings to manage Microsoft Defender Antivirus
- href: /microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus
- - name: Use PowerShell cmdlets to manage Microsoft Defender Antivirus
- href: /microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus
- - name: Use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus
- href: /microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus
- - name: Use the mpcmdrun.exe command line tool to manage Microsoft Defender Antivirus
- href: /microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus
- - name: Deploy, manage updates, and report on Microsoft Defender Antivirus
- items:
- - name: Preparing to deploy
- href: /microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus
- - name: Deploy and enable Microsoft Defender Antivirus
- href: /microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus
- - name: Deployment guide for VDI environments
- href: /microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus
- - name: Report on antivirus protection
- - name: Review protection status and alerts
- href: /microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus
- - name: Troubleshoot antivirus reporting in Update Compliance
- href: /microsoft-365/security/defender-endpoint/troubleshoot-reporting
- - name: Learn about the recent updates
- href: /microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus
- - name: Manage protection and security intelligence updates
- href: /microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus
- - name: Manage when protection updates should be downloaded and applied
- href: /microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus
- - name: Manage updates for endpoints that are out of date
- href: /microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus
- - name: Manage event-based forced updates
- href: /microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus
- - name: Manage updates for mobile devices and VMs
- href: /microsoft-365/security/defender-endpoint/manage-updates-mobile-devices-vms-microsoft-defender-antivirus
- - name: Customize, initiate, and review the results of scans and remediation
- items:
- - name: Configuration overview
- href: /microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus
- - name: Configure and validate exclusions in antivirus scans
- href: /microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus
- - name: Configure and validate exclusions based on file name, extension, and folder location
- href: /microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus
- - name: Configure and validate exclusions for files opened by processes
- href: /microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
- - name: Configure antivirus exclusions Windows Server
- href: /microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus
- - name: Common mistakes when defining exclusions
- href: /microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus
- - name: Configure scanning antivirus options
- href: /microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus
- - name: Configure remediation for scans
- href: /microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus
- - name: Configure scheduled scans
- href: /microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus
- - name: Configure and run scans
- href: /microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus
- - name: Review scan results
- href: /microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus
- - name: Run and review the results of an offline scan
- href: /microsoft-365/security/defender-endpoint//microsoft-defender-offline
- - name: Restore quarantined files
- href: /microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus
- - name: Manage scans and remediation
- items:
- - name: Management overview
- href: /microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus
- - name: Configure and validate exclusions in antivirus scans
- - name: Exclusions overview
- href: /microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus
- - name: Configure and validate exclusions based on file name, extension, and folder location
- href: /microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus
- - name: Configure and validate exclusions for files opened by processes
- href: /microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
- - name: Configure antivirus exclusions on Windows Server
- href: /microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus
- - name: Configure scanning options
- href: /microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus
- - name: Configure remediation for scans
- href: /microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus
- items:
- - name: Configure scheduled scans
- href: /microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus
- - name: Configure and run scans
- href: /microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus
- - name: Review scan results
- href: /microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus
- - name: Run and review the results of an offline scan
- href: /microsoft-365/security/defender-endpoint/microsoft-defender-offline
- - name: Restore quarantined files
- href: /microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus
- - name: Troubleshoot Microsoft Defender Antivirus
- items:
- - name: Troubleshoot Microsoft Defender Antivirus issues
- href: /microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
- - name: Troubleshoot Microsoft Defender Antivirus migration issues
- href: /microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating
- - name: "Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint"
- href: /microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus
- - name: "Better together: Microsoft Defender Antivirus and Office 365"
- href: /microsoft-365/security/defender-endpoint/office-365-microsoft-defender-antivirus
- - name: Hardware-based isolation
- items:
- - name: Hardware-based isolation evaluation
- href: microsoft-defender-application-guard/test-scenarios-md-app-guard.md
- - name: Application isolation
- items:
- - name: Application guard overview
- href: microsoft-defender-application-guard/md-app-guard-overview.md
- - name: System requirements
- href: microsoft-defender-application-guard/reqs-md-app-guard.md
- - name: Install Microsoft Defender Application Guard
- href: microsoft-defender-application-guard/install-md-app-guard.md
- - name: Install Microsoft Defender Application Guard Extension
- href: microsoft-defender-application-guard/md-app-guard-browser-extension.md
- - name: Application control
- href: windows-defender-application-control/windows-defender-application-control.md
- items:
- - name: Audit Application control policies
- href: windows-defender-application-control/audit-windows-defender-application-control-policies.md
- - name: System isolation
- href: windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
- - name: System integrity
- href: windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md
- - name: Code integrity
- href: device-guard/enable-virtualization-based-protection-of-code-integrity.md
- - name: Network firewall
- items:
- - name: Network firewall overview
- href: windows-firewall/windows-firewall-with-advanced-security.md
- - name: Network firewall evaluation
- href: windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
- - name: Security intelligence
- href: intelligence/index.md
- items:
- - name: Understand malware & other threats
- href: intelligence/understanding-malware.md
- items:
- - name: Prevent malware infection
- href: intelligence/prevent-malware-infection.md
- - name: Malware names
- href: intelligence/malware-naming.md
- - name: Coin miners
- href: intelligence/coinminer-malware.md
- - name: Exploits and exploit kits
- href: intelligence/exploits-malware.md
- - name: Fileless threats
- href: intelligence/fileless-threats.md
- - name: Macro malware
- href: intelligence/macro-malware.md
- - name: Phishing
- href: intelligence/phishing.md
- - name: Ransomware
- href: /security/compass/human-operated-ransomware
- - name: Rootkits
- href: intelligence/rootkits-malware.md
- - name: Supply chain attacks
- href: intelligence/supply-chain-malware.md
- - name: Tech support scams
- href: intelligence/support-scams.md
- - name: Trojans
- href: intelligence/trojans-malware.md
- - name: Unwanted software
- href: intelligence/unwanted-software.md
- - name: Worms
- href: intelligence/worms-malware.md
- - name: How Microsoft identifies malware and PUA
- href: intelligence/criteria.md
- - name: Submit files for analysis
- href: intelligence/submission-guide.md
- - name: Safety Scanner download
- href: intelligence/safety-scanner-download.md
- - name: Industry collaboration programs
- href: intelligence/cybersecurity-industry-partners.md
- items:
- - name: Virus information alliance
- href: intelligence/virus-information-alliance-criteria.md
- - name: Microsoft virus initiative
- href: intelligence/virus-initiative-criteria.md
- - name: Coordinated malware eradication
- href: intelligence/coordinated-malware-eradication.md
- - name: Information for developers
- items:
- - name: Software developer FAQ
- href: intelligence/developer-faq.yml
- - name: Software developer resources
- href: intelligence/developer-resources.md
- - name: The Windows Security app
- href: windows-defender-security-center/windows-defender-security-center.md
- items:
- - name: Customize the Windows Security app for your organization
- href: windows-defender-security-center/wdsc-customize-contact-information.md
- - name: Hide Windows Security app notifications
- href: windows-defender-security-center/wdsc-hide-notifications.md
- - name: Manage Windows Security app in Windows 10 in S mode
- href: windows-defender-security-center/wdsc-windows-10-in-s-mode.md
- - name: Virus and threat protection
- href: windows-defender-security-center/wdsc-virus-threat-protection.md
- - name: Account protection
- href: windows-defender-security-center/wdsc-account-protection.md
- - name: Firewall and network protection
- href: windows-defender-security-center/wdsc-firewall-network-protection.md
- - name: App and browser control
- href: windows-defender-security-center/wdsc-app-browser-control.md
- - name: Device security
- href: windows-defender-security-center/wdsc-device-security.md
- - name: Device performance and health
- href: windows-defender-security-center/wdsc-device-performance-health.md
- items:
- - name: Family options
- href: windows-defender-security-center/wdsc-family-options.md
- - name: Microsoft Defender SmartScreen
- href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
- items:
- - name: Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings
- href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
- - name: Set up and use Microsoft Defender SmartScreen on individual devices
- href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
- - name: Windows Sandbox
- href: windows-sandbox/windows-sandbox-overview.md
- items:
- - name: Windows Sandbox architecture
- href: windows-sandbox/windows-sandbox-architecture.md
- - name: Windows Sandbox configuration
- href: windows-sandbox/windows-sandbox-configure-using-wsb-file.md
- - name: "Windows Defender Application Control and virtualization-based protection of code integrity"
- href: device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- - name: Windows Certifications
- items:
- - name: FIPS 140 Validations
- href: fips-140-validation.md
- - name: Common Criteria Certifications
- href: windows-platform-common-criteria.md
- - name: More Windows 10 security
- items:
- - name: Control the health of Windows 10-based devices
- href: protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
- - name: Mitigate threats by using Windows 10 security features
- href: overview-of-threat-mitigations-in-windows-10.md
- - name: Override Process Mitigation Options to help enforce app-related security policies
- href: override-mitigation-options-for-app-related-security-policies.md
- - name: Use Windows Event Forwarding to help with intrusion detection
- href: use-windows-event-forwarding-to-assist-in-intrusion-detection.md
- - name: Block untrusted fonts in an enterprise
- href: block-untrusted-fonts-in-enterprise.md
- - name: Security auditing
- href: auditing/security-auditing-overview.md
- items:
- - name: Basic security audit policies
- href: auditing/basic-security-audit-policies.md
- items:
- - name: Create a basic audit policy for an event category
- href: auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
- - name: Apply a basic audit policy on a file or folder
- href: auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
- - name: View the security event log
- href: auditing/view-the-security-event-log.md
- - name: Basic security audit policy settings
- href: auditing/basic-security-audit-policy-settings.md
- items:
- - name: Audit account logon events
- href: auditing/basic-audit-account-logon-events.md
- - name: Audit account management
- href: auditing/basic-audit-account-management.md
- - name: Audit directory service access
- href: auditing/basic-audit-directory-service-access.md
- - name: Audit logon events
- href: auditing/basic-audit-logon-events.md
- - name: Audit object access
- href: auditing/basic-audit-object-access.md
- - name: Audit policy change
- href: auditing/basic-audit-policy-change.md
- - name: Audit privilege use
- href: auditing/basic-audit-privilege-use.md
- - name: Audit process tracking
- href: auditing/basic-audit-process-tracking.md
- - name: Audit system events
- href: auditing/basic-audit-system-events.md
- - name: Advanced security audit policies
- href: auditing/advanced-security-auditing.md
- items:
- - name: Planning and deploying advanced security audit policies
- href: auditing/planning-and-deploying-advanced-security-audit-policies.md
- - name: Advanced security auditing FAQ
- href: auditing/advanced-security-auditing-faq.yml
- items:
- - name: Which editions of Windows support advanced audit policy configuration
- href: auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
- - name: How to list XML elements in \
- href: auditing/how-to-list-xml-elements-in-eventdata.md
- - name: Using advanced security auditing options to monitor dynamic access control objects
- href: auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
- items:
- - name: Monitor the central access policies that apply on a file server
- href: auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
- - name: Monitor the use of removable storage devices
- href: auditing/monitor-the-use-of-removable-storage-devices.md
- - name: Monitor resource attribute definitions
- href: auditing/monitor-resource-attribute-definitions.md
- - name: Monitor central access policy and rule definitions
- href: auditing/monitor-central-access-policy-and-rule-definitions.md
- - name: Monitor user and device claims during sign-in
- href: auditing/monitor-user-and-device-claims-during-sign-in.md
- - name: Monitor the resource attributes on files and folders
- href: auditing/monitor-the-resource-attributes-on-files-and-folders.md
- - name: Monitor the central access policies associated with files and folders
- href: auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
- - name: Monitor claim types
- href: auditing/monitor-claim-types.md
- - name: Advanced security audit policy settings
- href: auditing/advanced-security-audit-policy-settings.md
- items:
- - name: Audit Credential Validation
- href: auditing/audit-credential-validation.md
- - name: "Event 4774 S, F: An account was mapped for logon."
- href: auditing/event-4774.md
- - name: "Event 4775 F: An account could not be mapped for logon."
- href: auditing/event-4775.md
- - name: "Event 4776 S, F: The computer attempted to validate the credentials for an account."
- href: auditing/event-4776.md
- - name: "Event 4777 F: The domain controller failed to validate the credentials for an account."
- href: auditing/event-4777.md
- - name: Audit Kerberos Authentication Service
- href: auditing/audit-kerberos-authentication-service.md
- items:
- - name: "Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested."
- href: auditing/event-4768.md
- - name: "Event 4771 F: Kerberos pre-authentication failed."
- href: auditing/event-4771.md
- - name: "Event 4772 F: A Kerberos authentication ticket request failed."
- href: auditing/event-4772.md
- - name: Audit Kerberos Service Ticket Operations
- href: auditing/audit-kerberos-service-ticket-operations.md
- items:
- - name: "Event 4769 S, F: A Kerberos service ticket was requested."
- href: auditing/event-4769.md
- - name: "Event 4770 S: A Kerberos service ticket was renewed."
- href: auditing/event-4770.md
- - name: "Event 4773 F: A Kerberos service ticket request failed."
- href: auditing/event-4773.md
- - name: Audit Other Account Logon Events
- href: auditing/audit-other-account-logon-events.md
- - name: Audit Application Group Management
- href: auditing/audit-application-group-management.md
- - name: Audit Computer Account Management
- href: auditing/audit-computer-account-management.md
- items:
- - name: "Event 4741 S: A computer account was created."
- href: auditing/event-4741.md
- - name: "Event 4742 S: A computer account was changed."
- href: auditing/event-4742.md
- - name: "Event 4743 S: A computer account was deleted."
- href: auditing/event-4743.md
- - name: Audit Distribution Group Management
- href: auditing/audit-distribution-group-management.md
- items:
- - name: "Event 4749 S: A security-disabled global group was created."
- href: auditing/event-4749.md
- - name: "Event 4750 S: A security-disabled global group was changed."
- href: auditing/event-4750.md
- - name: "Event 4751 S: A member was added to a security-disabled global group."
- href: auditing/event-4751.md
- - name: "Event 4752 S: A member was removed from a security-disabled global group."
- href: auditing/event-4752.md
- - name: "Event 4753 S: A security-disabled global group was deleted."
- href: auditing/event-4753.md
- - name: Audit Other Account Management Events
- href: auditing/audit-other-account-management-events.md
- items:
- - name: "Event 4782 S: The password hash of an account was accessed."
- href: auditing/event-4782.md
- - name: "Event 4793 S: The Password Policy Checking API was called."
- href: auditing/event-4793.md
- - name: Audit Security Group Management
- href: auditing/audit-security-group-management.md
- items:
- - name: "Event 4731 S: A security-enabled local group was created."
- href: auditing/event-4731.md
- - name: "Event 4732 S: A member was added to a security-enabled local group."
- href: auditing/event-4732.md
- - name: "Event 4733 S: A member was removed from a security-enabled local group."
- href: auditing/event-4733.md
- - name: "Event 4734 S: A security-enabled local group was deleted."
- href: auditing/event-4734.md
- - name: "Event 4735 S: A security-enabled local group was changed."
- href: auditing/event-4735.md
- - name: "Event 4764 S: A group�s type was changed."
- href: auditing/event-4764.md
- - name: "Event 4799 S: A security-enabled local group membership was enumerated."
- href: auditing/event-4799.md
- - name: Audit User Account Management
- href: auditing/audit-user-account-management.md
- items:
- - name: "Event 4720 S: A user account was created."
- href: auditing/event-4720.md
- - name: "Event 4722 S: A user account was enabled."
- href: auditing/event-4722.md
- - name: "Event 4723 S, F: An attempt was made to change an account's password."
- href: auditing/event-4723.md
- - name: "Event 4724 S, F: An attempt was made to reset an account's password."
- href: auditing/event-4724.md
- - name: "Event 4725 S: A user account was disabled."
- href: auditing/event-4725.md
- - name: "Event 4726 S: A user account was deleted."
- href: auditing/event-4726.md
- - name: "Event 4738 S: A user account was changed."
- href: auditing/event-4738.md
- - name: "Event 4740 S: A user account was locked out."
- href: auditing/event-4740.md
- - name: "Event 4765 S: SID History was added to an account."
- href: auditing/event-4765.md
- - name: "Event 4766 F: An attempt to add SID History to an account failed."
- href: auditing/event-4766.md
- - name: "Event 4767 S: A user account was unlocked."
- href: auditing/event-4767.md
- - name: "Event 4780 S: The ACL was set on accounts that are members of administrators groups."
- href: auditing/event-4780.md
- - name: "Event 4781 S: The name of an account was changed."
- href: auditing/event-4781.md
- - name: "Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password."
- href: auditing/event-4794.md
- - name: "Event 4798 S: A user's local group membership was enumerated."
- href: auditing/event-4798.md
- - name: "Event 5376 S: Credential Manager credentials were backed up."
- href: auditing/event-5376.md
- - name: "Event 5377 S: Credential Manager credentials were restored from a backup."
- href: auditing/event-5377.md
- - name: Audit DPAPI Activity
- href: auditing/audit-dpapi-activity.md
- items:
- - name: "Event 4692 S, F: Backup of data protection master key was attempted."
- href: auditing/event-4692.md
- - name: "Event 4693 S, F: Recovery of data protection master key was attempted."
- href: auditing/event-4693.md
- - name: "Event 4694 S, F: Protection of auditable protected data was attempted."
- href: auditing/event-4694.md
- - name: "Event 4695 S, F: Unprotection of auditable protected data was attempted."
- href: auditing/event-4695.md
- - name: Audit PNP Activity
- href: auditing/audit-pnp-activity.md
- items:
- - name: "Event 6416 S: A new external device was recognized by the System."
- href: auditing/event-6416.md
- - name: "Event 6419 S: A request was made to disable a device."
- href: auditing/event-6419.md
- - name: "Event 6420 S: A device was disabled."
- href: auditing/event-6420.md
- - name: "Event 6421 S: A request was made to enable a device."
- href: auditing/event-6421.md
- - name: "Event 6422 S: A device was enabled."
- href: auditing/event-6422.md
- - name: "Event 6423 S: The installation of this device is forbidden by system policy."
- href: auditing/event-6423.md
- - name: "Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy."
- href: auditing/event-6424.md
- - name: Audit Process Creation
- href: auditing/audit-process-creation.md
- items:
- - name: "Event 4688 S: A new process has been created."
- href: auditing/event-4688.md
- - name: "Event 4696 S: A primary token was assigned to process."
- href: auditing/event-4696.md
- - name: Audit Process Termination
- href: auditing/audit-process-termination.md
- items:
- - name: "Event 4689 S: A process has exited."
- href: auditing/event-4689.md
- - name: Audit RPC Events
- href: auditing/audit-rpc-events.md
- items:
- - name: "Event 5712 S: A Remote Procedure Call, RPC, was attempted."
- href: auditing/event-5712.md
- - name: Audit Token Right Adjusted
- href: auditing/audit-token-right-adjusted.md
- items:
- - name: "Event 4703 S: A user right was adjusted."
- href: auditing/event-4703.md
- - name: Audit Detailed Directory Service Replication
- href: auditing/audit-detailed-directory-service-replication.md
- items:
- - name: "Event 4928 S, F: An Active Directory replica source naming context was established."
- href: auditing/event-4928.md
- - name: "Event 4929 S, F: An Active Directory replica source naming context was removed."
- href: auditing/event-4929.md
- - name: "Event 4930 S, F: An Active Directory replica source naming context was modified."
- href: auditing/event-4930.md
- - name: "Event 4931 S, F: An Active Directory replica destination naming context was modified."
- href: auditing/event-4931.md
- - name: "Event 4934 S: Attributes of an Active Directory object were replicated."
- href: auditing/event-4934.md
- - name: "Event 4935 F: Replication failure begins."
- href: auditing/event-4935.md
- - name: "Event 4936 S: Replication failure ends."
- href: auditing/event-4936.md
- - name: "Event 4937 S: A lingering object was removed from a replica."
- href: auditing/event-4937.md
- - name: Audit Directory Service Access
- href: auditing/audit-directory-service-access.md
- items:
- - name: "Event 4662 S, F: An operation was performed on an object."
- href: auditing/event-4662.md
- - name: "Event 4661 S, F: A handle to an object was requested."
- href: auditing/event-4661.md
- - name: Audit Directory Service Changes
- href: auditing/audit-directory-service-changes.md
- items:
- - name: "Event 5136 S: A directory service object was modified."
- href: auditing/event-5136.md
- - name: "Event 5137 S: A directory service object was created."
- href: auditing/event-5137.md
- - name: "Event 5138 S: A directory service object was undeleted."
- href: auditing/event-5138.md
- - name: "Event 5139 S: A directory service object was moved."
- href: auditing/event-5139.md
- - name: "Event 5141 S: A directory service object was deleted."
- href: auditing/event-5141.md
- - name: Audit Directory Service Replication
- href: auditing/audit-directory-service-replication.md
- items:
- - name: "Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun."
- href: auditing/event-4932.md
- - name: "Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended."
- href: auditing/event-4933.md
- - name: Audit Account Lockout
- href: auditing/audit-account-lockout.md
- items:
- - name: "Event 4625 F: An account failed to log on."
- href: auditing/event-4625.md
- - name: Audit User/Device Claims
- href: auditing/audit-user-device-claims.md
- items:
- - name: "Event 4626 S: User/Device claims information."
- href: auditing/event-4626.md
- - name: Audit Group Membership
- href: auditing/audit-group-membership.md
- items:
- - name: "Event 4627 S: Group membership information."
- href: auditing/event-4627.md
- - name: Audit IPsec Extended Mode
- href: auditing/audit-ipsec-extended-mode.md
- - name: Audit IPsec Main Mode
- href: auditing/audit-ipsec-main-mode.md
- - name: Audit IPsec Quick Mode
- href: auditing/audit-ipsec-quick-mode.md
- - name: Audit Logoff
- href: auditing/audit-logoff.md
- items:
- - name: "Event 4634 S: An account was logged off."
- href: auditing/event-4634.md
- - name: "Event 4647 S: User initiated logoff."
- href: auditing/event-4647.md
- - name: Audit Logon
- href: auditing/audit-logon.md
- items:
- - name: "Event 4624 S: An account was successfully logged on."
- href: auditing/event-4624.md
- - name: "Event 4625 F: An account failed to log on."
- href: auditing/event-4625.md
- - name: "Event 4648 S: A logon was attempted using explicit credentials."
- href: auditing/event-4648.md
- - name: "Event 4675 S: SIDs were filtered."
- href: auditing/event-4675.md
- - name: Audit Network Policy Server
- href: auditing/audit-network-policy-server.md
- - name: Audit Other Logon/Logoff Events
- href: auditing/audit-other-logonlogoff-events.md
- items:
- - name: "Event 4649 S: A replay attack was detected."
- href: auditing/event-4649.md
- - name: "Event 4778 S: A session was reconnected to a Window Station."
- href: auditing/event-4778.md
- - name: "Event 4779 S: A session was disconnected from a Window Station."
- href: auditing/event-4779.md
- - name: "Event 4800 S: The workstation was locked."
- href: auditing/event-4800.md
- - name: "Event 4801 S: The workstation was unlocked."
- href: auditing/event-4801.md
- - name: "Event 4802 S: The screen saver was invoked."
- href: auditing/event-4802.md
- - name: "Event 4803 S: The screen saver was dismissed."
- href: auditing/event-4803.md
- - name: "Event 5378 F: The requested credentials delegation was disallowed by policy."
- href: auditing/event-5378.md
- - name: "Event 5632 S, F: A request was made to authenticate to a wireless network."
- href: auditing/event-5632.md
- - name: "Event 5633 S, F: A request was made to authenticate to a wired network."
- href: auditing/event-5633.md
- - name: Audit Special Logon
- href: auditing/audit-special-logon.md
- items:
- - name: "Event 4964 S: Special groups have been assigned to a new logon."
- href: auditing/event-4964.md
- - name: "Event 4672 S: Special privileges assigned to new logon."
- href: auditing/event-4672.md
- - name: Audit Application Generated
- href: auditing/audit-application-generated.md
- - name: Audit Certification Services
- href: auditing/audit-certification-services.md
- - name: Audit Detailed File Share
- href: auditing/audit-detailed-file-share.md
- items:
- - name: "Event 5145 S, F: A network share object was checked to see whether client can be granted desired access."
- href: auditing/event-5145.md
- - name: Audit File Share
- href: auditing/audit-file-share.md
- items:
- - name: "Event 5140 S, F: A network share object was accessed."
- href: auditing/event-5140.md
- - name: "Event 5142 S: A network share object was added."
- href: auditing/event-5142.md
- - name: "Event 5143 S: A network share object was modified."
- href: auditing/event-5143.md
- - name: "Event 5144 S: A network share object was deleted."
- href: auditing/event-5144.md
- - name: "Event 5168 F: SPN check for SMB/SMB2 failed."
- href: auditing/event-5168.md
- - name: Audit File System
- href: auditing/audit-file-system.md
- items:
- - name: "Event 4656 S, F: A handle to an object was requested."
- href: auditing/event-4656.md
- - name: "Event 4658 S: The handle to an object was closed."
- href: auditing/event-4658.md
- - name: "Event 4660 S: An object was deleted."
- href: auditing/event-4660.md
- - name: "Event 4663 S: An attempt was made to access an object."
- href: auditing/event-4663.md
- - name: "Event 4664 S: An attempt was made to create a hard link."
- href: auditing/event-4664.md
- - name: "Event 4985 S: The state of a transaction has changed."
- href: auditing/event-4985.md
- - name: "Event 5051: A file was virtualized."
- href: auditing/event-5051.md
- - name: "Event 4670 S: Permissions on an object were changed."
- href: auditing/event-4670.md
- - name: Audit Filtering Platform Connection
- href: auditing/audit-filtering-platform-connection.md
- items:
- - name: "Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network."
- href: auditing/event-5031.md
- - name: "Event 5150: The Windows Filtering Platform blocked a packet."
- href: auditing/event-5150.md
- - name: "Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet."
- href: auditing/event-5151.md
- - name: "Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections."
- href: auditing/event-5154.md
- - name: "Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections."
- href: auditing/event-5155.md
- - name: "Event 5156 S: The Windows Filtering Platform has permitted a connection."
- href: auditing/event-5156.md
- - name: "Event 5157 F: The Windows Filtering Platform has blocked a connection."
- href: auditing/event-5157.md
- - name: "Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port."
- href: auditing/event-5158.md
- - name: "Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port."
- href: auditing/event-5159.md
- - name: Audit Filtering Platform Packet Drop
- href: auditing/audit-filtering-platform-packet-drop.md
- items:
- - name: "Event 5152 F: The Windows Filtering Platform blocked a packet."
- href: auditing/event-5152.md
- - name: "Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet."
- href: auditing/event-5153.md
- - name: Audit Handle Manipulation
- href: auditing/audit-handle-manipulation.md
- items:
- - name: "Event 4690 S: An attempt was made to duplicate a handle to an object."
- href: auditing/event-4690.md
- - name: Audit Kernel Object
- href: auditing/audit-kernel-object.md
- items:
- - name: "Event 4656 S, F: A handle to an object was requested."
- href: auditing/event-4656.md
- - name: "Event 4658 S: The handle to an object was closed."
- href: auditing/event-4658.md
- - name: "Event 4660 S: An object was deleted."
- href: auditing/event-4660.md
- - name: "Event 4663 S: An attempt was made to access an object."
- href: auditing/event-4663.md
- - name: Audit Other Object Access Events
- href: auditing/audit-other-object-access-events.md
- items:
- - name: "Event 4671: An application attempted to access a blocked ordinal through the TBS."
- href: auditing/event-4671.md
- - name: "Event 4691 S: Indirect access to an object was requested."
- href: auditing/event-4691.md
- - name: "Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded."
- href: auditing/event-5148.md
- - name: "Event 5149 F: The DoS attack has subsided and normal processing is being resumed."
- href: auditing/event-5149.md
- - name: "Event 4698 S: A scheduled task was created."
- href: auditing/event-4698.md
- - name: "Event 4699 S: A scheduled task was deleted."
- href: auditing/event-4699.md
- - name: "Event 4700 S: A scheduled task was enabled."
- href: auditing/event-4700.md
- - name: "Event 4701 S: A scheduled task was disabled."
- href: auditing/event-4701.md
- - name: "Event 4702 S: A scheduled task was updated."
- href: auditing/event-4702.md
- - name: "Event 5888 S: An object in the COM+ Catalog was modified."
- href: auditing/event-5888.md
- - name: "Event 5889 S: An object was deleted from the COM+ Catalog."
- href: auditing/event-5889.md
- - name: "Event 5890 S: An object was added to the COM+ Catalog."
- href: auditing/event-5890.md
- - name: Audit Registry
- href: auditing/audit-registry.md
- items:
- - name: "Event 4663 S: An attempt was made to access an object."
- href: auditing/event-4663.md
- - name: "Event 4656 S, F: A handle to an object was requested."
- href: auditing/event-4656.md
- - name: "Event 4658 S: The handle to an object was closed."
- href: auditing/event-4658.md
- - name: "Event 4660 S: An object was deleted."
- href: auditing/event-4660.md
- - name: "Event 4657 S: A registry value was modified."
- href: auditing/event-4657.md
- - name: "Event 5039: A registry key was virtualized."
- href: auditing/event-5039.md
- - name: "Event 4670 S: Permissions on an object were changed."
- href: auditing/event-4670.md
- - name: Audit Removable Storage
- href: auditing/audit-removable-storage.md
- - name: Audit SAM
- href: auditing/audit-sam.md
- items:
- - name: "Event 4661 S, F: A handle to an object was requested."
- href: auditing/event-4661.md
- - name: Audit Central Access Policy Staging
- href: auditing/audit-central-access-policy-staging.md
- items:
- - name: "Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy."
- href: auditing/event-4818.md
- - name: Audit Audit Policy Change
- href: auditing/audit-audit-policy-change.md
- items:
- - name: "Event 4670 S: Permissions on an object were changed."
- href: auditing/event-4670.md
- - name: "Event 4715 S: The audit policy, SACL, on an object was changed."
- href: auditing/event-4715.md
- - name: "Event 4719 S: System audit policy was changed."
- href: auditing/event-4719.md
- - name: "Event 4817 S: Auditing settings on object were changed."
- href: auditing/event-4817.md
- - name: "Event 4902 S: The Per-user audit policy table was created."
- href: auditing/event-4902.md
- - name: "Event 4906 S: The CrashOnAuditFail value has changed."
- href: auditing/event-4906.md
- - name: "Event 4907 S: Auditing settings on object were changed."
- href: auditing/event-4907.md
- - name: "Event 4908 S: Special Groups Logon table modified."
- href: auditing/event-4908.md
- - name: "Event 4912 S: Per User Audit Policy was changed."
- href: auditing/event-4912.md
- - name: "Event 4904 S: An attempt was made to register a security event source."
- href: auditing/event-4904.md
- - name: "Event 4905 S: An attempt was made to unregister a security event source."
- href: auditing/event-4905.md
- - name: Audit Authentication Policy Change
- href: auditing/audit-authentication-policy-change.md
- items:
- - name: "Event 4706 S: A new trust was created to a domain."
- href: auditing/event-4706.md
- - name: "Event 4707 S: A trust to a domain was removed."
- href: auditing/event-4707.md
- - name: "Event 4716 S: Trusted domain information was modified."
- href: auditing/event-4716.md
- - name: "Event 4713 S: Kerberos policy was changed."
- href: auditing/event-4713.md
- - name: "Event 4717 S: System security access was granted to an account."
- href: auditing/event-4717.md
- - name: "Event 4718 S: System security access was removed from an account."
- href: auditing/event-4718.md
- - name: "Event 4739 S: Domain Policy was changed."
- href: auditing/event-4739.md
- - name: "Event 4864 S: A namespace collision was detected."
- href: auditing/event-4864.md
- - name: "Event 4865 S: A trusted forest information entry was added."
- href: auditing/event-4865.md
- - name: "Event 4866 S: A trusted forest information entry was removed."
- href: auditing/event-4866.md
- - name: "Event 4867 S: A trusted forest information entry was modified."
- href: auditing/event-4867.md
- - name: Audit Authorization Policy Change
- href: auditing/audit-authorization-policy-change.md
- items:
- - name: "Event 4703 S: A user right was adjusted."
- href: auditing/event-4703.md
- - name: "Event 4704 S: A user right was assigned."
- href: auditing/event-4704.md
- - name: "Event 4705 S: A user right was removed."
- href: auditing/event-4705.md
- - name: "Event 4670 S: Permissions on an object were changed."
- href: auditing/event-4670.md
- - name: "Event 4911 S: Resource attributes of the object were changed."
- href: auditing/event-4911.md
- - name: "Event 4913 S: Central Access Policy on the object was changed."
- href: auditing/event-4913.md
- - name: Audit Filtering Platform Policy Change
- href: auditing/audit-filtering-platform-policy-change.md
- - name: Audit MPSSVC Rule-Level Policy Change
- href: auditing/audit-mpssvc-rule-level-policy-change.md
- items:
- - name: "Event 4944 S: The following policy was active when the Windows Firewall started."
- href: auditing/event-4944.md
- - name: "Event 4945 S: A rule was listed when the Windows Firewall started."
- href: auditing/event-4945.md
- - name: "Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added."
- href: auditing/event-4946.md
- - name: "Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified."
- href: auditing/event-4947.md
- - name: "Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted."
- href: auditing/event-4948.md
- - name: "Event 4949 S: Windows Firewall settings were restored to the default values."
- href: auditing/event-4949.md
- - name: "Event 4950 S: A Windows Firewall setting has changed."
- href: auditing/event-4950.md
- - name: "Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall."
- href: auditing/event-4951.md
- - name: "Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced."
- href: auditing/event-4952.md
- - name: "Event 4953 F: Windows Firewall ignored a rule because it could not be parsed."
- href: auditing/event-4953.md
- - name: "Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied."
- href: auditing/event-4954.md
- - name: "Event 4956 S: Windows Firewall has changed the active profile."
- href: auditing/event-4956.md
- - name: "Event 4957 F: Windows Firewall did not apply the following rule."
- href: auditing/event-4957.md
- - name: "Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer."
- href: auditing/event-4958.md
- - name: Audit Other Policy Change Events
- href: auditing/audit-other-policy-change-events.md
- items:
- - name: "Event 4714 S: Encrypted data recovery policy was changed."
- href: auditing/event-4714.md
- - name: "Event 4819 S: Central Access Policies on the machine have been changed."
- href: auditing/event-4819.md
- - name: "Event 4826 S: Boot Configuration Data loaded."
- href: auditing/event-4826.md
- - name: "Event 4909: The local policy settings for the TBS were changed."
- href: auditing/event-4909.md
- - name: "Event 4910: The group policy settings for the TBS were changed."
- href: auditing/event-4910.md
- - name: "Event 5063 S, F: A cryptographic provider operation was attempted."
- href: auditing/event-5063.md
- - name: "Event 5064 S, F: A cryptographic context operation was attempted."
- href: auditing/event-5064.md
- - name: "Event 5065 S, F: A cryptographic context modification was attempted."
- href: auditing/event-5065.md
- - name: "Event 5066 S, F: A cryptographic function operation was attempted."
- href: auditing/event-5066.md
- - name: "Event 5067 S, F: A cryptographic function modification was attempted."
- href: auditing/event-5067.md
- - name: "Event 5068 S, F: A cryptographic function provider operation was attempted."
- href: auditing/event-5068.md
- - name: "Event 5069 S, F: A cryptographic function property operation was attempted."
- href: auditing/event-5069.md
- - name: "Event 5070 S, F: A cryptographic function property modification was attempted."
- href: auditing/event-5070.md
- - name: "Event 5447 S: A Windows Filtering Platform filter has been changed."
- href: auditing/event-5447.md
- - name: "Event 6144 S: Security policy in the group policy objects has been applied successfully."
- href: auditing/event-6144.md
- - name: "Event 6145 F: One or more errors occurred while processing security policy in the group policy objects."
- href: auditing/event-6145.md
- - name: Audit Sensitive Privilege Use
- href: auditing/audit-sensitive-privilege-use.md
- items:
- - name: "Event 4673 S, F: A privileged service was called."
- href: auditing/event-4673.md
- - name: "Event 4674 S, F: An operation was attempted on a privileged object."
- href: auditing/event-4674.md
- - name: "Event 4985 S: The state of a transaction has changed."
- href: auditing/event-4985.md
- - name: Audit Non Sensitive Privilege Use
- href: auditing/audit-non-sensitive-privilege-use.md
- items:
- - name: "Event 4673 S, F: A privileged service was called."
- href: auditing/event-4673.md
- - name: "Event 4674 S, F: An operation was attempted on a privileged object."
- href: auditing/event-4674.md
- - name: "Event 4985 S: The state of a transaction has changed."
- href: auditing/event-4985.md
- - name: Audit Other Privilege Use Events
- href: auditing/audit-other-privilege-use-events.md
- items:
- - name: "Event 4985 S: The state of a transaction has changed."
- href: auditing/event-4985.md
- - name: Audit IPsec Driver
- href: auditing/audit-ipsec-driver.md
- - name: Audit Other System Events
- href: auditing/audit-other-system-events.md
- items:
- - name: "Event 5024 S: The Windows Firewall Service has started successfully."
- href: auditing/event-5024.md
- - name: "Event 5025 S: The Windows Firewall Service has been stopped."
- href: auditing/event-5025.md
- - name: "Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy."
- href: auditing/event-5027.md
- - name: "Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy."
- href: auditing/event-5028.md
- - name: "Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy."
- href: auditing/event-5029.md
- - name: "Event 5030 F: The Windows Firewall Service failed to start."
- href: auditing/event-5030.md
- - name: "Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network."
- href: auditing/event-5032.md
- - name: "Event 5033 S: The Windows Firewall Driver has started successfully."
- href: auditing/event-5033.md
- - name: "Event 5034 S: The Windows Firewall Driver was stopped."
- href: auditing/event-5034.md
- - name: "Event 5035 F: The Windows Firewall Driver failed to start."
- href: auditing/event-5035.md
- - name: "Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating."
- href: auditing/event-5037.md
- - name: "Event 5058 S, F: Key file operation."
- href: auditing/event-5058.md
- - name: "Event 5059 S, F: Key migration operation."
- href: auditing/event-5059.md
- - name: "Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content."
- href: auditing/event-6400.md
- - name: "Event 6401: BranchCache: Received invalid data from a peer. Data discarded."
- href: auditing/event-6401.md
- - name: "Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted."
- href: auditing/event-6402.md
- - name: "Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client."
- href: auditing/event-6403.md
- - name: "Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate."
- href: auditing/event-6404.md
- - name: "Event 6405: BranchCache: %2 instances of event id %1 occurred."
- href: auditing/event-6405.md
- - name: "Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2."
- href: auditing/event-6406.md
- - name: "Event 6407: 1%."
- href: auditing/event-6407.md
- - name: "Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2."
- href: auditing/event-6408.md
- - name: "Event 6409: BranchCache: A service connection point object could not be parsed."
- href: auditing/event-6409.md
- - name: Audit Security State Change
- href: auditing/audit-security-state-change.md
- items:
- - name: "Event 4608 S: Windows is starting up."
- href: auditing/event-4608.md
- - name: "Event 4616 S: The system time was changed."
- href: auditing/event-4616.md
- - name: "Event 4621 S: Administrator recovered system from CrashOnAuditFail."
- href: auditing/event-4621.md
- - name: Audit Security System Extension
- href: auditing/audit-security-system-extension.md
- items:
- - name: "Event 4610 S: An authentication package has been loaded by the Local Security Authority."
- href: auditing/event-4610.md
- - name: "Event 4611 S: A trusted logon process has been registered with the Local Security Authority."
- href: auditing/event-4611.md
- - name: "Event 4614 S: A notification package has been loaded by the Security Account Manager."
- href: auditing/event-4614.md
- - name: "Event 4622 S: A security package has been loaded by the Local Security Authority."
- href: auditing/event-4622.md
- - name: "Event 4697 S: A service was installed in the system."
- href: auditing/event-4697.md
- - name: Audit System Integrity
- href: auditing/audit-system-integrity.md
- items:
- - name: "Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits."
- href: auditing/event-4612.md
- - name: "Event 4615 S: Invalid use of LPC port."
- href: auditing/event-4615.md
- - name: "Event 4618 S: A monitored security event pattern has occurred."
- href: auditing/event-4618.md
- - name: "Event 4816 S: RPC detected an integrity violation while decrypting an incoming message."
- href: auditing/event-4816.md
- - name: "Event 5038 F: Code integrity determined that the image hash of a file is not valid."
- href: auditing/event-5038.md
- - name: "Event 5056 S: A cryptographic self-test was performed."
- href: auditing/event-5056.md
- - name: "Event 5062 S: A kernel-mode cryptographic self-test was performed."
- href: auditing/event-5062.md
- - name: "Event 5057 F: A cryptographic primitive operation failed."
- href: auditing/event-5057.md
- - name: "Event 5060 F: Verification operation failed."
- href: auditing/event-5060.md
- - name: "Event 5061 S, F: Cryptographic operation."
- href: auditing/event-5061.md
- - name: "Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid."
- href: auditing/event-6281.md
- - name: "Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process."
- href: auditing/event-6410.md
- - name: Other Events
- href: auditing/other-events.md
- items:
- - name: "Event 1100 S: The event logging service has shut down."
- href: auditing/event-1100.md
- - name: "Event 1102 S: The audit log was cleared."
- href: auditing/event-1102.md
- - name: "Event 1104 S: The security log is now full."
- href: auditing/event-1104.md
- - name: "Event 1105 S: Event log automatic backup."
- href: auditing/event-1105.md
- - name: "Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1."
- href: auditing/event-1108.md
- - name: "Appendix A: Security monitoring recommendations for many audit events"
- href: auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
- - name: Registry (Global Object Access Auditing)
- href: auditing/registry-global-object-access-auditing.md
- - name: File System (Global Object Access Auditing)
- href: auditing/file-system-global-object-access-auditing.md
- - name: Security policy settings
- href: security-policy-settings/security-policy-settings.md
- items:
- - name: Administer security policy settings
- href: security-policy-settings/administer-security-policy-settings.md
- items:
- - name: Network List Manager policies
- href: security-policy-settings/network-list-manager-policies.md
- - name: Configure security policy settings
- href: security-policy-settings/how-to-configure-security-policy-settings.md
- - name: Security policy settings reference
- href: security-policy-settings/security-policy-settings-reference.md
- items:
- - name: Account Policies
- href: security-policy-settings/account-policies.md
- items:
- - name: Password Policy
- href: security-policy-settings/password-policy.md
- items:
- - name: Enforce password history
- href: security-policy-settings/enforce-password-history.md
- - name: Maximum password age
- href: security-policy-settings/maximum-password-age.md
- - name: Minimum password age
- href: security-policy-settings/minimum-password-age.md
- - name: Minimum password length
- href: security-policy-settings/minimum-password-length.md
- - name: Password must meet complexity requirements
- href: security-policy-settings/password-must-meet-complexity-requirements.md
- - name: Store passwords using reversible encryption
- href: security-policy-settings/store-passwords-using-reversible-encryption.md
- - name: Account Lockout Policy
- href: security-policy-settings/account-lockout-policy.md
- items:
- - name: Account lockout duration
- href: security-policy-settings/account-lockout-duration.md
- - name: Account lockout threshold
- href: security-policy-settings/account-lockout-threshold.md
- - name: Reset account lockout counter after
- href: security-policy-settings/reset-account-lockout-counter-after.md
- - name: Kerberos Policy
- href: security-policy-settings/kerberos-policy.md
- items:
- - name: Enforce user logon restrictions
- href: security-policy-settings/enforce-user-logon-restrictions.md
- - name: Maximum lifetime for service ticket
- href: security-policy-settings/maximum-lifetime-for-service-ticket.md
- - name: Maximum lifetime for user ticket
- href: security-policy-settings/maximum-lifetime-for-user-ticket.md
- - name: Maximum lifetime for user ticket renewal
- href: security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
- - name: Maximum tolerance for computer clock synchronization
- href: security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
- - name: Audit Policy
- href: security-policy-settings/audit-policy.md
- - name: Security Options
- href: security-policy-settings/security-options.md
- items:
- - name: "Accounts: Administrator account status"
- href: security-policy-settings/accounts-administrator-account-status.md
- - name: "Accounts: Block Microsoft accounts"
- href: security-policy-settings/accounts-block-microsoft-accounts.md
- - name: "Accounts: Guest account status"
- href: security-policy-settings/accounts-guest-account-status.md
- - name: "Accounts: Limit local account use of blank passwords to console logon only"
- href: security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
- - name: "Accounts: Rename administrator account"
- href: security-policy-settings/accounts-rename-administrator-account.md
- - name: "Accounts: Rename guest account"
- href: security-policy-settings/accounts-rename-guest-account.md
- - name: "Audit: Audit the access of global system objects"
- href: security-policy-settings/audit-audit-the-access-of-global-system-objects.md
- - name: "Audit: Audit the use of Backup and Restore privilege"
- href: security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
- - name: "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings"
- href: security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
- - name: "Audit: Shut down system immediately if unable to log security audits"
- href: security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
- - name: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax"
- href: security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
- - name: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax"
- href: security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
- - name: "Devices: Allow undock without having to log on"
- href: security-policy-settings/devices-allow-undock-without-having-to-log-on.md
- - name: "Devices: Allowed to format and eject removable media"
- href: security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
- - name: "Devices: Prevent users from installing printer drivers"
- href: security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
- - name: "Devices: Restrict CD-ROM access to locally logged-on user only"
- href: security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
- - name: "Devices: Restrict floppy access to locally logged-on user only"
- href: security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
- - name: "Domain controller: Allow server operators to schedule tasks"
- href: security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
- - name: "Domain controller: LDAP server signing requirements"
- href: security-policy-settings/domain-controller-ldap-server-signing-requirements.md
- - name: "Domain controller: Refuse machine account password changes"
- href: security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
- - name: "Domain member: Digitally encrypt or sign secure channel data (always)"
- href: security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
- - name: "Domain member: Digitally encrypt secure channel data (when possible)"
- href: security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
- - name: "Domain member: Digitally sign secure channel data (when possible)"
- href: security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
- - name: "Domain member: Disable machine account password changes"
- href: security-policy-settings/domain-member-disable-machine-account-password-changes.md
- - name: "Domain member: Maximum machine account password age"
- href: security-policy-settings/domain-member-maximum-machine-account-password-age.md
- - name: "Domain member: Require strong (Windows 2000 or later) session key"
- href: security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
- - name: "Interactive logon: Display user information when the session is locked"
- href: security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
- - name: "Interactive logon: Don't display last signed-in"
- href: security-policy-settings/interactive-logon-do-not-display-last-user-name.md
- - name: "Interactive logon: Don't display username at sign-in"
- href: security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
- - name: "Interactive logon: Do not require CTRL+ALT+DEL"
- href: security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
- - name: "Interactive logon: Machine account lockout threshold"
- href: security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
- - name: "Interactive logon: Machine inactivity limit"
- href: security-policy-settings/interactive-logon-machine-inactivity-limit.md
- - name: "Interactive logon: Message text for users attempting to log on"
- href: security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
- - name: "Interactive logon: Message title for users attempting to log on"
- href: security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
- - name: "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"
- href: security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
- - name: "Interactive logon: Prompt user to change password before expiration"
- href: security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
- - name: "Interactive logon: Require Domain Controller authentication to unlock workstation"
- href: security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
- - name: "Interactive logon: Require smart card"
- href: security-policy-settings/interactive-logon-require-smart-card.md
- - name: "Interactive logon: Smart card removal behavior"
- href: security-policy-settings/interactive-logon-smart-card-removal-behavior.md
- - name: "Microsoft network client: Digitally sign communications (always)"
- href: security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
- - name: "SMBv1 Microsoft network client: Digitally sign communications (always)"
- href: security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md
- - name: "SMBv1 Microsoft network client: Digitally sign communications (if server agrees)"
- href: security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md
- - name: "Microsoft network client: Send unencrypted password to third-party SMB servers"
- href: security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
- - name: "Microsoft network server: Amount of idle time required before suspending session"
- href: security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
- - name: "Microsoft network server: Attempt S4U2Self to obtain claim information"
- href: security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
- - name: "Microsoft network server: Digitally sign communications (always)"
- href: security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
- - name: "SMBv1 Microsoft network server: Digitally sign communications (always)"
- href: security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md
- - name: "SMBv1 Microsoft network server: Digitally sign communications (if client agrees)"
- href: security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md
- - name: "Microsoft network server: Disconnect clients when logon hours expire"
- href: security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
- - name: "Microsoft network server: Server SPN target name validation level"
- href: security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
- - name: "Network access: Allow anonymous SID/Name translation"
- href: security-policy-settings/network-access-allow-anonymous-sidname-translation.md
- - name: "Network access: Do not allow anonymous enumeration of SAM accounts"
- href: security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
- - name: "Network access: Do not allow anonymous enumeration of SAM accounts and shares"
- href: security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
- - name: "Network access: Do not allow storage of passwords and credentials for network authentication"
- href: security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
- - name: "Network access: Let Everyone permissions apply to anonymous users"
- href: security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
- - name: "Network access: Named Pipes that can be accessed anonymously"
- href: security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
- - name: "Network access: Remotely accessible registry paths"
- href: security-policy-settings/network-access-remotely-accessible-registry-paths.md
- - name: "Network access: Remotely accessible registry paths and subpaths"
- href: security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
- - name: "Network access: Restrict anonymous access to Named Pipes and Shares"
- href: security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
- - name: "Network access: Restrict clients allowed to make remote calls to SAM"
- href: security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
- - name: "Network access: Shares that can be accessed anonymously"
- href: security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
- - name: "Network access: Sharing and security model for local accounts"
- href: security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
- - name: "Network security: Allow Local System to use computer identity for NTLM"
- href: security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
- - name: "Network security: Allow LocalSystem NULL session fallback"
- href: security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
- - name: "Network security: Allow PKU2U authentication requests to this computer to use online identities"
- href: security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
- - name: "Network security: Configure encryption types allowed for Kerberos"
- href: security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
- - name: "Network security: Do not store LAN Manager hash value on next password change"
- href: security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
- - name: "Network security: Force logoff when logon hours expire"
- href: security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
- - name: "Network security: LAN Manager authentication level"
- href: security-policy-settings/network-security-lan-manager-authentication-level.md
- - name: "Network security: LDAP client signing requirements"
- href: security-policy-settings/network-security-ldap-client-signing-requirements.md
- - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
- href: security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
- - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
- href: security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
- - name: "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication"
- href:
security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md - - name: "Network security: Restrict NTLM: Add server exceptions in this domain" - href: security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md - - name: "Network security: Restrict NTLM: Audit incoming NTLM traffic" - href: security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md - - name: "Network security: Restrict NTLM: Audit NTLM authentication in this domain" - href: security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md - - name: "Network security: Restrict NTLM: Incoming NTLM traffic" - href: security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md - - name: "Network security: Restrict NTLM: NTLM authentication in this domain" - href: security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md - - name: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" - href: security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md - - name: "Recovery console: Allow automatic administrative logon" - href: security-policy-settings/recovery-console-allow-automatic-administrative-logon.md - - name: "Recovery console: Allow floppy copy and access to all drives and folders" - href: security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md - - name: "Shutdown: Allow system to be shut down without having to log on" - href: security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md - - name: "Shutdown: Clear virtual memory pagefile" - href: security-policy-settings/shutdown-clear-virtual-memory-pagefile.md - - name: "System cryptography: Force strong key protection for user keys stored on the computer" - href: 
security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md - - name: "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" - href: security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md - - name: "System objects: Require case insensitivity for non-Windows subsystems" - href: security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md - - name: "System objects: Strengthen default permissions of internal system objects (Symbolic Links)" - href: security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md - - name: "System settings: Optional subsystems" - href: security-policy-settings/system-settings-optional-subsystems.md - - name: "System settings: Use certificate rules on Windows executables for Software Restriction Policies" - href: security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md - - name: "User Account Control: Admin Approval Mode for the Built-in Administrator account" - href: security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md - - name: "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" - href: security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md - - name: "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" - href: security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md - - name: "User Account Control: Behavior of the elevation prompt for standard users" - href: security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md 
- - name: "User Account Control: Detect application installations and prompt for elevation" - href: security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md - - name: "User Account Control: Only elevate executables that are signed and validated" - href: security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md - - name: "User Account Control: Only elevate UIAccess applications that are installed in secure locations" - href: security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md - - name: "User Account Control: Run all administrators in Admin Approval Mode" - href: security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md - - name: "User Account Control: Switch to the secure desktop when prompting for elevation" - href: security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md - - name: "User Account Control: Virtualize file and registry write failures to per-user locations" - href: security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md - - name: Advanced security audit policy settings - href: security-policy-settings/secpol-advanced-security-audit-policy-settings.md - - name: User Rights Assignment - href: security-policy-settings/user-rights-assignment.md - items: - - name: Access Credential Manager as a trusted caller - href: security-policy-settings/access-credential-manager-as-a-trusted-caller.md - - name: Access this computer from the network - href: security-policy-settings/access-this-computer-from-the-network.md - - name: Act as part of the operating system - href: security-policy-settings/act-as-part-of-the-operating-system.md - - name: Add workstations to domain - href: security-policy-settings/add-workstations-to-domain.md - - name: Adjust memory 
quotas for a process - href: security-policy-settings/adjust-memory-quotas-for-a-process.md - - name: Allow log on locally - href: security-policy-settings/allow-log-on-locally.md - - name: Allow log on through Remote Desktop Services - href: security-policy-settings/allow-log-on-through-remote-desktop-services.md - - name: Back up files and directories - href: security-policy-settings/back-up-files-and-directories.md - - name: Bypass traverse checking - href: security-policy-settings/bypass-traverse-checking.md - - name: Change the system time - href: security-policy-settings/change-the-system-time.md - - name: Change the time zone - href: security-policy-settings/change-the-time-zone.md - - name: Create a pagefile - href: security-policy-settings/create-a-pagefile.md - - name: Create a token object - href: security-policy-settings/create-a-token-object.md - - name: Create global objects - href: security-policy-settings/create-global-objects.md - - name: Create permanent shared objects - href: security-policy-settings/create-permanent-shared-objects.md - - name: Create symbolic links - href: security-policy-settings/create-symbolic-links.md - - name: Debug programs - href: security-policy-settings/debug-programs.md - - name: Deny access to this computer from the network - href: security-policy-settings/deny-access-to-this-computer-from-the-network.md - - name: Deny log on as a batch job - href: security-policy-settings/deny-log-on-as-a-batch-job.md - - name: Deny log on as a service - href: security-policy-settings/deny-log-on-as-a-service.md - - name: Deny log on locally - href: security-policy-settings/deny-log-on-locally.md - - name: Deny log on through Remote Desktop Services - href: security-policy-settings/deny-log-on-through-remote-desktop-services.md - - name: Enable computer and user accounts to be trusted for delegation - href: security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md - - name: Force shutdown from a 
remote system - href: security-policy-settings/force-shutdown-from-a-remote-system.md - - name: Generate security audits - href: security-policy-settings/generate-security-audits.md - - name: Impersonate a client after authentication - href: security-policy-settings/impersonate-a-client-after-authentication.md - - name: Increase a process working set - href: security-policy-settings/increase-a-process-working-set.md - - name: Increase scheduling priority - href: security-policy-settings/increase-scheduling-priority.md - - name: Load and unload device drivers - href: security-policy-settings/load-and-unload-device-drivers.md - - name: Lock pages in memory - href: security-policy-settings/lock-pages-in-memory.md - - name: Log on as a batch job - href: security-policy-settings/log-on-as-a-batch-job.md - - name: Log on as a service - href: security-policy-settings/log-on-as-a-service.md - - name: Manage auditing and security log - href: security-policy-settings/manage-auditing-and-security-log.md - - name: Modify an object label - href: security-policy-settings/modify-an-object-label.md - - name: Modify firmware environment values - href: security-policy-settings/modify-firmware-environment-values.md - - name: Perform volume maintenance tasks - href: security-policy-settings/perform-volume-maintenance-tasks.md - - name: Profile single process - href: security-policy-settings/profile-single-process.md - - name: Profile system performance - href: security-policy-settings/profile-system-performance.md - - name: Remove computer from docking station - href: security-policy-settings/remove-computer-from-docking-station.md - - name: Replace a process level token - href: security-policy-settings/replace-a-process-level-token.md - - name: Restore files and directories - href: security-policy-settings/restore-files-and-directories.md - - name: Shut down the system - href: security-policy-settings/shut-down-the-system.md - - name: Synchronize directory service data - href: 
security-policy-settings/synchronize-directory-service-data.md - - name: Take ownership of files or other objects - href: security-policy-settings/take-ownership-of-files-or-other-objects.md - - name: Windows security guidance for enterprises - items: - - name: Windows security baselines - href: windows-security-configuration-framework/windows-security-baselines.md - items: - - name: Security Compliance Toolkit - href: windows-security-configuration-framework/security-compliance-toolkit-10.md - - name: Get support - href: windows-security-configuration-framework/get-support-for-security-baselines.md diff --git a/windows/security/threat-protection/auditing/TOC.yml b/windows/security/threat-protection/auditing/TOC.yml new file mode 100644 index 0000000000..4f122c5d8e --- /dev/null +++ b/windows/security/threat-protection/auditing/TOC.yml 
@@ -0,0 +1,767 @@
+ - name: Security auditing
+ href: security-auditing-overview.md
+ items:
+ - name: Basic security audit policies
+ href: basic-security-audit-policies.md
+ items:
+ - name: Create a basic audit policy for an event category
+ href: create-a-basic-audit-policy-settings-for-an-event-category.md
+ - name: Apply a basic audit policy on a file or folder
+ href: apply-a-basic-audit-policy-on-a-file-or-folder.md
+ - name: View the security event log
+ href: view-the-security-event-log.md
+ - name: Basic security audit policy settings
+ href: basic-security-audit-policy-settings.md
+ items:
+ - name: Audit account logon events
+ href: basic-audit-account-logon-events.md
+ - name: Audit account management
+ href: basic-audit-account-management.md
+ - name: Audit directory service access
+ href: basic-audit-directory-service-access.md
+ - name: Audit logon events
+ href: basic-audit-logon-events.md
+ - name: Audit object access
+ href: basic-audit-object-access.md
+ - name: Audit policy change
+ href: basic-audit-policy-change.md
+ - name: Audit privilege use
+ href: basic-audit-privilege-use.md
+ - name: Audit process tracking
+ href: basic-audit-process-tracking.md
+ - name: Audit system events
+ href: basic-audit-system-events.md
+ - name: Advanced security audit policies
+ href: advanced-security-auditing.md
+ items:
+ - name: Planning and deploying advanced security audit policies
+ href: planning-and-deploying-advanced-security-audit-policies.md
+ - name: Advanced security auditing FAQ
+ href: advanced-security-auditing-faq.yml
+ items:
+ - name: Which editions of Windows support advanced audit policy configuration
+ href: which-editions-of-windows-support-advanced-audit-policy-configuration.md
+ - name: How to list XML elements in \
+ href: how-to-list-xml-elements-in-eventdata.md
+ - name: Using advanced security auditing options to monitor dynamic access control objects
+ href: using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
+ items:
+ - name: Monitor the central access policies that apply on a file server
+ href: monitor-the-central-access-policies-that-apply-on-a-file-server.md
+ - name: Monitor the use of removable storage devices
+ href: monitor-the-use-of-removable-storage-devices.md
+ - name: Monitor resource attribute definitions
+ href: monitor-resource-attribute-definitions.md
+ - name: Monitor central access policy and rule definitions
+ href: monitor-central-access-policy-and-rule-definitions.md
+ - name: Monitor user and device claims during sign-in
+ href: monitor-user-and-device-claims-during-sign-in.md
+ - name: Monitor the resource attributes on files and folders
+ href: monitor-the-resource-attributes-on-files-and-folders.md
+ - name: Monitor the central access policies associated with files and folders
+ href: monitor-the-central-access-policies-associated-with-files-and-folders.md
+ - name: Monitor claim types
+ href: monitor-claim-types.md
+ - name: Advanced security audit policy settings
+ href: advanced-security-audit-policy-settings.md
+ items:
+ - name: Audit Credential Validation
+ href: audit-credential-validation.md
+ - name: "Event 4774 S, F: An account was mapped for logon."
+ href: event-4774.md
+ - name: "Event 4775 F: An account could not be mapped for logon."
+ href: event-4775.md
+ - name: "Event 4776 S, F: The computer attempted to validate the credentials for an account."
+ href: event-4776.md
+ - name: "Event 4777 F: The domain controller failed to validate the credentials for an account."
+ href: event-4777.md
+ - name: Audit Kerberos Authentication Service
+ href: audit-kerberos-authentication-service.md
+ items:
+ - name: "Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested."
+ href: event-4768.md
+ - name: "Event 4771 F: Kerberos pre-authentication failed."
+ href: event-4771.md
+ - name: "Event 4772 F: A Kerberos authentication ticket request failed."
+ href: event-4772.md
+ - name: Audit Kerberos Service Ticket Operations
+ href: audit-kerberos-service-ticket-operations.md
+ items:
+ - name: "Event 4769 S, F: A Kerberos service ticket was requested."
+ href: event-4769.md
+ - name: "Event 4770 S: A Kerberos service ticket was renewed."
+ href: event-4770.md
+ - name: "Event 4773 F: A Kerberos service ticket request failed."
+ href: event-4773.md
+ - name: Audit Other Account Logon Events
+ href: audit-other-account-logon-events.md
+ - name: Audit Application Group Management
+ href: audit-application-group-management.md
+ - name: Audit Computer Account Management
+ href: audit-computer-account-management.md
+ items:
+ - name: "Event 4741 S: A computer account was created."
+ href: event-4741.md
+ - name: "Event 4742 S: A computer account was changed."
+ href: event-4742.md
+ - name: "Event 4743 S: A computer account was deleted."
+ href: event-4743.md
+ - name: Audit Distribution Group Management
+ href: audit-distribution-group-management.md
+ items:
+ - name: "Event 4749 S: A security-disabled global group was created."
+ href: event-4749.md
+ - name: "Event 4750 S: A security-disabled global group was changed."
+ href: event-4750.md
+ - name: "Event 4751 S: A member was added to a security-disabled global group."
+ href: event-4751.md
+ - name: "Event 4752 S: A member was removed from a security-disabled global group."
+ href: event-4752.md
+ - name: "Event 4753 S: A security-disabled global group was deleted."
+ href: event-4753.md
+ - name: Audit Other Account Management Events
+ href: audit-other-account-management-events.md
+ items:
+ - name: "Event 4782 S: The password hash of an account was accessed."
+ href: event-4782.md
+ - name: "Event 4793 S: The Password Policy Checking API was called."
+ href: event-4793.md
+ - name: Audit Security Group Management
+ href: audit-security-group-management.md
+ items:
+ - name: "Event 4731 S: A security-enabled local group was created."
+ href: event-4731.md
+ - name: "Event 4732 S: A member was added to a security-enabled local group."
+ href: event-4732.md
+ - name: "Event 4733 S: A member was removed from a security-enabled local group."
+ href: event-4733.md
+ - name: "Event 4734 S: A security-enabled local group was deleted."
+ href: event-4734.md
+ - name: "Event 4735 S: A security-enabled local group was changed."
+ href: event-4735.md
+ - name: "Event 4764 S: A group�s type was changed."
+ href: event-4764.md
+ - name: "Event 4799 S: A security-enabled local group membership was enumerated."
+ href: event-4799.md
+ - name: Audit User Account Management
+ href: audit-user-account-management.md
+ items:
+ - name: "Event 4720 S: A user account was created."
+ href: event-4720.md
+ - name: "Event 4722 S: A user account was enabled."
+ href: event-4722.md
+ - name: "Event 4723 S, F: An attempt was made to change an account's password."
+ href: event-4723.md
+ - name: "Event 4724 S, F: An attempt was made to reset an account's password."
+ href: event-4724.md
+ - name: "Event 4725 S: A user account was disabled."
+ href: event-4725.md
+ - name: "Event 4726 S: A user account was deleted."
+ href: event-4726.md
+ - name: "Event 4738 S: A user account was changed."
+ href: event-4738.md
+ - name: "Event 4740 S: A user account was locked out."
+ href: event-4740.md
+ - name: "Event 4765 S: SID History was added to an account."
+ href: event-4765.md
+ - name: "Event 4766 F: An attempt to add SID History to an account failed."
+ href: event-4766.md
+ - name: "Event 4767 S: A user account was unlocked."
+ href: event-4767.md
+ - name: "Event 4780 S: The ACL was set on accounts that are members of administrators groups."
+ href: event-4780.md
+ - name: "Event 4781 S: The name of an account was changed."
+ href: event-4781.md
+ - name: "Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password."
+ href: event-4794.md
+ - name: "Event 4798 S: A user's local group membership was enumerated."
+ href: event-4798.md
+ - name: "Event 5376 S: Credential Manager credentials were backed up."
+ href: event-5376.md
+ - name: "Event 5377 S: Credential Manager credentials were restored from a backup."
+ href: event-5377.md
+ - name: Audit DPAPI Activity
+ href: audit-dpapi-activity.md
+ items:
+ - name: "Event 4692 S, F: Backup of data protection master key was attempted."
+ href: event-4692.md
+ - name: "Event 4693 S, F: Recovery of data protection master key was attempted."
+ href: event-4693.md
+ - name: "Event 4694 S, F: Protection of auditable protected data was attempted."
+ href: event-4694.md
+ - name: "Event 4695 S, F: Unprotection of auditable protected data was attempted."
+ href: event-4695.md
+ - name: Audit PNP Activity
+ href: audit-pnp-activity.md
+ items:
+ - name: "Event 6416 S: A new external device was recognized by the System."
+ href: event-6416.md
+ - name: "Event 6419 S: A request was made to disable a device."
+ href: event-6419.md
+ - name: "Event 6420 S: A device was disabled."
+ href: event-6420.md
+ - name: "Event 6421 S: A request was made to enable a device."
+ href: event-6421.md
+ - name: "Event 6422 S: A device was enabled."
+ href: event-6422.md
+ - name: "Event 6423 S: The installation of this device is forbidden by system policy."
+ href: event-6423.md
+ - name: "Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy."
+ href: event-6424.md
+ - name: Audit Process Creation
+ href: audit-process-creation.md
+ items:
+ - name: "Event 4688 S: A new process has been created."
+ href: event-4688.md
+ - name: "Event 4696 S: A primary token was assigned to process."
+ href: event-4696.md
+ - name: Audit Process Termination
+ href: audit-process-termination.md
+ items:
+ - name: "Event 4689 S: A process has exited."
+ href: event-4689.md
+ - name: Audit RPC Events
+ href: audit-rpc-events.md
+ items:
+ - name: "Event 5712 S: A Remote Procedure Call, RPC, was attempted."
+ href: event-5712.md
+ - name: Audit Token Right Adjusted
+ href: audit-token-right-adjusted.md
+ items:
+ - name: "Event 4703 S: A user right was adjusted."
+ href: event-4703.md
+ - name: Audit Detailed Directory Service Replication
+ href: audit-detailed-directory-service-replication.md
+ items:
+ - name: "Event 4928 S, F: An Active Directory replica source naming context was established."
+ href: event-4928.md
+ - name: "Event 4929 S, F: An Active Directory replica source naming context was removed."
+ href: event-4929.md
+ - name: "Event 4930 S, F: An Active Directory replica source naming context was modified."
+ href: event-4930.md
+ - name: "Event 4931 S, F: An Active Directory replica destination naming context was modified."
+ href: event-4931.md
+ - name: "Event 4934 S: Attributes of an Active Directory object were replicated."
+ href: event-4934.md
+ - name: "Event 4935 F: Replication failure begins."
+ href: event-4935.md
+ - name: "Event 4936 S: Replication failure ends."
+ href: event-4936.md
+ - name: "Event 4937 S: A lingering object was removed from a replica."
+ href: event-4937.md
+ - name: Audit Directory Service Access
+ href: audit-directory-service-access.md
+ items:
+ - name: "Event 4662 S, F: An operation was performed on an object."
+ href: event-4662.md
+ - name: "Event 4661 S, F: A handle to an object was requested."
+ href: event-4661.md
+ - name: Audit Directory Service Changes
+ href: audit-directory-service-changes.md
+ items:
+ - name: "Event 5136 S: A directory service object was modified."
+ href: event-5136.md
+ - name: "Event 5137 S: A directory service object was created."
+ href: event-5137.md
+ - name: "Event 5138 S: A directory service object was undeleted."
+ href: event-5138.md
+ - name: "Event 5139 S: A directory service object was moved."
+ href: event-5139.md
+ - name: "Event 5141 S: A directory service object was deleted."
+ href: event-5141.md
+ - name: Audit Directory Service Replication
+ href: audit-directory-service-replication.md
+ items:
+ - name: "Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun."
+ href: event-4932.md
+ - name: "Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended."
+ href: event-4933.md
+ - name: Audit Account Lockout
+ href: audit-account-lockout.md
+ items:
+ - name: "Event 4625 F: An account failed to log on."
+ href: event-4625.md
+ - name: Audit User/Device Claims
+ href: audit-user-device-claims.md
+ items:
+ - name: "Event 4626 S: User/Device claims information."
+ href: event-4626.md
+ - name: Audit Group Membership
+ href: audit-group-membership.md
+ items:
+ - name: "Event 4627 S: Group membership information."
+ href: event-4627.md
+ - name: Audit IPsec Extended Mode
+ href: audit-ipsec-extended-mode.md
+ - name: Audit IPsec Main Mode
+ href: audit-ipsec-main-mode.md
+ - name: Audit IPsec Quick Mode
+ href: audit-ipsec-quick-mode.md
+ - name: Audit Logoff
+ href: audit-logoff.md
+ items:
+ - name: "Event 4634 S: An account was logged off."
+ href: event-4634.md
+ - name: "Event 4647 S: User initiated logoff."
+ href: event-4647.md
+ - name: Audit Logon
+ href: audit-logon.md
+ items:
+ - name: "Event 4624 S: An account was successfully logged on."
+ href: event-4624.md
+ - name: "Event 4625 F: An account failed to log on."
+ href: event-4625.md
+ - name: "Event 4648 S: A logon was attempted using explicit credentials."
+ href: event-4648.md
+ - name: "Event 4675 S: SIDs were filtered."
+ href: event-4675.md
+ - name: Audit Network Policy Server
+ href: audit-network-policy-server.md
+ - name: Audit Other Logon/Logoff Events
+ href: audit-other-logonlogoff-events.md
+ items:
+ - name: "Event 4649 S: A replay attack was detected."
+ href: event-4649.md
+ - name: "Event 4778 S: A session was reconnected to a Window Station."
+ href: event-4778.md
+ - name: "Event 4779 S: A session was disconnected from a Window Station."
+ href: event-4779.md
+ - name: "Event 4800 S: The workstation was locked."
+ href: event-4800.md
+ - name: "Event 4801 S: The workstation was unlocked."
+ href: event-4801.md
+ - name: "Event 4802 S: The screen saver was invoked."
+ href: event-4802.md
+ - name: "Event 4803 S: The screen saver was dismissed."
+ href: event-4803.md
+ - name: "Event 5378 F: The requested credentials delegation was disallowed by policy."
+ href: event-5378.md
+ - name: "Event 5632 S, F: A request was made to authenticate to a wireless network."
+ href: event-5632.md
+ - name: "Event 5633 S, F: A request was made to authenticate to a wired network."
+ href: event-5633.md
+ - name: Audit Special Logon
+ href: audit-special-logon.md
+ items:
+ - name: "Event 4964 S: Special groups have been assigned to a new logon."
+ href: event-4964.md
+ - name: "Event 4672 S: Special privileges assigned to new logon."
+ href: event-4672.md
+ - name: Audit Application Generated
+ href: audit-application-generated.md
+ - name: Audit Certification Services
+ href: audit-certification-services.md
+ - name: Audit Detailed File Share
+ href: audit-detailed-file-share.md
+ items:
+ - name: "Event 5145 S, F: A network share object was checked to see whether client can be granted desired access."
+ href: event-5145.md
+ - name: Audit File Share
+ href: audit-file-share.md
+ items:
+ - name: "Event 5140 S, F: A network share object was accessed."
+ href: event-5140.md
+ - name: "Event 5142 S: A network share object was added."
+ href: event-5142.md
+ - name: "Event 5143 S: A network share object was modified."
+ href: event-5143.md
+ - name: "Event 5144 S: A network share object was deleted."
+ href: event-5144.md
+ - name: "Event 5168 F: SPN check for SMB/SMB2 failed."
+ href: event-5168.md
+ - name: Audit File System
+ href: audit-file-system.md
+ items:
+ - name: "Event 4656 S, F: A handle to an object was requested."
+ href: event-4656.md
+ - name: "Event 4658 S: The handle to an object was closed."
+ href: event-4658.md
+ - name: "Event 4660 S: An object was deleted."
+ href: event-4660.md
+ - name: "Event 4663 S: An attempt was made to access an object."
+ href: event-4663.md
+ - name: "Event 4664 S: An attempt was made to create a hard link."
+ href: event-4664.md
+ - name: "Event 4985 S: The state of a transaction has changed."
+ href: event-4985.md
+ - name: "Event 5051: A file was virtualized."
+ href: event-5051.md
+ - name: "Event 4670 S: Permissions on an object were changed."
+ href: event-4670.md
+ - name: Audit Filtering Platform Connection
+ href: audit-filtering-platform-connection.md
+ items:
+ - name: "Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network."
+ href: event-5031.md
+ - name: "Event 5150: The Windows Filtering Platform blocked a packet."
+ href: event-5150.md
+ - name: "Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet."
+ href: event-5151.md
+ - name: "Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections."
+ href: event-5154.md
+ - name: "Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections."
+ href: event-5155.md
+ - name: "Event 5156 S: The Windows Filtering Platform has permitted a connection."
+ href: event-5156.md
+ - name: "Event 5157 F: The Windows Filtering Platform has blocked a connection."
+ href: event-5157.md
+ - name: "Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port."
+ href: event-5158.md
+ - name: "Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port."
+ href: event-5159.md
+ - name: Audit Filtering Platform Packet Drop
+ href: audit-filtering-platform-packet-drop.md
+ items:
+ - name: "Event 5152 F: The Windows Filtering Platform blocked a packet."
+ href: event-5152.md
+ - name: "Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet."
+ href: event-5153.md
+ - name: Audit Handle Manipulation
+ href: audit-handle-manipulation.md
+ items:
+ - name: "Event 4690 S: An attempt was made to duplicate a handle to an object."
+ href: event-4690.md
+ - name: Audit Kernel Object
+ href: audit-kernel-object.md
+ items:
+ - name: "Event 4656 S, F: A handle to an object was requested."
+ href: event-4656.md
+ - name: "Event 4658 S: The handle to an object was closed."
+ href: event-4658.md
+ - name: "Event 4660 S: An object was deleted."
+ href: event-4660.md
+ - name: "Event 4663 S: An attempt was made to access an object."
+ href: event-4663.md
+ - name: Audit Other Object Access Events
+ href: audit-other-object-access-events.md
+ items:
+ - name: "Event 4671: An application attempted to access a blocked ordinal through the TBS."
+ href: event-4671.md
+ - name: "Event 4691 S: Indirect access to an object was requested."
+ href: event-4691.md
+ - name: "Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded."
+ href: event-5148.md
+ - name: "Event 5149 F: The DoS attack has subsided and normal processing is being resumed."
+ href: event-5149.md
+ - name: "Event 4698 S: A scheduled task was created."
+ href: event-4698.md
+ - name: "Event 4699 S: A scheduled task was deleted."
+ href: event-4699.md
+ - name: "Event 4700 S: A scheduled task was enabled."
+ href: event-4700.md
+ - name: "Event 4701 S: A scheduled task was disabled."
+ href: event-4701.md
+ - name: "Event 4702 S: A scheduled task was updated."
+ href: event-4702.md
+ - name: "Event 5888 S: An object in the COM+ Catalog was modified."
+ href: event-5888.md
+ - name: "Event 5889 S: An object was deleted from the COM+ Catalog."
+ href: event-5889.md
+ - name: "Event 5890 S: An object was added to the COM+ Catalog."
+ href: event-5890.md
+ - name: Audit Registry
+ href: audit-registry.md
+ items:
+ - name: "Event 4663 S: An attempt was made to access an object."
+ href: event-4663.md
+ - name: "Event 4656 S, F: A handle to an object was requested."
+ href: event-4656.md
+ - name: "Event 4658 S: The handle to an object was closed."
+ href: event-4658.md
+ - name: "Event 4660 S: An object was deleted."
+ href: event-4660.md
+ - name: "Event 4657 S: A registry value was modified."
+ href: event-4657.md
+ - name: "Event 5039: A registry key was virtualized."
+ href: event-5039.md
+ - name: "Event 4670 S: Permissions on an object were changed."
+ href: event-4670.md
+ - name: Audit Removable Storage
+ href: audit-removable-storage.md
+ - name: Audit SAM
+ href: audit-sam.md
+ items:
+ - name: "Event 4661 S, F: A handle to an object was requested."
+ href: event-4661.md
+ - name: Audit Central Access Policy Staging
+ href: audit-central-access-policy-staging.md
+ items:
+ - name: "Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy."
+ href: event-4818.md
+ - name: Audit Audit Policy Change
+ href: audit-audit-policy-change.md
+ items:
+ - name: "Event 4670 S: Permissions on an object were changed."
+ href: event-4670.md
+ - name: "Event 4715 S: The audit policy, SACL, on an object was changed."
+ href: event-4715.md
+ - name: "Event 4719 S: System audit policy was changed."
+ href: event-4719.md
+ - name: "Event 4817 S: Auditing settings on object were changed."
+ href: event-4817.md
+ - name: "Event 4902 S: The Per-user audit policy table was created."
+ href: event-4902.md
+ - name: "Event 4906 S: The CrashOnAuditFail value has changed."
+ href: event-4906.md
+ - name: "Event 4907 S: Auditing settings on object were changed."
+ href: event-4907.md
+ - name: "Event 4908 S: Special Groups Logon table modified."
+ href: event-4908.md
+ - name: "Event 4912 S: Per User Audit Policy was changed."
+ href: event-4912.md
+ - name: "Event 4904 S: An attempt was made to register a security event source."
+ href: event-4904.md
+ - name: "Event 4905 S: An attempt was made to unregister a security event source."
+ href: event-4905.md
+ - name: Audit Authentication Policy Change
+ href: audit-authentication-policy-change.md
+ items:
+ - name: "Event 4706 S: A new trust was created to a domain."
+ href: event-4706.md
+ - name: "Event 4707 S: A trust to a domain was removed."
+ href: event-4707.md
+ - name: "Event 4716 S: Trusted domain information was modified."
+ href: event-4716.md
+ - name: "Event 4713 S: Kerberos policy was changed."
+ href: event-4713.md
+ - name: "Event 4717 S: System security access was granted to an account."
+ href: event-4717.md
+ - name: "Event 4718 S: System security access was removed from an account."
+ href: event-4718.md
+ - name: "Event 4739 S: Domain Policy was changed."
+ href: event-4739.md
+ - name: "Event 4864 S: A namespace collision was detected."
+ href: event-4864.md
+ - name: "Event 4865 S: A trusted forest information entry was added."
+ href: event-4865.md
+ - name: "Event 4866 S: A trusted forest information entry was removed."
+ href: event-4866.md
+ - name: "Event 4867 S: A trusted forest information entry was modified."
+ href: event-4867.md
+ - name: Audit Authorization Policy Change
+ href: audit-authorization-policy-change.md
+ items:
+ - name: "Event 4703 S: A user right was adjusted."
+ href: event-4703.md
+ - name: "Event 4704 S: A user right was assigned."
+ href: event-4704.md
+ - name: "Event 4705 S: A user right was removed."
+ href: event-4705.md
+ - name: "Event 4670 S: Permissions on an object were changed."
+ href: event-4670.md
+ - name: "Event 4911 S: Resource attributes of the object were changed."
+ href: event-4911.md
+ - name: "Event 4913 S: Central Access Policy on the object was changed."
+ href: event-4913.md
+ - name: Audit Filtering Platform Policy Change
+ href: audit-filtering-platform-policy-change.md
+ - name: Audit MPSSVC Rule-Level Policy Change
+ href: audit-mpssvc-rule-level-policy-change.md
+ items:
+ - name: "Event 4944 S: The following policy was active when the Windows Firewall started."
+ href: event-4944.md
+ - name: "Event 4945 S: A rule was listed when the Windows Firewall started."
+ href: event-4945.md
+ - name: "Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added."
+ href: event-4946.md
+ - name: "Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified."
+ href: event-4947.md
+ - name: "Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted."
+ href: event-4948.md
+ - name: "Event 4949 S: Windows Firewall settings were restored to the default values."
+ href: event-4949.md
+ - name: "Event 4950 S: A Windows Firewall setting has changed."
+ href: event-4950.md
+ - name: "Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall."
+ href: event-4951.md
+ - name: "Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced."
+ href: event-4952.md
+ - name: "Event 4953 F: Windows Firewall ignored a rule because it could not be parsed."
+ href: event-4953.md
+ - name: "Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied."
+ href: event-4954.md
+ - name: "Event 4956 S: Windows Firewall has changed the active profile."
+ href: event-4956.md
+ - name: "Event 4957 F: Windows Firewall did not apply the following rule."
+ href: event-4957.md
+ - name: "Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer."
+ href: event-4958.md
+ - name: Audit Other Policy Change Events
+ href: audit-other-policy-change-events.md
+ items:
+ - name: "Event 4714 S: Encrypted data recovery policy was changed."
+ href: event-4714.md
+ - name: "Event 4819 S: Central Access Policies on the machine have been changed."
+ href: event-4819.md
+ - name: "Event 4826 S: Boot Configuration Data loaded."
+ href: event-4826.md
+ - name: "Event 4909: The local policy settings for the TBS were changed."
+ href: event-4909.md
+ - name: "Event 4910: The group policy settings for the TBS were changed."
+ href: event-4910.md
+ - name: "Event 5063 S, F: A cryptographic provider operation was attempted."
+ href: event-5063.md
+ - name: "Event 5064 S, F: A cryptographic context operation was attempted."
+ href: event-5064.md
+ - name: "Event 5065 S, F: A cryptographic context modification was attempted."
+ href: event-5065.md
+ - name: "Event 5066 S, F: A cryptographic function operation was attempted."
+ href: event-5066.md
+ - name: "Event 5067 S, F: A cryptographic function modification was attempted."
+ href: event-5067.md
+ - name: "Event 5068 S, F: A cryptographic function provider operation was attempted."
+ href: event-5068.md
+ - name: "Event 5069 S, F: A cryptographic function property operation was attempted."
+ href: event-5069.md
+ - name: "Event 5070 S, F: A cryptographic function property modification was attempted."
+ href: event-5070.md
+ - name: "Event 5447 S: A Windows Filtering Platform filter has been changed."
+ href: event-5447.md
+ - name: "Event 6144 S: Security policy in the group policy objects has been applied successfully."
+ href: event-6144.md
+ - name: "Event 6145 F: One or more errors occurred while processing security policy in the group policy objects."
+ href: event-6145.md
+ - name: Audit Sensitive Privilege Use
+ href: audit-sensitive-privilege-use.md
+ items:
+ - name: "Event 4673 S, F: A privileged service was called."
+ href: event-4673.md
+ - name: "Event 4674 S, F: An operation was attempted on a privileged object."
+ href: event-4674.md
+ - name: "Event 4985 S: The state of a transaction has changed."
+ href: event-4985.md
+ - name: Audit Non Sensitive Privilege Use
+ href: audit-non-sensitive-privilege-use.md
+ items:
+ - name: "Event 4673 S, F: A privileged service was called."
+ href: event-4673.md
+ - name: "Event 4674 S, F: An operation was attempted on a privileged object."
+ href: event-4674.md
+ - name: "Event 4985 S: The state of a transaction has changed."
+ href: event-4985.md
+ - name: Audit Other Privilege Use Events
+ href: audit-other-privilege-use-events.md
+ items:
+ - name: "Event 4985 S: The state of a transaction has changed."
+ href: event-4985.md
+ - name: Audit IPsec Driver
+ href: audit-ipsec-driver.md
+ - name: Audit Other System Events
+ href: audit-other-system-events.md
+ items:
+ - name: "Event 5024 S: The Windows Firewall Service has started successfully."
+ href: event-5024.md
+ - name: "Event 5025 S: The Windows Firewall Service has been stopped."
+ href: event-5025.md
+ - name: "Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy."
+ href: event-5027.md
+ - name: "Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy."
+ href: event-5028.md
+ - name: "Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy."
+ href: event-5029.md
+ - name: "Event 5030 F: The Windows Firewall Service failed to start."
+ href: event-5030.md
+ - name: "Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network."
+ href: event-5032.md
+ - name: "Event 5033 S: The Windows Firewall Driver has started successfully."
+ href: event-5033.md
+ - name: "Event 5034 S: The Windows Firewall Driver was stopped."
+ href: event-5034.md
+ - name: "Event 5035 F: The Windows Firewall Driver failed to start."
+ href: event-5035.md
+ - name: "Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating."
+ href: event-5037.md
+ - name: "Event 5058 S, F: Key file operation."
+ href: event-5058.md
+ - name: "Event 5059 S, F: Key migration operation."
+ href: event-5059.md
+ - name: "Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content."
+ href: event-6400.md
+ - name: "Event 6401: BranchCache: Received invalid data from a peer. Data discarded."
+ href: event-6401.md
+ - name: "Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted."
+ href: event-6402.md
+ - name: "Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client."
+ href: event-6403.md
+ - name: "Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate."
+ href: event-6404.md
+ - name: "Event 6405: BranchCache: %2 instances of event id %1 occurred."
+ href: event-6405.md
+ - name: "Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2."
+ href: event-6406.md
+ - name: "Event 6407: 1%."
+ href: event-6407.md
+ - name: "Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2."
+ href: event-6408.md
+ - name: "Event 6409: BranchCache: A service connection point object could not be parsed."
+ href: event-6409.md
+ - name: Audit Security State Change
+ href: audit-security-state-change.md
+ items:
+ - name: "Event 4608 S: Windows is starting up."
+ href: event-4608.md
+ - name: "Event 4616 S: The system time was changed."
+ href: event-4616.md
+ - name: "Event 4621 S: Administrator recovered system from CrashOnAuditFail."
+ href: event-4621.md
+ - name: Audit Security System Extension
+ href: audit-security-system-extension.md
+ items:
+ - name: "Event 4610 S: An authentication package has been loaded by the Local Security Authority."
+ href: event-4610.md
+ - name: "Event 4611 S: A trusted logon process has been registered with the Local Security Authority."
+ href: event-4611.md
+ - name: "Event 4614 S: A notification package has been loaded by the Security Account Manager."
+ href: event-4614.md
+ - name: "Event 4622 S: A security package has been loaded by the Local Security Authority."
+ href: event-4622.md
+ - name: "Event 4697 S: A service was installed in the system."
+ href: event-4697.md
+ - name: Audit System Integrity
+ href: audit-system-integrity.md
+ items:
+ - name: "Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits."
+ href: event-4612.md
+ - name: "Event 4615 S: Invalid use of LPC port."
+ href: event-4615.md
+ - name: "Event 4618 S: A monitored security event pattern has occurred."
+ href: event-4618.md
+ - name: "Event 4816 S: RPC detected an integrity violation while decrypting an incoming message."
+ href: event-4816.md
+ - name: "Event 5038 F: Code integrity determined that the image hash of a file is not valid."
+ href: event-5038.md
+ - name: "Event 5056 S: A cryptographic self-test was performed."
+ href: event-5056.md
+ - name: "Event 5062 S: A kernel-mode cryptographic self-test was performed."
+ href: event-5062.md
+ - name: "Event 5057 F: A cryptographic primitive operation failed."
+ href: event-5057.md
+ - name: "Event 5060 F: Verification operation failed."
+ href: event-5060.md
+ - name: "Event 5061 S, F: Cryptographic operation."
+ href: event-5061.md
+ - name: "Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid."
+ href: event-6281.md
+ - name: "Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process."
+ href: event-6410.md
+ - name: Other Events
+ href: other-events.md
+ items:
+ - name: "Event 1100 S: The event logging service has shut down."
+ href: event-1100.md
+ - name: "Event 1102 S: The audit log was cleared."
+ href: event-1102.md
+ - name: "Event 1104 S: The security log is now full."
+ href: event-1104.md
+ - name: "Event 1105 S: Event log automatic backup."
+ href: event-1105.md
+ - name: "Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1."
+ href: event-1108.md
+ - name: "Appendix A: Security monitoring recommendations for many audit events"
+ href: appendix-a-security-monitoring-recommendations-for-many-audit-events.md
+ - name: Registry (Global Object Access Auditing)
+ href: registry-global-object-access-auditing.md
+ - name: File System (Global Object Access Auditing)
+ href: file-system-global-object-access-auditing.md
+ - name: Windows security
+ href: /windows/security/
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
index b1b0dbf35b..1cb4f72589 100644
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
@@ -14,15 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Advanced security audit policy settings -**Applies to** -- Windows 10 - This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as: diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index 61dfe3d07c..8cce54444d 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml 
@@ -15,33 +15,46 @@ metadata: audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual - ms.date: 04/19/2017 + ms.date: 11/10/2021 ms.technology: mde title: Advanced security auditing FAQ -summary: | - **Applies to** - - Windows 10 - - This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. +summary: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-) + - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) + - [What is the interaction between basic audit policy settings and advanced audit policy settings?](#what-is-the-interaction-between-basic-audit-policy-settings-and-advanced-audit-policy-settings-) + - [How are audit settings merged by Group Policy?](#how-are-audit-settings-merged-by-group-policy-) + - [What is the difference between an object DACL and an object SACL?](#what-is-the-difference-between-an-object-dacl-and-an-object-sacl-) + - [Why are audit policies applied on a per-computer basis rather than per user?](#why-are-audit-policies-applied-on-a-per-computer-basis-rather-than-per-user-) + - [What are the differences in auditing functionality between versions of Windows?](#what-are-the-differences-in-auditing-functionality-between-versions-of-windows-) + - [Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000 Server?](#can-i-use-advanced-audit-policies-from-a-domain-controller-running-windows-server-2003-or-windows-2000-server-) + - [What is 
the difference between success and failure events? Is something wrong if I get a failure audit?](#what-is-the-difference-between-success-and-failure-events--is-something-wrong-if-i-get-a-failure-audit-) + - [How can I set an audit policy that affects all objects on a computer?](#how-can-i-set-an-audit-policy-that-affects-all-objects-on-a-computer-) + - [How do I figure out why someone was able to access a resource?](#how-do-i-figure-out-why-someone-was-able-to-access-a-resource-) + - [How do I know when changes are made to access control settings, by whom, and what the changes were?](#how-do-i-know-when-changes-are-made-to-access-control-settings--by-whom--and-what-the-changes-were-) + - [How can I roll back security audit policies from the advanced audit policy to the basic audit policy?](#how-can-i-roll-back-security-audit-policies-from-the-advanced-audit-policy-to-the-basic-audit-policy-) + - [How can I monitor if changes are made to audit policy settings?](#how-can-i-monitor-if-changes-are-made-to-audit-policy-settings-) + - [How can I minimize the number of events that are generated?](#how-can-i-minimize-the-number-of-events-that-are-generated-) + - [What are the best tools to model and manage audit policy?](#what-are-the-best-tools-to-model-and-manage-audit-policies-) + - [Where can I find information about all the possible events that I might receive?](#where-can-i-find-information-about-all-the-possible-events-that-i-might-receive-) + - [Where can I find more detailed information?](#where-can-i-find-more-detailed-information-) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md index 691956d81c..0b3fae0f35 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing.md +++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md 
@@ -14,15 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/6/2021 +ms.technology: windows-sec --- # Advanced security audit policies -**Applies to** -- Windows 10 - Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy. diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md index c892db7b11..fe2879fa16 100644 --- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md +++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Appendix A: Security monitoring recommendations for many audit events -**Applies to** -- Windows 10 -- Windows Server 2016 - This document, the [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) reference, provides information about individual audit events, and lists them within audit categories and subcategories. However, there are many events for which the following overall recommendations apply. There are links throughout this document from the “Recommendations” sections of the relevant events to this appendix. diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 2d63b25eb8..4deca9cd3b 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -14,15 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 07/25/2018 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Apply a basic audit policy on a file or folder -**Applies to** -- Windows 10 - You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. To complete this procedure, you must be signed in as a member of the built-in Administrators group or have **Manage auditing and security log** rights. 
diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md index 77f8126a98..2f8d75b174 100644 --- a/windows/security/threat-protection/auditing/audit-account-lockout.md +++ b/windows/security/threat-protection/auditing/audit-account-lockout.md @@ -11,17 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 07/16/2018 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Account Lockout -**Applies to** -- Windows 10 -- Windows Server 2016 - - Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. diff --git a/windows/security/threat-protection/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md index 7e8adee87d..f778de2af2 100644 --- a/windows/security/threat-protection/auditing/audit-application-generated.md +++ b/windows/security/threat-protection/auditing/audit-application-generated.md 
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Application Generated -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Application Generated generates events for actions related to Authorization Manager [applications](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770563(v=ws.11)). Audit Application Generated subcategory is out of scope of this document, because [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) is very rarely in use and it is deprecated starting from Windows Server 2012. diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md index 647f8e28b6..3cb78ff1b1 100644 --- a/windows/security/threat-protection/auditing/audit-application-group-management.md +++ b/windows/security/threat-protection/auditing/audit-application-group-management.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Application Group Management -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Application Group Management generates events for actions related to [application groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771579(v=ws.11)), such as group creation, modification, addition or removal of group member and some other actions. [Application groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771579(v=ws.11)) are used by [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)). 
diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md index 1ac2a40f94..ae75fb4fef 100644 --- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Audit Policy Change -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Audit Policy Change determines whether the operating system generates audit events when changes are made to audit policy. diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md index 8bf74ed78f..68c6747f77 100644 --- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md @@ -11,17 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Authentication Policy Change -**Applies to** -- Windows 10 -- Windows Server 2016 - - Audit Authentication Policy Change determines whether the operating system generates audit events when changes are made to authentication policy. Changes made to authentication policy include: diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md index c00445582a..03111b60f9 100644 --- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md 
+++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md @@ -11,17 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Authorization Policy Change -**Applies to** -- Windows 10 -- Windows Server 2016 - - Audit Authorization Policy Change allows you to audit assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | diff --git a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md index d63d07634a..a877583e94 100644 --- a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md +++ b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md @@ -11,17 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Central Access Policy Staging -**Applies to** -- Windows 10 -- Windows Server 2016 - - Audit Central Access Policy Staging allows you to audit access requests where a permission granted or denied by a proposed policy differs from the current central access policy on an object. If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event is generated as follows: 
diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md index 82fe1eac16..5c5e3cfccd 100644 --- a/windows/security/threat-protection/auditing/audit-certification-services.md +++ b/windows/security/threat-protection/auditing/audit-certification-services.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Certification Services -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Certification Services determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. Examples of AD CS operations include: diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md index 677244f857..c544d87734 100644 --- a/windows/security/threat-protection/auditing/audit-computer-account-management.md +++ b/windows/security/threat-protection/auditing/audit-computer-account-management.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Computer Account Management -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Computer Account Management determines whether the operating system generates audit events when a computer account is created, changed, or deleted. diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md index 4fdf9060db..ad726d2c61 100644 --- a/windows/security/threat-protection/auditing/audit-credential-validation.md 
+++ b/windows/security/threat-protection/auditing/audit-credential-validation.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Credential Validation -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Credential Validation determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md index a6f472d018..9af371fb40 100644 --- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md +++ b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Detailed Directory Service Replication -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Detailed Directory Service Replication determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers. diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md index 4428aad464..15e15c2540 100644 --- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md +++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md 
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Detailed File Share -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Detailed File Share allows you to audit attempts to access files and folders on a shared folder. diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md index 608ddbfc4f..927eb3b00a 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Directory Service Access -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Directory Service Access determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed. diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md index 2141bbae5e..c012915713 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-changes.md 
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Directory Service Changes -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Directory Service Changes determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). diff --git a/windows/security/threat-protection/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md index df8ddc7f12..f745f49759 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-replication.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-replication.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Directory Service Replication -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Directory Service Replication determines whether the operating system generates audit events when replication between two domain controllers begins and ends. diff --git a/windows/security/threat-protection/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md index 352eea4cfe..8317bd58a5 100644 --- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md +++ b/windows/security/threat-protection/auditing/audit-distribution-group-management.md 
@@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Distribution Group Management -**Applies to** -- Windows 10 -- Windows Server 2016 Audit Distribution Group Management determines whether the operating system generates audit events for specific distribution-group management tasks. diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md index 9661ffe602..ec0e0c8843 100644 --- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md +++ b/windows/security/threat-protection/auditing/audit-dpapi-activity.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit DPAPI Activity -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit [DPAPI](/previous-versions/ms995355(v=msdn.10)) Activity determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface ([DPAPI](/previous-versions/ms995355(v=msdn.10))). diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md index 88b51b6a3f..7d9f3c613e 100644 --- a/windows/security/threat-protection/auditing/audit-file-share.md +++ b/windows/security/threat-protection/auditing/audit-file-share.md 
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit File Share -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit File Share allows you to audit events related to file shares: creation, deletion, modification, and access attempts. Also, it shows failed SMB SPN checks. diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md index 98f61fc786..1d2aa49bd8 100644 --- a/windows/security/threat-protection/auditing/audit-file-system.md +++ b/windows/security/threat-protection/auditing/audit-file-system.md @@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit File System -**Applies to** -- Windows 10 -- Windows Server 2016 > [!NOTE] > For more details about applicability on older operating system versions, read the article [Audit File System](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319068(v=ws.11)). diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md index e4829f1e56..16b00b3889 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md 
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Filtering Platform Connection -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Filtering Platform Connection determines whether the operating system generates audit events when connections are allowed or blocked by the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page). diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md index d6131681ec..40a667e051 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Filtering Platform Packet Drop -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when packets are dropped by the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page). diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md index b3a9837cd5..ffefdd58cb 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md 
@@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Filtering Platform Policy Change -**Applies to** -- Windows 10 -- Windows Server 2016 Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) (WFP), such as the following: diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md index 37a86a6424..97bb5b57e1 100644 --- a/windows/security/threat-protection/auditing/audit-group-membership.md +++ b/windows/security/threat-protection/auditing/audit-group-membership.md @@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Group Membership -**Applies to** -- Windows 10 -- Windows Server 2016 By using Audit Group Membership, you can audit group memberships when they're enumerated on the client computer. diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md index e82188ac78..b64ddae053 100644 --- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md +++ b/windows/security/threat-protection/auditing/audit-handle-manipulation.md 
@@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Handle Manipulation -**Applies to** -- Windows 10 -- Windows Server 2016 Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows object’s handle duplication and close actions. diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md index 606acf77a3..1cdb6f9140 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md @@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 10/02/2018 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit IPsec Driver -**Applies to** -- Windows 10 -- Windows Server 2016 Audit IPsec Driver allows you to audit events generated by IPSec driver such as the following: diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md index 179c4e5e22..7e372d5a0e 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md 
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 10/02/2018 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit IPsec Extended Mode -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit IPsec Extended Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md index 092717cc70..675299ef05 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md @@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 10/02/2018 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit IPsec Main Mode -**Applies to** -- Windows 10 -- Windows Server 2016 Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md index fefab72132..982e294c4c 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md 
@@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 10/02/2018 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit IPsec Quick Mode -**Applies to** -- Windows 10 -- Windows Server 2016 Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. diff --git a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md index 14495b2794..c4245be658 100644 --- a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md +++ b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Kerberos Authentication Service -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Kerberos Authentication Service determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md index 3bbaa165ef..71f4e995c9 100644 --- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md +++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md 
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Kerberos Service Ticket Operations -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Kerberos Service Ticket Operations determines whether the operating system generates security audit events for Kerberos service ticket requests. diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md index f93ad96e33..7262c46dd7 100644 --- a/windows/security/threat-protection/auditing/audit-kernel-object.md +++ b/windows/security/threat-protection/auditing/audit-kernel-object.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Kernel Object -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Kernel Object determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md index a07a10fd9a..92a4bed8a5 100644 --- a/windows/security/threat-protection/auditing/audit-logoff.md +++ b/windows/security/threat-protection/auditing/audit-logoff.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 07/16/2018 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Logoff -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Logoff determines whether the operating system generates audit events when logon sessions are terminated. 
diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md index e87dd6ad1d..f3450fc499 100644 --- a/windows/security/threat-protection/auditing/audit-logon.md +++ b/windows/security/threat-protection/auditing/audit-logon.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Logon -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Logon determines whether the operating system generates audit events when a user attempts to log on to a computer. diff --git a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md index 5107277a3d..aac15f25fa 100644 --- a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit MPSSVC Rule-Level Policy Change -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md index d6ac9d53e5..97911ece3f 100644 --- a/windows/security/threat-protection/auditing/audit-network-policy-server.md +++ b/windows/security/threat-protection/auditing/audit-network-policy-server.md 
@@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Network Policy Server -**Applies to** -- Windows 10 -- Windows Server 2016 Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md index 8cf59016dd..67ef50a903 100644 --- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Non-Sensitive Privilege Use -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Non-Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges: diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md index 39fa1e83de..fa4413dbb7 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md 
@@ -1,6 +1,6 @@
 ---
 title: Audit Other Account Logon Events (Windows 10)
-description: The policy setting, Audit Other Account Logon Events, allows you to audit events generated by responses to credential requests for certain kinds of user logons.
+description: The policy setting, Audit Other Account Logon Events allows you to audit events when generated by responses to credential requests for certain kinds of user logons.
 ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3
 ms.reviewer:
 manager: dansimp
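Review bot: The new `description` line reads worse than the one it replaces. Dropping the comma after "Audit Other Account Logon Events" leaves the appositive unclosed, and "audit events when generated by responses" no longer parses. A form without the appositive avoids both problems: `description: The Audit Other Account Logon Events policy setting audits events generated by responses to credential requests for certain kinds of user logons.` The next hunk of the same file keeps the statement that this subcategory does not contain any events and is intended for future use. The description may therefore be worth aligning with that, so a reader skimming the metadata does not enable the setting expecting audit data.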
@@ -11,24 +11,19 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Other Account Logon Events -**Applies to** -- Windows 10 -- Windows Server 2016 - - **General Subcategory Information:** This auditing subcategory does not contain any events. It is intended for future use. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. | -| Member Server | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. | -| Workstation | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. | +| Domain Controller | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. | +| Member Server | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. | +| Workstation | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. | diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md index bb5d7120a3..dfa2678034 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md 
+++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Other Account Management Events -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Other Account Management Events determines whether the operating system generates user account management audit events. diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md index c123e22ef8..9314db237d 100644 --- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md +++ b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Other Logon/Logoff Events -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events. diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md index a485aa2d07..9131eff82e 100644 --- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md +++ b/windows/security/threat-protection/auditing/audit-other-object-access-events.md 
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 05/29/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Other Object Access Events -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Other Object Access Events allows you to monitor operations with scheduled tasks, COM+ objects and indirect object access requests. diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md index 5f55e34285..9119efbc58 100644 --- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md +++ b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Other Policy Change Events -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations. diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md index 7e8dea77c3..46f053cae3 100644 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md +++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md 
@@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Other Privilege Use Events -**Applies to** -- Windows 10 -- Windows Server 2016 This auditing subcategory should not have any events in it, but for some reason Success auditing will enable the generation of event [4985(S): The state of a transaction has changed](/windows/security/threat-protection/auditing/event-4985). diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md index 7554066d42..5d7042e1dc 100644 --- a/windows/security/threat-protection/auditing/audit-other-system-events.md +++ b/windows/security/threat-protection/auditing/audit-other-system-events.md @@ -11,17 +11,13 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Other System Events -**Applies to** -- Windows 10 -- Windows Server 2016 - - + Audit Other System Events contains Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures. Audit Other System Events determines whether the operating system audits various system events. diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md index 16b696e3a2..fa29bfac6d 100644 --- a/windows/security/threat-protection/auditing/audit-pnp-activity.md +++ b/windows/security/threat-protection/auditing/audit-pnp-activity.md 
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit PNP Activity -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit PNP Activity determines when Plug and Play detects an external device. diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md index 456c7082b1..b61b00d478 100644 --- a/windows/security/threat-protection/auditing/audit-process-creation.md +++ b/windows/security/threat-protection/auditing/audit-process-creation.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Process Creation -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Process Creation determines whether the operating system generates audit events when a process is created (starts). diff --git a/windows/security/threat-protection/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md index 97b0a91741..72e92a74e0 100644 --- a/windows/security/threat-protection/auditing/audit-process-termination.md +++ b/windows/security/threat-protection/auditing/audit-process-termination.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Process Termination -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Process Termination determines whether the operating system generates audit events when process has exited. 
diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md index 70a672e969..3c6407d9f5 100644 --- a/windows/security/threat-protection/auditing/audit-registry.md +++ b/windows/security/threat-protection/auditing/audit-registry.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Registry -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists ([SACL](/windows/win32/secauthz/access-control-lists)s) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md index b0ec0466fe..1b527f37be 100644 --- a/windows/security/threat-protection/auditing/audit-removable-storage.md +++ b/windows/security/threat-protection/auditing/audit-removable-storage.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Removable Storage -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on object’s [SACL](/windows/win32/secauthz/access-control-lists). 
diff --git a/windows/security/threat-protection/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md index 59202d82fa..087ff6ed52 100644 --- a/windows/security/threat-protection/auditing/audit-rpc-events.md +++ b/windows/security/threat-protection/auditing/audit-rpc-events.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit RPC Events -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit RPC Events determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made. diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md index 022b451082..df74e9eb71 100644 --- a/windows/security/threat-protection/auditing/audit-sam.md +++ b/windows/security/threat-protection/auditing/audit-sam.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit SAM -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager ([SAM](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10))) objects. diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md index c80fe834a9..db3bc5689b 100644 --- a/windows/security/threat-protection/auditing/audit-security-group-management.md +++ b/windows/security/threat-protection/auditing/audit-security-group-management.md 
@@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 02/28/2019 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Security Group Management -**Applies to** -- Windows 10 -- Windows Server 2016 Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed. diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md index 19614087bb..88a21e9a8b 100644 --- a/windows/security/threat-protection/auditing/audit-security-state-change.md +++ b/windows/security/threat-protection/auditing/audit-security-state-change.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Security State Change -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Security State Change contains Windows startup, recovery, and shutdown events, and information about changes in system time. diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md index b787507ef4..057d504bc1 100644 --- a/windows/security/threat-protection/auditing/audit-security-system-extension.md +++ b/windows/security/threat-protection/auditing/audit-security-system-extension.md 
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Security System Extension -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Security System Extension contains information about the loading of an authentication package, notification package, or security package, plus information about trusted logon process registration events. @@ -36,9 +32,9 @@ Attempts to install or load security system extensions or services are critical | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
                  For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.
                  This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
                  For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
                  This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
                  For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
                  This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
                  For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.
                  This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
                  For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
                  This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
                  For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
                  This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | **Events List:** diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md index fe6ad3206b..e54927afd1 100644 --- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Sensitive Privilege Use -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Sensitive Privilege Use contains events that show the usage of sensitive privileges. This is the list of sensitive privileges: diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md index c852e45990..7cf389f177 100644 --- a/windows/security/threat-protection/auditing/audit-special-logon.md +++ b/windows/security/threat-protection/auditing/audit-special-logon.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit Special Logon -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Special Logon determines whether the operating system generates audit events under special sign on (or log on) circumstances. diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md index f9be77c1eb..e4b357fa00 100644 --- a/windows/security/threat-protection/auditing/audit-system-integrity.md 
+++ b/windows/security/threat-protection/auditing/audit-system-integrity.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit System Integrity -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit System Integrity determines whether the operating system audits events that violate the integrity of the security subsystem. diff --git a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md index c53c887d1f..3d85c00f81 100644 --- a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md +++ b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md @@ -6,15 +6,11 @@ author: dansimp ms.author: dansimp ms.pagetype: security ms.prod: m365-security -ms.technology: mde +ms.technology: windows-sec --- # Audit Token Right Adjusted -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Token Right Adjusted allows you to audit events generated by adjusting the privileges of a token. diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md index 145e04e477..e958273064 100644 --- a/windows/security/threat-protection/auditing/audit-user-account-management.md +++ b/windows/security/threat-protection/auditing/audit-user-account-management.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit User Account Management -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit User Account Management determines whether the operating system generates audit events when specific user account management tasks are performed. 
diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md index 6051e50d2f..9b92a3022e 100644 --- a/windows/security/threat-protection/auditing/audit-user-device-claims.md +++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit User/Device Claims -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit User/Device Claims allows you to audit user and device claims information in the account’s logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md index 7e9d098f5d..e8f37ef2fc 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit account logon events -**Applies to** -- Windows 10 Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account. diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index 5541fc0f63..1656e7f0eb 100644 
--- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit account management -**Applies to** -- Windows 10 Determines whether to audit each event of account management on a device. diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md index e52e2e7382..37ea6c6cb7 100644 --- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit directory service access -**Applies to** -- Windows 10 Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified. diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md index c730790cfa..01b1068234 100644 --- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md 
@@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit logon events -**Applies to** -- Windows 10 Determines whether to audit each instance of a user logging on to or logging off from a device. diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md index 7bb1357af3..713700f0c2 100644 --- a/windows/security/threat-protection/auditing/basic-audit-object-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit object access -**Applies to** -- Windows 10 Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified. diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md index a04167e8c2..ab4eb9ba52 100644 --- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit policy change -**Applies to** -- Windows 10 Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. 
diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md index 4b6a28a415..9949cfab8d 100644 --- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md +++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit privilege use -**Applies to** -- Windows 10 Determines whether to audit each instance of a user exercising a user right. diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md index c2e1ff94ca..a1234e42c5 100644 --- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md +++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit process tracking -**Applies to** -- Windows 10 Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md index 8c5e33028e..0f97e6acd1 100644 --- a/windows/security/threat-protection/auditing/basic-audit-system-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md 
@@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Audit system events -**Applies to** -- Windows 10 Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md index fd291c792a..252459caae 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Basic security audit policies -**Applies to** -- Windows 10 Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization. diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md index 0ddb0a6152..37f8dddc0f 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md 
@@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/06/2021 +ms.technology: windows-sec --- # Basic security audit policy settings -**Applies to** -- Windows 10 Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md index 526946d4b5..45befb2420 100644 --- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md +++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Create a basic audit policy for an event category -**Applies to** -- Windows 10 By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default. diff --git a/windows/security/threat-protection/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md index f3fbd46308..1a67e3d958 100644 --- a/windows/security/threat-protection/auditing/event-1100.md +++ b/windows/security/threat-protection/auditing/event-1100.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 1100(S): The event logging service has shut down. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 1100 illustration diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md index fecf1badde..51ff35f0c9 100644 --- a/windows/security/threat-protection/auditing/event-1102.md +++ b/windows/security/threat-protection/auditing/event-1102.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 1102(S): The audit log was cleared. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 1102 illustration diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md index 8d6a8dfd16..53c67d234b 100644 --- a/windows/security/threat-protection/auditing/event-1104.md +++ b/windows/security/threat-protection/auditing/event-1104.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 1104(S): The security log is now full. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 1104 illustration diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md index ca327249e4..ae939ee4ca 100644 --- a/windows/security/threat-protection/auditing/event-1105.md +++ b/windows/security/threat-protection/auditing/event-1105.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 1105(S): Event log automatic backup -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 1105 illustration diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md index 440e411f38..7e9e4a1dd4 100644 --- a/windows/security/threat-protection/auditing/event-1108.md +++ b/windows/security/threat-protection/auditing/event-1108.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 1108(S): The event logging service encountered an error while processing an incoming event published from %1. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 1108 illustration diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md index 6372e6acc2..955c45883a 100644 --- a/windows/security/threat-protection/auditing/event-4608.md +++ b/windows/security/threat-protection/auditing/event-4608.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4608(S): Windows is starting up. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4608 illustration diff --git a/windows/security/threat-protection/auditing/event-4610.md b/windows/security/threat-protection/auditing/event-4610.md index aba324fd61..4248720724 100644 --- a/windows/security/threat-protection/auditing/event-4610.md 
+++ b/windows/security/threat-protection/auditing/event-4610.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4610(S): An authentication package has been loaded by the Local Security Authority. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4610 illustration diff --git a/windows/security/threat-protection/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md index 50583e6f70..fe6ba0faa7 100644 --- a/windows/security/threat-protection/auditing/event-4611.md +++ b/windows/security/threat-protection/auditing/event-4611.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4611(S): A trusted logon process has been registered with the Local Security Authority. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4611 illustration diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md index c4561550d5..151c9f9d71 100644 --- a/windows/security/threat-protection/auditing/event-4612.md +++ b/windows/security/threat-protection/auditing/event-4612.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk. diff --git a/windows/security/threat-protection/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md index ca4c161420..9b4a55bf5e 100644 --- a/windows/security/threat-protection/auditing/event-4614.md +++ b/windows/security/threat-protection/auditing/event-4614.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4614(S): A notification package has been loaded by the Security Account Manager. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4614 illustration diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md index 6c8f9cd7ac..ffcc91a1f2 100644 --- a/windows/security/threat-protection/auditing/event-4615.md +++ b/windows/security/threat-protection/auditing/event-4615.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4615(S): Invalid use of LPC port. -**Applies to** -- Windows 10 -- Windows Server 2016 - It appears that this event never occurs. diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md index 690bde945f..4e13fb8824 100644 --- a/windows/security/threat-protection/auditing/event-4616.md +++ b/windows/security/threat-protection/auditing/event-4616.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4616(S): The system time was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4616 illustration diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md index c1bc41f942..f67334d36a 100644 --- a/windows/security/threat-protection/auditing/event-4618.md +++ b/windows/security/threat-protection/auditing/event-4618.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4618(S): A monitored security event pattern has occurred. -**Applies to** -- Windows 10 -- Windows Server 2016 - ***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) diff --git a/windows/security/threat-protection/auditing/event-4621.md b/windows/security/threat-protection/auditing/event-4621.md index 9ffb0fee15..e4188be9df 100644 
--- a/windows/security/threat-protection/auditing/event-4621.md +++ b/windows/security/threat-protection/auditing/event-4621.md @@ -7,18 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4621(S): Administrator recovered system from CrashOnAuditFail. -**Applies to** -- Windows 10 -- Windows Server 2016 This event is logged after a system reboots following [CrashOnAuditFail](/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)?f=255&MSPPError=-2147217396). It generates when CrashOnAuditFail = 2. diff --git a/windows/security/threat-protection/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md index 46f54afcca..150ef448af 100644 --- a/windows/security/threat-protection/auditing/event-4622.md +++ b/windows/security/threat-protection/auditing/event-4622.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4622(S): A security package has been loaded by the Local Security Authority. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4622 illustration 
@@ -101,4 +97,4 @@ These are some Security Package DLLs loaded by default in Windows 10: For 4622(S): A security package has been loaded by the Local Security Authority. -- Typically this event has an informational purpose. If you defined the list of allowed Security Packages in the system, then you can check is “**Security Package Name”** field value in the allow list or not. \ No newline at end of file +- Typically this event has an informational purpose. If you defined the list of allowed Security Packages in the system, then you can check is “**Security Package Name”** field value in the allowlist or not. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index a61449dada..985c5b0e59 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4624(S): An account was successfully logged on. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4624 illustration diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index d613787ba3..9f97418b4d 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4625(F): An account failed to log on. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4625 illustration 
@@ -186,7 +182,7 @@ This event generates on domain controllers, member servers, and workstations. | 0x0 | Status OK. | > [!NOTE] -> To see the meaning of other status or substatus codes, you might also check for status code in the Window header file ntstatus.h in Windows SDK. +> To see the meaning of other status or substatus codes, you might also check for status code in the Windows header file ntstatus.h in Windows SDK. More information: diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md index 667de4c561..be7bf13b02 100644 --- a/windows/security/threat-protection/auditing/event-4626.md +++ b/windows/security/threat-protection/auditing/event-4626.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4626(S): User/Device claims information. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4626 illustration diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md index 4a4fce1919..b484de7d2d 100644 --- a/windows/security/threat-protection/auditing/event-4627.md +++ b/windows/security/threat-protection/auditing/event-4627.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4627(S): Group membership information. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4627 illustration diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md index b0541e2dbb..71887eccc4 100644 
--- a/windows/security/threat-protection/auditing/event-4634.md +++ b/windows/security/threat-protection/auditing/event-4634.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 11/20/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4634(S): An account was logged off. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4634 illustration diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md index 14dc2a7083..b30de5ea3f 100644 --- a/windows/security/threat-protection/auditing/event-4647.md +++ b/windows/security/threat-protection/auditing/event-4647.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4647(S): User initiated logoff. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4647 illustration diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md index 44eb565de4..7f4517f3d0 100644 --- a/windows/security/threat-protection/auditing/event-4648.md +++ b/windows/security/threat-protection/auditing/event-4648.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4648(S): A logon was attempted using explicit credentials. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4648 illustration 
diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md index 06ae9ca1aa..f3b32117be 100644 --- a/windows/security/threat-protection/auditing/event-4649.md +++ b/windows/security/threat-protection/auditing/event-4649.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4649(S): A replay attack was detected. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates on domain controllers when **KRB\_AP\_ERR\_REPEAT** Kerberos response was sent to the client. diff --git a/windows/security/threat-protection/auditing/event-4656.md b/windows/security/threat-protection/auditing/event-4656.md index 7332ad06b8..4da92be0ed 100644 --- a/windows/security/threat-protection/auditing/event-4656.md +++ b/windows/security/threat-protection/auditing/event-4656.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4656(S, F): A handle to an object was requested. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4656 illustration diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md index e0d0985203..9e788eb845 100644 --- a/windows/security/threat-protection/auditing/event-4657.md +++ b/windows/security/threat-protection/auditing/event-4657.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4657(S): A registry value was modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4657 illustration diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md index 85b56fb6d0..8f88502248 100644 --- a/windows/security/threat-protection/auditing/event-4658.md +++ b/windows/security/threat-protection/auditing/event-4658.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4658(S): The handle to an object was closed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4658 illustration diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md index 7a921090fd..0be89f17f1 100644 --- a/windows/security/threat-protection/auditing/event-4660.md +++ b/windows/security/threat-protection/auditing/event-4660.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4660(S): An object was deleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4660 illustration diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md index 27afd56d00..2485aae2b6 100644 --- a/windows/security/threat-protection/auditing/event-4661.md +++ b/windows/security/threat-protection/auditing/event-4661.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4661(S, F): A handle to an object was requested. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4661 illustration diff --git a/windows/security/threat-protection/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md index b9d488c090..5e9f6832a9 100644 --- a/windows/security/threat-protection/auditing/event-4662.md +++ b/windows/security/threat-protection/auditing/event-4662.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4662(S, F): An operation was performed on an object. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4662 illustration diff --git a/windows/security/threat-protection/auditing/event-4663.md b/windows/security/threat-protection/auditing/event-4663.md index efa297ac08..8001bded3b 100644 --- a/windows/security/threat-protection/auditing/event-4663.md +++ b/windows/security/threat-protection/auditing/event-4663.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4663(S): An attempt was made to access an object. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4663 illustration diff --git a/windows/security/threat-protection/auditing/event-4664.md b/windows/security/threat-protection/auditing/event-4664.md index 9c99e5f2bc..e998b508ce 100644 --- a/windows/security/threat-protection/auditing/event-4664.md 
+++ b/windows/security/threat-protection/auditing/event-4664.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4664(S): An attempt was made to create a hard link. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4664 illustration diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md index ea7d4dcf1e..059fde7e55 100644 --- a/windows/security/threat-protection/auditing/event-4670.md +++ b/windows/security/threat-protection/auditing/event-4670.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4670(S): Permissions on an object were changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4670 illustration diff --git a/windows/security/threat-protection/auditing/event-4671.md b/windows/security/threat-protection/auditing/event-4671.md index fb46f1fb5a..c1374cae22 100644 --- a/windows/security/threat-protection/auditing/event-4671.md +++ b/windows/security/threat-protection/auditing/event-4671.md 
@@ -7,20 +7,16 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4671(-): An application attempted to access a blocked ordinal through the TBS. -**Applies to** -- Windows 10 -- Windows Server 2016 - - +* Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. ***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md index 479e31207b..af47315a26 100644 --- a/windows/security/threat-protection/auditing/event-4672.md +++ b/windows/security/threat-protection/auditing/event-4672.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 12/20/2018 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4672(S): Special privileges assigned to new logon. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4672 illustration
                  diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md index cf5ef8d500..6252059b6d 100644 --- a/windows/security/threat-protection/auditing/event-4673.md +++ b/windows/security/threat-protection/auditing/event-4673.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4673(S, F): A privileged service was called. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4673 illustration diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md index 734ce174c2..9f1b9914da 100644 --- a/windows/security/threat-protection/auditing/event-4674.md +++ b/windows/security/threat-protection/auditing/event-4674.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4674(S, F): An operation was attempted on a privileged object. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4674 illustration diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md index 0af7742f2c..47a81b9444 100644 --- a/windows/security/threat-protection/auditing/event-4675.md +++ b/windows/security/threat-protection/auditing/event-4675.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4675(S): SIDs were filtered. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates when SIDs were filtered for specific Active Directory trust. diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index fbb93d7b9b..fd44f24170 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4688(S): A new process has been created. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4688 illustration diff --git a/windows/security/threat-protection/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md index 99bee451d9..74412386d9 100644 --- a/windows/security/threat-protection/auditing/event-4689.md +++ b/windows/security/threat-protection/auditing/event-4689.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4689(S): A process has exited. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4689 illustration diff --git a/windows/security/threat-protection/auditing/event-4690.md b/windows/security/threat-protection/auditing/event-4690.md index d7a23d1da4..f588b637ce 100644 --- a/windows/security/threat-protection/auditing/event-4690.md 
+++ b/windows/security/threat-protection/auditing/event-4690.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4690(S): An attempt was made to duplicate a handle to an object. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4690 illustration diff --git a/windows/security/threat-protection/auditing/event-4691.md b/windows/security/threat-protection/auditing/event-4691.md index c7ea74bdd7..45e0209fc6 100644 --- a/windows/security/threat-protection/auditing/event-4691.md +++ b/windows/security/threat-protection/auditing/event-4691.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4691(S): Indirect access to an object was requested. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4691 illustration diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md index 064c922cb4..f68457c377 100644 --- a/windows/security/threat-protection/auditing/event-4692.md +++ b/windows/security/threat-protection/auditing/event-4692.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4692(S, F): Backup of data protection master key was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4692 illustration diff --git a/windows/security/threat-protection/auditing/event-4693.md b/windows/security/threat-protection/auditing/event-4693.md index 1359ef1968..21e769eae0 100644 
--- a/windows/security/threat-protection/auditing/event-4693.md +++ b/windows/security/threat-protection/auditing/event-4693.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4693(S, F): Recovery of data protection master key was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4693 illustration diff --git a/windows/security/threat-protection/auditing/event-4694.md b/windows/security/threat-protection/auditing/event-4694.md index 0b35bda1ba..1f64dc3491 100644 --- a/windows/security/threat-protection/auditing/event-4694.md +++ b/windows/security/threat-protection/auditing/event-4694.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4694(S, F): Protection of auditable protected data was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates if [DPAPI](/previous-versions/ms995355(v=msdn.10))  [**CryptProtectData**](/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata)() function was used with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled. diff --git a/windows/security/threat-protection/auditing/event-4695.md b/windows/security/threat-protection/auditing/event-4695.md index 9acd287be1..f4c77584c7 100644 --- a/windows/security/threat-protection/auditing/event-4695.md +++ b/windows/security/threat-protection/auditing/event-4695.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4695(S, F): Unprotection of auditable protected data was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates if [DPAPI](/previous-versions/ms995355(v=msdn.10)) [CryptUnprotectData](/windows/win32/api/dpapi/nf-dpapi-cryptunprotectdata)() function was used to unprotect “auditable” data that was encrypted using [**CryptProtectData**](/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata)() function with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled. diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md index f156dc723b..37ca02dd04 100644 --- a/windows/security/threat-protection/auditing/event-4696.md +++ b/windows/security/threat-protection/auditing/event-4696.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4696(S): A primary token was assigned to process. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4696 illustration diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md index 870352146b..16ace0c0a6 100644 --- a/windows/security/threat-protection/auditing/event-4697.md +++ b/windows/security/threat-protection/auditing/event-4697.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4697(S): A service was installed in the system. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4697 illustration diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md index 9ca662fa59..fae37ea9f2 100644 --- a/windows/security/threat-protection/auditing/event-4698.md +++ b/windows/security/threat-protection/auditing/event-4698.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4698(S): A scheduled task was created. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4698 illustration diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md index dd814dd942..dcea15f17d 100644 --- a/windows/security/threat-protection/auditing/event-4699.md +++ b/windows/security/threat-protection/auditing/event-4699.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4699(S): A scheduled task was deleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4699 illustration diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md index e72f7d19f0..2a46c16d19 100644 --- a/windows/security/threat-protection/auditing/event-4700.md 
+++ b/windows/security/threat-protection/auditing/event-4700.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4700(S): A scheduled task was enabled. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4700 illustration diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md index e407e2bbbb..e7bc488cc8 100644 --- a/windows/security/threat-protection/auditing/event-4701.md +++ b/windows/security/threat-protection/auditing/event-4701.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4701(S): A scheduled task was disabled. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4701 illustration diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md index 15d128ceef..78fee18be6 100644 --- a/windows/security/threat-protection/auditing/event-4702.md +++ b/windows/security/threat-protection/auditing/event-4702.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4702(S): A scheduled task was updated. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4702 illustration diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md index e8b7ecded9..938491bf3a 100644 --- a/windows/security/threat-protection/auditing/event-4703.md 
+++ b/windows/security/threat-protection/auditing/event-4703.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4703(S): A user right was adjusted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4703 illustration diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md index cb6b95669b..b76c240efe 100644 --- a/windows/security/threat-protection/auditing/event-4704.md +++ b/windows/security/threat-protection/auditing/event-4704.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4704(S): A user right was assigned. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4704 illustration diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md index 5588e33560..b4ecb04b99 100644 --- a/windows/security/threat-protection/auditing/event-4705.md +++ b/windows/security/threat-protection/auditing/event-4705.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4705(S): A user right was removed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4705 illustration diff --git a/windows/security/threat-protection/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md index e0abbded89..5d2f62ef77 100644 --- a/windows/security/threat-protection/auditing/event-4706.md 
+++ b/windows/security/threat-protection/auditing/event-4706.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4706(S): A new trust was created to a domain. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4706 illustration diff --git a/windows/security/threat-protection/auditing/event-4707.md b/windows/security/threat-protection/auditing/event-4707.md index f16f66bdcd..be0c79ea65 100644 --- a/windows/security/threat-protection/auditing/event-4707.md +++ b/windows/security/threat-protection/auditing/event-4707.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4707(S): A trust to a domain was removed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4707 illustration diff --git a/windows/security/threat-protection/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md index 032446b19b..d54358f133 100644 --- a/windows/security/threat-protection/auditing/event-4713.md +++ b/windows/security/threat-protection/auditing/event-4713.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4713(S): Kerberos policy was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4713 illustration diff --git a/windows/security/threat-protection/auditing/event-4714.md b/windows/security/threat-protection/auditing/event-4714.md index d7c176a754..6ff804511a 100644 
--- a/windows/security/threat-protection/auditing/event-4714.md +++ b/windows/security/threat-protection/auditing/event-4714.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4714(S): Encrypted data recovery policy was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4714 illustration diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md index d4e9d14839..6b6faa90fa 100644 --- a/windows/security/threat-protection/auditing/event-4715.md +++ b/windows/security/threat-protection/auditing/event-4715.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4715(S): The audit policy (SACL) on an object was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4715 illustration diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md index 1cd47c82c4..7f058962db 100644 --- a/windows/security/threat-protection/auditing/event-4716.md +++ b/windows/security/threat-protection/auditing/event-4716.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/04/2019 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4716(S): Trusted domain information was modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4716 illustration 
diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md index bd3378f122..33d3817929 100644 --- a/windows/security/threat-protection/auditing/event-4717.md +++ b/windows/security/threat-protection/auditing/event-4717.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4717(S): System security access was granted to an account. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4717 illustration diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md index 4c8c676ce4..a7e1307af2 100644 --- a/windows/security/threat-protection/auditing/event-4718.md +++ b/windows/security/threat-protection/auditing/event-4718.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4718(S): System security access was removed from an account. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4718 illustration diff --git a/windows/security/threat-protection/auditing/event-4719.md b/windows/security/threat-protection/auditing/event-4719.md index 98469b6945..1a2dabdc7e 100644 --- a/windows/security/threat-protection/auditing/event-4719.md +++ b/windows/security/threat-protection/auditing/event-4719.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4719(S): System audit policy was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4719 illustration diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md index 1569aebb53..7e6fc9cb68 100644 --- a/windows/security/threat-protection/auditing/event-4720.md +++ b/windows/security/threat-protection/auditing/event-4720.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4720(S): A user account was created. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4720 illustration diff --git a/windows/security/threat-protection/auditing/event-4722.md b/windows/security/threat-protection/auditing/event-4722.md index e156a9bedf..c29e7669bc 100644 --- a/windows/security/threat-protection/auditing/event-4722.md +++ b/windows/security/threat-protection/auditing/event-4722.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4722(S): A user account was enabled. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4722 illustration diff --git a/windows/security/threat-protection/auditing/event-4723.md b/windows/security/threat-protection/auditing/event-4723.md index 8a2eb1aa9b..1246930e5a 100644 --- a/windows/security/threat-protection/auditing/event-4723.md +++ b/windows/security/threat-protection/auditing/event-4723.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4723(S, F): An attempt was made to change an account's password. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4723 illustration diff --git a/windows/security/threat-protection/auditing/event-4724.md b/windows/security/threat-protection/auditing/event-4724.md index f360a13828..02d75f0b1d 100644 --- a/windows/security/threat-protection/auditing/event-4724.md +++ b/windows/security/threat-protection/auditing/event-4724.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4724(S, F): An attempt was made to reset an account's password. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4724 illustration diff --git a/windows/security/threat-protection/auditing/event-4725.md b/windows/security/threat-protection/auditing/event-4725.md index 5be795b261..f5f7dac0af 100644 --- a/windows/security/threat-protection/auditing/event-4725.md +++ b/windows/security/threat-protection/auditing/event-4725.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4725(S): A user account was disabled. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4725 illustration diff --git a/windows/security/threat-protection/auditing/event-4726.md b/windows/security/threat-protection/auditing/event-4726.md index f8f7ffba8c..0b050a132b 100644 --- a/windows/security/threat-protection/auditing/event-4726.md 
+++ b/windows/security/threat-protection/auditing/event-4726.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4726(S): A user account was deleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4726 illustration diff --git a/windows/security/threat-protection/auditing/event-4731.md b/windows/security/threat-protection/auditing/event-4731.md index 78d8e0e0c8..b4faf3a540 100644 --- a/windows/security/threat-protection/auditing/event-4731.md +++ b/windows/security/threat-protection/auditing/event-4731.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4731(S): A security-enabled local group was created. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4731 illustration diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md index 2619367fa3..f81e218a6c 100644 --- a/windows/security/threat-protection/auditing/event-4732.md +++ b/windows/security/threat-protection/auditing/event-4732.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4732(S): A member was added to a security-enabled local group. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4732 illustration diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md index 219ebdc036..a0d46b343b 100644 
--- a/windows/security/threat-protection/auditing/event-4733.md +++ b/windows/security/threat-protection/auditing/event-4733.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4733(S): A member was removed from a security-enabled local group. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4733 illustration diff --git a/windows/security/threat-protection/auditing/event-4734.md b/windows/security/threat-protection/auditing/event-4734.md index df33b3726f..1e677a0bdc 100644 --- a/windows/security/threat-protection/auditing/event-4734.md +++ b/windows/security/threat-protection/auditing/event-4734.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4734(S): A security-enabled local group was deleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4734 illustration diff --git a/windows/security/threat-protection/auditing/event-4735.md b/windows/security/threat-protection/auditing/event-4735.md index 14d1e6df28..a545b2f85b 100644 --- a/windows/security/threat-protection/auditing/event-4735.md +++ b/windows/security/threat-protection/auditing/event-4735.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4735(S): A security-enabled local group was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4735 illustration 
diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md index f62d7e4ba8..d78373e561 100644 --- a/windows/security/threat-protection/auditing/event-4738.md +++ b/windows/security/threat-protection/auditing/event-4738.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4738(S): A user account was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4738 illustration diff --git a/windows/security/threat-protection/auditing/event-4739.md b/windows/security/threat-protection/auditing/event-4739.md index e3268f4c69..23b0cf6823 100644 --- a/windows/security/threat-protection/auditing/event-4739.md +++ b/windows/security/threat-protection/auditing/event-4739.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4739(S): Domain Policy was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4739 illustration diff --git a/windows/security/threat-protection/auditing/event-4740.md b/windows/security/threat-protection/auditing/event-4740.md index db7139e935..834f4b9ed5 100644 --- a/windows/security/threat-protection/auditing/event-4740.md +++ b/windows/security/threat-protection/auditing/event-4740.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4740(S): A user account was locked out. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4740 illustration 
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md index 6c83f23d1e..b35fb7facd 100644 --- a/windows/security/threat-protection/auditing/event-4741.md +++ b/windows/security/threat-protection/auditing/event-4741.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4741(S): A computer account was created. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4741 illustration diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md index 5d0cda5110..1f1d3bee7a 100644 --- a/windows/security/threat-protection/auditing/event-4742.md +++ b/windows/security/threat-protection/auditing/event-4742.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4742(S): A computer account was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4742 illustration diff --git a/windows/security/threat-protection/auditing/event-4743.md b/windows/security/threat-protection/auditing/event-4743.md index 3402a5e1d7..76be20055b 100644 --- a/windows/security/threat-protection/auditing/event-4743.md +++ b/windows/security/threat-protection/auditing/event-4743.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4743(S): A computer account was deleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4743 illustration 
diff --git a/windows/security/threat-protection/auditing/event-4749.md b/windows/security/threat-protection/auditing/event-4749.md index 478ae9e021..71f28544ca 100644 --- a/windows/security/threat-protection/auditing/event-4749.md +++ b/windows/security/threat-protection/auditing/event-4749.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4749(S): A security-disabled global group was created. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4749 illustration diff --git a/windows/security/threat-protection/auditing/event-4750.md b/windows/security/threat-protection/auditing/event-4750.md index 1a8a03f92a..28a17fc94c 100644 --- a/windows/security/threat-protection/auditing/event-4750.md +++ b/windows/security/threat-protection/auditing/event-4750.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4750(S): A security-disabled global group was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4750 illustration diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md index cc06f2ae5d..d698721321 100644 --- a/windows/security/threat-protection/auditing/event-4751.md +++ b/windows/security/threat-protection/auditing/event-4751.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4751(S): A member was added to a security-disabled global group. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4751 illustration diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md index ef79c01bca..2aa9dcd01a 100644 --- a/windows/security/threat-protection/auditing/event-4752.md +++ b/windows/security/threat-protection/auditing/event-4752.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4752(S): A member was removed from a security-disabled global group. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4752 illustration diff --git a/windows/security/threat-protection/auditing/event-4753.md b/windows/security/threat-protection/auditing/event-4753.md index 45b9de0d33..d8bb64a34a 100644 --- a/windows/security/threat-protection/auditing/event-4753.md +++ b/windows/security/threat-protection/auditing/event-4753.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4753(S): A security-disabled global group was deleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4753 illustration diff --git a/windows/security/threat-protection/auditing/event-4764.md b/windows/security/threat-protection/auditing/event-4764.md index 3b50ba9bf1..2cd0957d10 100644 --- a/windows/security/threat-protection/auditing/event-4764.md 
+++ b/windows/security/threat-protection/auditing/event-4764.md @@ -7,18 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4764(S): A group’s type was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 Event 4764 illustration diff --git a/windows/security/threat-protection/auditing/event-4765.md b/windows/security/threat-protection/auditing/event-4765.md index ff685d9081..f171b29603 100644 --- a/windows/security/threat-protection/auditing/event-4765.md +++ b/windows/security/threat-protection/auditing/event-4765.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4765(S): SID History was added to an account. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates when [SID History](/windows/win32/adschema/a-sidhistory) was added to an account. diff --git a/windows/security/threat-protection/auditing/event-4766.md b/windows/security/threat-protection/auditing/event-4766.md index 7593423b22..9b0d0db5fe 100644 --- a/windows/security/threat-protection/auditing/event-4766.md +++ b/windows/security/threat-protection/auditing/event-4766.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4766(F): An attempt to add SID History to an account failed. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates when an attempt to add [SID History](/windows/win32/adschema/a-sidhistory) to an account failed. 
diff --git a/windows/security/threat-protection/auditing/event-4767.md b/windows/security/threat-protection/auditing/event-4767.md index cf7b13e4f0..a7b6929712 100644 --- a/windows/security/threat-protection/auditing/event-4767.md +++ b/windows/security/threat-protection/auditing/event-4767.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4767(S): A user account was unlocked. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4767 illustration diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md index 64156ecd85..6846561482 100644 --- a/windows/security/threat-protection/auditing/event-4768.md +++ b/windows/security/threat-protection/auditing/event-4768.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 10/20/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4768(S, F): A Kerberos authentication ticket (TGT) was requested. -**Applies to** -- Windows 10 -- Windows Server 2016 - :::image type="content" alt-text="Event 4768 illustration." source="images/event-4768.png"::: 
@@ -33,7 +29,7 @@ This event generates only on domain controllers. If TGT issue fails then you will see Failure event with **Result Code** field not equal to “**0x0**”. -This event doesn't generate for **Result Codes**: 0x10, 0x17 and 0x18. Event “[4771](event-4771.md): Kerberos pre-authentication failed.” generates instead. +This event doesn't generate for **Result Codes**: 0x10 and 0x18. Event “[4771](event-4771.md): Kerberos pre-authentication failed.” generates instead. > [!NOTE] > For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index 5c460724b8..c3ad787f9e 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4769(S, F): A Kerberos service ticket was requested. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4769 illustration diff --git a/windows/security/threat-protection/auditing/event-4770.md b/windows/security/threat-protection/auditing/event-4770.md index ac38dc82f9..40f752135e 100644 --- a/windows/security/threat-protection/auditing/event-4770.md +++ b/windows/security/threat-protection/auditing/event-4770.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4770(S): A Kerberos service ticket was renewed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4770 illustration 
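Review bot: In the event-4768.md hunk at `@@ -33,7 +29,7 @@`, dropping 0x17 from the codes reported as 4771 implies that expired-password failures (0x17 is KDC_ERR_KEY_EXPIRED in RFC 4120) now appear as 4768 Failure events, but the new sentence never says so. The event-4771.md hunk in this commit touches only front matter, so if that page's failure-code list still names 0x17 the two pages would disagree; that should be checked before merge. If the new behaviour is what is intended, I would state it outright after the changed sentence, for example `Result Code 0x17 is reported in a 4768 Failure event, not in 4771.` Anyone alerting on 4771 alone for pre-authentication failures would otherwise not know to collect 4768 failures for this code as well.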
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index c5aea23ecb..e2b66d8905 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 07/23/2020 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4771(F): Kerberos pre-authentication failed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4771 illustration diff --git a/windows/security/threat-protection/auditing/event-4772.md b/windows/security/threat-protection/auditing/event-4772.md index 2124b16bb1..384ea2a5e0 100644 --- a/windows/security/threat-protection/auditing/event-4772.md +++ b/windows/security/threat-protection/auditing/event-4772.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4772(F): A Kerberos authentication ticket request failed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4768](event-4768.md) failure event is generated instead. diff --git a/windows/security/threat-protection/auditing/event-4773.md b/windows/security/threat-protection/auditing/event-4773.md index ba672478d8..35ad7f2c6e 100644 --- a/windows/security/threat-protection/auditing/event-4773.md +++ b/windows/security/threat-protection/auditing/event-4773.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4773(F): A Kerberos service ticket request failed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4769](event-4769.md) failure event is generated instead. diff --git a/windows/security/threat-protection/auditing/event-4774.md b/windows/security/threat-protection/auditing/event-4774.md index 08eb0fe72f..d7e73812a8 100644 --- a/windows/security/threat-protection/auditing/event-4774.md +++ b/windows/security/threat-protection/auditing/event-4774.md @@ -7,18 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4774(S, F): An account was mapped for logon. -**Applies to** -- Windows 10 -- Windows Server 2016 Success events do not appear to occur. Failure event [has been reported](http://forum.ultimatewindowssecurity.com/Topic7313-282-1.aspx). diff --git a/windows/security/threat-protection/auditing/event-4775.md b/windows/security/threat-protection/auditing/event-4775.md index cf27ccdf2a..b635329953 100644 --- a/windows/security/threat-protection/auditing/event-4775.md +++ b/windows/security/threat-protection/auditing/event-4775.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4775(F): An account could not be mapped for logon. -**Applies to** -- Windows 10 -- Windows Server 2016 - It appears that this event never occurs. 
diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md index 8b9727aaa0..06430da291 100644 --- a/windows/security/threat-protection/auditing/event-4776.md +++ b/windows/security/threat-protection/auditing/event-4776.md @@ -11,15 +11,11 @@ ms.date: 09/13/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4776(S, F): The computer attempted to validate the credentials for an account. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4776 illustration diff --git a/windows/security/threat-protection/auditing/event-4777.md b/windows/security/threat-protection/auditing/event-4777.md index 28a4b42d08..74b68ee4d4 100644 --- a/windows/security/threat-protection/auditing/event-4777.md +++ b/windows/security/threat-protection/auditing/event-4777.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4777(F): The domain controller failed to validate the credentials for an account. -**Applies to** -- Windows 10 -- Windows Server 2016 - Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4776](event-4776.md) failure event is generated instead. diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md index 8293e41487..085731bdc1 100644 --- a/windows/security/threat-protection/auditing/event-4778.md +++ b/windows/security/threat-protection/auditing/event-4778.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4778(S): A session was reconnected to a Window Station. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4778 illustration diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md index 29836498cc..ab9e18736c 100644 --- a/windows/security/threat-protection/auditing/event-4779.md +++ b/windows/security/threat-protection/auditing/event-4779.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4779(S): A session was disconnected from a Window Station. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4779 illustration diff --git a/windows/security/threat-protection/auditing/event-4780.md b/windows/security/threat-protection/auditing/event-4780.md index 00faedae10..eb96a39284 100644 --- a/windows/security/threat-protection/auditing/event-4780.md +++ b/windows/security/threat-protection/auditing/event-4780.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4780(S): The ACL was set on accounts which are members of administrators groups. -**Applies to** -- Windows 10 -- Windows Server 2016 - Every hour, the domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative or security-sensitive groups and which have AdminCount attribute = 1 against the ACL on the [AdminSDHolder](/previous-versions/technet-magazine/ee361593(v=msdn.10)) object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated. diff --git a/windows/security/threat-protection/auditing/event-4781.md b/windows/security/threat-protection/auditing/event-4781.md index 2adb3bcac5..9cea675049 100644 --- a/windows/security/threat-protection/auditing/event-4781.md +++ b/windows/security/threat-protection/auditing/event-4781.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4781(S): The name of an account was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4781 illustration diff --git a/windows/security/threat-protection/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md index e0ecc19336..1079ddc301 100644 --- a/windows/security/threat-protection/auditing/event-4782.md 
+++ b/windows/security/threat-protection/auditing/event-4782.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4782(S): The password hash of an account was accessed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4782 illustration diff --git a/windows/security/threat-protection/auditing/event-4793.md b/windows/security/threat-protection/auditing/event-4793.md index 4b75a802d5..13abde059c 100644 --- a/windows/security/threat-protection/auditing/event-4793.md +++ b/windows/security/threat-protection/auditing/event-4793.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4793(S): The Password Policy Checking API was called. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4793 illustration diff --git a/windows/security/threat-protection/auditing/event-4794.md b/windows/security/threat-protection/auditing/event-4794.md index 6e585048c1..a96c2d8aa5 100644 --- a/windows/security/threat-protection/auditing/event-4794.md +++ b/windows/security/threat-protection/auditing/event-4794.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4794 illustration 
diff --git a/windows/security/threat-protection/auditing/event-4798.md b/windows/security/threat-protection/auditing/event-4798.md index 3fddfd9b65..d3885f4283 100644 --- a/windows/security/threat-protection/auditing/event-4798.md +++ b/windows/security/threat-protection/auditing/event-4798.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4798(S): A user's local group membership was enumerated. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4798 illustration diff --git a/windows/security/threat-protection/auditing/event-4799.md b/windows/security/threat-protection/auditing/event-4799.md index 18b337fcdc..1bdc01b928 100644 --- a/windows/security/threat-protection/auditing/event-4799.md +++ b/windows/security/threat-protection/auditing/event-4799.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4799(S): A security-enabled local group membership was enumerated. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4799 illustration diff --git a/windows/security/threat-protection/auditing/event-4800.md b/windows/security/threat-protection/auditing/event-4800.md index 92c543f8b0..205a90c987 100644 --- a/windows/security/threat-protection/auditing/event-4800.md +++ b/windows/security/threat-protection/auditing/event-4800.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4800(S): The workstation was locked. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4800 illustration diff --git a/windows/security/threat-protection/auditing/event-4801.md b/windows/security/threat-protection/auditing/event-4801.md index ed7c8ec85c..0bfcfb1278 100644 --- a/windows/security/threat-protection/auditing/event-4801.md +++ b/windows/security/threat-protection/auditing/event-4801.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4801(S): The workstation was unlocked. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4801 illustration diff --git a/windows/security/threat-protection/auditing/event-4802.md b/windows/security/threat-protection/auditing/event-4802.md index 9f5fa2b8e3..78cf0e5d14 100644 --- a/windows/security/threat-protection/auditing/event-4802.md +++ b/windows/security/threat-protection/auditing/event-4802.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4802(S): The screen saver was invoked. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4802 illustration diff --git a/windows/security/threat-protection/auditing/event-4803.md b/windows/security/threat-protection/auditing/event-4803.md index 20304e4527..94aed424ab 100644 --- a/windows/security/threat-protection/auditing/event-4803.md +++ b/windows/security/threat-protection/auditing/event-4803.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4803(S): The screen saver was dismissed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4803 illustration diff --git a/windows/security/threat-protection/auditing/event-4816.md b/windows/security/threat-protection/auditing/event-4816.md index 9e36c52bb1..93576951c1 100644 --- a/windows/security/threat-protection/auditing/event-4816.md +++ b/windows/security/threat-protection/auditing/event-4816.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4816(S): RPC detected an integrity violation while decrypting an incoming message. -**Applies to** -- Windows 10 -- Windows Server 2016 - This message generates if RPC detected an integrity violation while decrypting an incoming message. diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md index 0b0fc16bf7..dc9c07fb24 100644 --- a/windows/security/threat-protection/auditing/event-4817.md +++ b/windows/security/threat-protection/auditing/event-4817.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4817(S): Auditing settings on object were changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4817 illustration diff --git a/windows/security/threat-protection/auditing/event-4818.md b/windows/security/threat-protection/auditing/event-4818.md index 05266e39e5..5ced098023 100644 
--- a/windows/security/threat-protection/auditing/event-4818.md +++ b/windows/security/threat-protection/auditing/event-4818.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4818 illustration diff --git a/windows/security/threat-protection/auditing/event-4819.md b/windows/security/threat-protection/auditing/event-4819.md index 3751b39e45..882622efa4 100644 --- a/windows/security/threat-protection/auditing/event-4819.md +++ b/windows/security/threat-protection/auditing/event-4819.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4819(S): Central Access Policies on the machine have been changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4819 illustration diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md index 2e78b4c653..136684f355 100644 --- a/windows/security/threat-protection/auditing/event-4826.md +++ b/windows/security/threat-protection/auditing/event-4826.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4826(S): Boot Configuration Data loaded. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4826 illustration 
diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md index ca1995291e..ea84a736a0 100644 --- a/windows/security/threat-protection/auditing/event-4864.md +++ b/windows/security/threat-protection/auditing/event-4864.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4864(S): A namespace collision was detected. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event is generated when a namespace collision was detected. diff --git a/windows/security/threat-protection/auditing/event-4865.md b/windows/security/threat-protection/auditing/event-4865.md index 063eb88afc..a7e2a7189e 100644 --- a/windows/security/threat-protection/auditing/event-4865.md +++ b/windows/security/threat-protection/auditing/event-4865.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4865(S): A trusted forest information entry was added. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4865 illustration diff --git a/windows/security/threat-protection/auditing/event-4866.md b/windows/security/threat-protection/auditing/event-4866.md index 922d662887..bd5bfba999 100644 --- a/windows/security/threat-protection/auditing/event-4866.md +++ b/windows/security/threat-protection/auditing/event-4866.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4866(S): A trusted forest information entry was removed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4866 illustration diff --git a/windows/security/threat-protection/auditing/event-4867.md b/windows/security/threat-protection/auditing/event-4867.md index a8fdb4a693..170868681f 100644 --- a/windows/security/threat-protection/auditing/event-4867.md +++ b/windows/security/threat-protection/auditing/event-4867.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4867(S): A trusted forest information entry was modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4867 illustration diff --git a/windows/security/threat-protection/auditing/event-4902.md b/windows/security/threat-protection/auditing/event-4902.md index d5a7640b84..89eeb36eb6 100644 --- a/windows/security/threat-protection/auditing/event-4902.md +++ b/windows/security/threat-protection/auditing/event-4902.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4902(S): The Per-user audit policy table was created. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4902 illustration diff --git a/windows/security/threat-protection/auditing/event-4904.md b/windows/security/threat-protection/auditing/event-4904.md index 268606eab6..02109612fd 100644 --- a/windows/security/threat-protection/auditing/event-4904.md 
+++ b/windows/security/threat-protection/auditing/event-4904.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4904(S): An attempt was made to register a security event source. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4904 illustration diff --git a/windows/security/threat-protection/auditing/event-4905.md b/windows/security/threat-protection/auditing/event-4905.md index 65338f9f64..ead69b632a 100644 --- a/windows/security/threat-protection/auditing/event-4905.md +++ b/windows/security/threat-protection/auditing/event-4905.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4905(S): An attempt was made to unregister a security event source. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4905 illustration diff --git a/windows/security/threat-protection/auditing/event-4906.md b/windows/security/threat-protection/auditing/event-4906.md index 49269c1eb3..676c32fbcc 100644 --- a/windows/security/threat-protection/auditing/event-4906.md +++ b/windows/security/threat-protection/auditing/event-4906.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4906(S): The CrashOnAuditFail value has changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4906 illustration diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md index e8f78c11b1..3ae2c8793f 100644 
--- a/windows/security/threat-protection/auditing/event-4907.md +++ b/windows/security/threat-protection/auditing/event-4907.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4907(S): Auditing settings on object were changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4907 illustration diff --git a/windows/security/threat-protection/auditing/event-4908.md b/windows/security/threat-protection/auditing/event-4908.md index 3a12a949e0..e59ae0559b 100644 --- a/windows/security/threat-protection/auditing/event-4908.md +++ b/windows/security/threat-protection/auditing/event-4908.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4908(S): Special Groups Logon table modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4908 illustration diff --git a/windows/security/threat-protection/auditing/event-4909.md b/windows/security/threat-protection/auditing/event-4909.md index 9c3b067418..f85c02b5ec 100644 --- a/windows/security/threat-protection/auditing/event-4909.md +++ b/windows/security/threat-protection/auditing/event-4909.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4909(-): The local policy settings for the TBS were changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. 
diff --git a/windows/security/threat-protection/auditing/event-4910.md b/windows/security/threat-protection/auditing/event-4910.md index 948c3a6dab..0cdca35e3e 100644 --- a/windows/security/threat-protection/auditing/event-4910.md +++ b/windows/security/threat-protection/auditing/event-4910.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4910(-): The group policy settings for the TBS were changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md index cf47c889e0..aeeaa0fdc0 100644 --- a/windows/security/threat-protection/auditing/event-4911.md +++ b/windows/security/threat-protection/auditing/event-4911.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4911(S): Resource attributes of the object were changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4911 illustration diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md index e4bc6d9d43..614b73a93f 100644 --- a/windows/security/threat-protection/auditing/event-4912.md +++ b/windows/security/threat-protection/auditing/event-4912.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4912(S): Per User Audit Policy was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4912 illustration diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md index 51ff7291cb..bcc4c7eeee 100644 --- a/windows/security/threat-protection/auditing/event-4913.md +++ b/windows/security/threat-protection/auditing/event-4913.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4913(S): Central Access Policy on the object was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4913 illustration diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md index 166bc42cf3..2899b77a51 100644 --- a/windows/security/threat-protection/auditing/event-4928.md +++ b/windows/security/threat-protection/auditing/event-4928.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4928(S, F): An Active Directory replica source naming context was established. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4928 illustration diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md index ab04f9ab17..8d4802ca42 100644 --- a/windows/security/threat-protection/auditing/event-4929.md 
+++ b/windows/security/threat-protection/auditing/event-4929.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4929(S, F): An Active Directory replica source naming context was removed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4929 illustration diff --git a/windows/security/threat-protection/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md index 3897b1bd01..ad5d6086a1 100644 --- a/windows/security/threat-protection/auditing/event-4930.md +++ b/windows/security/threat-protection/auditing/event-4930.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4930(S, F): An Active Directory replica source naming context was modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4930 illustration diff --git a/windows/security/threat-protection/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md index dfb00ceb91..39a7be5a64 100644 --- a/windows/security/threat-protection/auditing/event-4931.md +++ b/windows/security/threat-protection/auditing/event-4931.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4931(S, F): An Active Directory replica destination naming context was modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4931 illustration 
diff --git a/windows/security/threat-protection/auditing/event-4932.md b/windows/security/threat-protection/auditing/event-4932.md index 13f42ce386..b686a7b13c 100644 --- a/windows/security/threat-protection/auditing/event-4932.md +++ b/windows/security/threat-protection/auditing/event-4932.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4932(S): Synchronization of a replica of an Active Directory naming context has begun. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4932 illustration diff --git a/windows/security/threat-protection/auditing/event-4933.md b/windows/security/threat-protection/auditing/event-4933.md index b4f0784a45..7fb4991241 100644 --- a/windows/security/threat-protection/auditing/event-4933.md +++ b/windows/security/threat-protection/auditing/event-4933.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4933(S, F): Synchronization of a replica of an Active Directory naming context has ended. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4933 illustration diff --git a/windows/security/threat-protection/auditing/event-4934.md b/windows/security/threat-protection/auditing/event-4934.md index ffc4b9b4a3..65521bb868 100644 --- a/windows/security/threat-protection/auditing/event-4934.md +++ b/windows/security/threat-protection/auditing/event-4934.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4934(S): Attributes of an Active Directory object were replicated. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates when attributes of an Active Directory object were replicated. diff --git a/windows/security/threat-protection/auditing/event-4935.md b/windows/security/threat-protection/auditing/event-4935.md index f2910784e6..c939bc09ed 100644 --- a/windows/security/threat-protection/auditing/event-4935.md +++ b/windows/security/threat-protection/auditing/event-4935.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4935(F): Replication failure begins. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4935 illustration diff --git a/windows/security/threat-protection/auditing/event-4936.md b/windows/security/threat-protection/auditing/event-4936.md index 3f808bf11d..37b1c8ca83 100644 --- a/windows/security/threat-protection/auditing/event-4936.md +++ b/windows/security/threat-protection/auditing/event-4936.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4936(S): Replication failure ends. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates when Active Directory replication failure ends. diff --git a/windows/security/threat-protection/auditing/event-4937.md b/windows/security/threat-protection/auditing/event-4937.md index 2775be1c5d..f80f44586e 100644 
--- a/windows/security/threat-protection/auditing/event-4937.md +++ b/windows/security/threat-protection/auditing/event-4937.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4937(S): A lingering object was removed from a replica. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates when a [lingering object](https://support.microsoft.com/kb/910205) was removed from a replica. diff --git a/windows/security/threat-protection/auditing/event-4944.md b/windows/security/threat-protection/auditing/event-4944.md index 3821d18e1b..34ca3f9e47 100644 --- a/windows/security/threat-protection/auditing/event-4944.md +++ b/windows/security/threat-protection/auditing/event-4944.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4944(S): The following policy was active when the Windows Firewall started. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4944 illustration diff --git a/windows/security/threat-protection/auditing/event-4945.md b/windows/security/threat-protection/auditing/event-4945.md index da8105bffc..f5581407ab 100644 --- a/windows/security/threat-protection/auditing/event-4945.md +++ b/windows/security/threat-protection/auditing/event-4945.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4945(S): A rule was listed when the Windows Firewall started. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4945 illustration 
diff --git a/windows/security/threat-protection/auditing/event-4946.md b/windows/security/threat-protection/auditing/event-4946.md index 30ae25fd28..505cec18fb 100644 --- a/windows/security/threat-protection/auditing/event-4946.md +++ b/windows/security/threat-protection/auditing/event-4946.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4946(S): A change has been made to Windows Firewall exception list. A rule was added. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4946 illustration diff --git a/windows/security/threat-protection/auditing/event-4947.md b/windows/security/threat-protection/auditing/event-4947.md index b38eef6371..7d09cf4d23 100644 --- a/windows/security/threat-protection/auditing/event-4947.md +++ b/windows/security/threat-protection/auditing/event-4947.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4947(S): A change has been made to Windows Firewall exception list. A rule was modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4947 illustration diff --git a/windows/security/threat-protection/auditing/event-4948.md b/windows/security/threat-protection/auditing/event-4948.md index 5f92a37c6a..65c71e3cd4 100644 --- a/windows/security/threat-protection/auditing/event-4948.md +++ b/windows/security/threat-protection/auditing/event-4948.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4948(S): A change has been made to Windows Firewall exception list. A rule was deleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4948 illustration diff --git a/windows/security/threat-protection/auditing/event-4949.md b/windows/security/threat-protection/auditing/event-4949.md index e304844bc8..617b780983 100644 --- a/windows/security/threat-protection/auditing/event-4949.md +++ b/windows/security/threat-protection/auditing/event-4949.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4949(S): Windows Firewall settings were restored to the default values. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4949 illustration diff --git a/windows/security/threat-protection/auditing/event-4950.md b/windows/security/threat-protection/auditing/event-4950.md index 54ead99c65..69db4a04e2 100644 --- a/windows/security/threat-protection/auditing/event-4950.md +++ b/windows/security/threat-protection/auditing/event-4950.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4950(S): A Windows Firewall setting has changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4950 illustration diff --git a/windows/security/threat-protection/auditing/event-4951.md b/windows/security/threat-protection/auditing/event-4951.md index 4a2c32b9e2..060b9c4b83 100644 
--- a/windows/security/threat-protection/auditing/event-4951.md +++ b/windows/security/threat-protection/auditing/event-4951.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4951(F): A rule has been ignored because its major version number was not recognized by Windows Firewall. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4951 illustration diff --git a/windows/security/threat-protection/auditing/event-4952.md b/windows/security/threat-protection/auditing/event-4952.md index 150a0ac97d..3c9322ae26 100644 --- a/windows/security/threat-protection/auditing/event-4952.md +++ b/windows/security/threat-protection/auditing/event-4952.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4952(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. -**Applies to** -- Windows 10 -- Windows Server 2016 - When you create or edit a Windows Firewall rule, the settings that you can include depend upon the version of Windows you use when creating the rule. As new settings are added to later versions of Windows or to service packs for existing versions of Windows, the version number of the rules processing engine is updated, and that version number is stamped into rules that are created by using that version of Windows. For example, Windows Vista produces firewall rules that are stamped with version "v2.0". Future versions of Windows might use "v2.1", or "v3.0" to indicate, respectively, minor or major changes and additions. 
diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md index 38d9aa6a3d..2d31faae0c 100644 --- a/windows/security/threat-protection/auditing/event-4953.md +++ b/windows/security/threat-protection/auditing/event-4953.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4953(F): Windows Firewall ignored a rule because it could not be parsed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4953 illustration diff --git a/windows/security/threat-protection/auditing/event-4954.md b/windows/security/threat-protection/auditing/event-4954.md index 99bb6457e2..67a7f024aa 100644 --- a/windows/security/threat-protection/auditing/event-4954.md +++ b/windows/security/threat-protection/auditing/event-4954.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4954(S): Windows Firewall Group Policy settings have changed. The new settings have been applied. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4954 illustration diff --git a/windows/security/threat-protection/auditing/event-4956.md b/windows/security/threat-protection/auditing/event-4956.md index 34d36fa5d0..bc90d17945 100644 --- a/windows/security/threat-protection/auditing/event-4956.md +++ b/windows/security/threat-protection/auditing/event-4956.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4956(S): Windows Firewall has changed the active profile. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4956 illustration diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md index 8b822ee84c..b83701e32b 100644 --- a/windows/security/threat-protection/auditing/event-4957.md +++ b/windows/security/threat-protection/auditing/event-4957.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4957(F): Windows Firewall did not apply the following rule. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4957 illustration diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md index 05922fd7a7..3fc2c85a83 100644 --- a/windows/security/threat-protection/auditing/event-4958.md +++ b/windows/security/threat-protection/auditing/event-4958.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4958(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. -**Applies to** -- Windows 10 -- Windows Server 2016 - Windows Firewall with Advanced Security processed a rule that contains parameters that cannot be resolved on the local computer. The rule is therefore not enforceable on the computer and so is excluded from the runtime state of the firewall. This is not necessarily an error. Examine the rule for applicability on the computers to which it was applied. diff --git a/windows/security/threat-protection/auditing/event-4964.md b/windows/security/threat-protection/auditing/event-4964.md index 0ee97ac194..969c9e219b 100644 --- a/windows/security/threat-protection/auditing/event-4964.md +++ b/windows/security/threat-protection/auditing/event-4964.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4964(S): Special groups have been assigned to a new logon. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4964 illustration diff --git a/windows/security/threat-protection/auditing/event-4985.md b/windows/security/threat-protection/auditing/event-4985.md index c57db1916e..6af088c0bd 100644 --- a/windows/security/threat-protection/auditing/event-4985.md +++ b/windows/security/threat-protection/auditing/event-4985.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 4985(S): The state of a transaction has changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4985 illustration diff --git a/windows/security/threat-protection/auditing/event-5024.md b/windows/security/threat-protection/auditing/event-5024.md index b24cd95e31..46c44da725 100644 --- a/windows/security/threat-protection/auditing/event-5024.md +++ b/windows/security/threat-protection/auditing/event-5024.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5024(S): The Windows Firewall Service has started successfully. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5024 illustration diff --git a/windows/security/threat-protection/auditing/event-5025.md b/windows/security/threat-protection/auditing/event-5025.md index a9a3c5e14b..fbc702ac8e 100644 --- a/windows/security/threat-protection/auditing/event-5025.md +++ b/windows/security/threat-protection/auditing/event-5025.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5025(S): The Windows Firewall Service has been stopped. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5025 illustration diff --git a/windows/security/threat-protection/auditing/event-5027.md b/windows/security/threat-protection/auditing/event-5027.md index 4ea2177c6b..47a348cf77 100644 --- a/windows/security/threat-protection/auditing/event-5027.md 
+++ b/windows/security/threat-protection/auditing/event-5027.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5027(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5027 illustration diff --git a/windows/security/threat-protection/auditing/event-5028.md b/windows/security/threat-protection/auditing/event-5028.md index 9ab51ca985..65d5204a98 100644 --- a/windows/security/threat-protection/auditing/event-5028.md +++ b/windows/security/threat-protection/auditing/event-5028.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5028(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5028 illustration diff --git a/windows/security/threat-protection/auditing/event-5029.md b/windows/security/threat-protection/auditing/event-5029.md index 46d9b7b3e7..89b6ca69bb 100644 --- a/windows/security/threat-protection/auditing/event-5029.md +++ b/windows/security/threat-protection/auditing/event-5029.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5029(F): The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. -**Applies to** -- Windows 10 -- Windows Server 2016 - Windows logs an error if either the Windows Firewall service or its driver fails to start, or if they unexpectedly terminate. The error message indicates the cause of the service failure by including an error code in the text of the message. diff --git a/windows/security/threat-protection/auditing/event-5030.md b/windows/security/threat-protection/auditing/event-5030.md index de68bc30db..9216275f2d 100644 --- a/windows/security/threat-protection/auditing/event-5030.md +++ b/windows/security/threat-protection/auditing/event-5030.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5030(F): The Windows Firewall Service failed to start. -**Applies to** -- Windows 10 -- Windows Server 2016 - Windows logs this event if the Windows Firewall service fails to start, or if it unexpectedly terminates. The error message indicates the cause of the service failure by including an error code in the text of the message. diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md index df9881e050..b54933cde7 100644 --- a/windows/security/threat-protection/auditing/event-5031.md +++ b/windows/security/threat-protection/auditing/event-5031.md 
@@ -10,17 +10,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # 5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network. -**Applies to** -- Windows 10 -- Windows Server 2016 -- Windows Server 2012 R2 -- Windows Server 2012 - Event 5031 illustration diff --git a/windows/security/threat-protection/auditing/event-5032.md b/windows/security/threat-protection/auditing/event-5032.md index a356c6ba72..c8b0bff151 100644 --- a/windows/security/threat-protection/auditing/event-5032.md +++ b/windows/security/threat-protection/auditing/event-5032.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5032(F): Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. -**Applies to** -- Windows 10 -- Windows Server 2016 - Windows Firewall with Advanced Security can be configured to notify the user when an application is blocked by the firewall, and ask if the application should continue to be blocked in the future. diff --git a/windows/security/threat-protection/auditing/event-5033.md b/windows/security/threat-protection/auditing/event-5033.md index 05552da629..dfbbcae025 100644 --- a/windows/security/threat-protection/auditing/event-5033.md +++ b/windows/security/threat-protection/auditing/event-5033.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5033(S): The Windows Firewall Driver has started successfully. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5033 illustration diff --git a/windows/security/threat-protection/auditing/event-5034.md b/windows/security/threat-protection/auditing/event-5034.md index 7cef4c54e0..e0815c5bd1 100644 --- a/windows/security/threat-protection/auditing/event-5034.md +++ b/windows/security/threat-protection/auditing/event-5034.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5034(S): The Windows Firewall Driver was stopped. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5034 illustration diff --git a/windows/security/threat-protection/auditing/event-5035.md b/windows/security/threat-protection/auditing/event-5035.md index 6b9d8a9488..c6a382c517 100644 --- a/windows/security/threat-protection/auditing/event-5035.md +++ b/windows/security/threat-protection/auditing/event-5035.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5035(F): The Windows Firewall Driver failed to start. -**Applies to** -- Windows 10 -- Windows Server 2016 - Windows logs this event if Windows Firewall driver fails to start, or if it unexpectedly terminates. The error message indicates the cause of the failure by including an error code in the text of the message. 
diff --git a/windows/security/threat-protection/auditing/event-5037.md b/windows/security/threat-protection/auditing/event-5037.md index a189ce3f21..d3542cd1d7 100644 --- a/windows/security/threat-protection/auditing/event-5037.md +++ b/windows/security/threat-protection/auditing/event-5037.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5037(F): The Windows Firewall Driver detected critical runtime error. Terminating. -**Applies to** -- Windows 10 -- Windows Server 2016 - Windows logs this event if Windows Firewall driver fails to start, or if it unexpectedly terminates. The error message indicates the cause of the failure by including an error code in the text of the message. diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md index 2dc28bef2e..dbb32f1459 100644 --- a/windows/security/threat-protection/auditing/event-5038.md +++ b/windows/security/threat-protection/auditing/event-5038.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5038(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. -**Applies to** -- Windows 10 -- Windows Server 2016 - The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md index fda19e5f16..7194197d62 100644 
--- a/windows/security/threat-protection/auditing/event-5039.md +++ b/windows/security/threat-protection/auditing/event-5039.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5039(-): A registry key was virtualized. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event should be generated when registry key was virtualized using [LUAFV](https://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx). diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md index 3ac07671d2..67f25e7071 100644 --- a/windows/security/threat-protection/auditing/event-5051.md +++ b/windows/security/threat-protection/auditing/event-5051.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5051(-): A file was virtualized. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event should be generated when file was virtualized using [LUAFV](https://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx). diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md index a717d05e4a..59e64af10b 100644 --- a/windows/security/threat-protection/auditing/event-5056.md +++ b/windows/security/threat-protection/auditing/event-5056.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5056(S): A cryptographic self-test was performed. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates in CNG Self-Test function. This function is a Cryptographic Next Generation (CNG) function. diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md index c83ca8bd2e..625c998826 100644 --- a/windows/security/threat-protection/auditing/event-5057.md +++ b/windows/security/threat-protection/auditing/event-5057.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5057(F): A cryptographic primitive operation failed. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates in case of CNG primitive operation failure. diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md index b351ee93e6..7d3c14f3cc 100644 --- a/windows/security/threat-protection/auditing/event-5058.md +++ b/windows/security/threat-protection/auditing/event-5058.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5058(S, F): Key file operation. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5058 illustration 
diff --git a/windows/security/threat-protection/auditing/event-5059.md b/windows/security/threat-protection/auditing/event-5059.md index 5881e672d5..3c79abb5d0 100644 --- a/windows/security/threat-protection/auditing/event-5059.md +++ b/windows/security/threat-protection/auditing/event-5059.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5059(S, F): Key migration operation. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5059 illustration diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md index 11b9903d5d..9497f26ebf 100644 --- a/windows/security/threat-protection/auditing/event-5060.md +++ b/windows/security/threat-protection/auditing/event-5060.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5060(F): Verification operation failed. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates when the Cryptographic Next Generation (CNG) verification operation fails. diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md index 7612017713..f90e6fd02e 100644 --- a/windows/security/threat-protection/auditing/event-5061.md +++ b/windows/security/threat-protection/auditing/event-5061.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5061(S, F): Cryptographic operation. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5061 illustration diff --git a/windows/security/threat-protection/auditing/event-5062.md b/windows/security/threat-protection/auditing/event-5062.md index e397844d41..3ac8412240 100644 --- a/windows/security/threat-protection/auditing/event-5062.md +++ b/windows/security/threat-protection/auditing/event-5062.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5062(S): A kernel-mode cryptographic self-test was performed. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event occurs rarely, and in some situations may be difficult to reproduce. diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md index e06e3118a6..7fc9f07b38 100644 --- a/windows/security/threat-protection/auditing/event-5063.md +++ b/windows/security/threat-protection/auditing/event-5063.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5063(S, F): A cryptographic provider operation was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates in BCryptUnregisterProvider() and BCryptRegisterProvider() functions. These are Cryptographic Next Generation (CNG) functions. 
diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md index 077fadf9f7..0640bde11a 100644 --- a/windows/security/threat-protection/auditing/event-5064.md +++ b/windows/security/threat-protection/auditing/event-5064.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5064(S, F): A cryptographic context operation was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates in [BCryptCreateContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptcreatecontext)() and [BCryptDeleteContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptdeletecontext)() functions. These are Cryptographic Next Generation (CNG) functions. diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md index 3a64e39e7f..99731361a2 100644 --- a/windows/security/threat-protection/auditing/event-5065.md +++ b/windows/security/threat-protection/auditing/event-5065.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5065(S, F): A cryptographic context modification was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates in [BCryptConfigureContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontext)() function. This is a Cryptographic Next Generation (CNG) function. diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md index 52fca7414b..a0faa27390 100644 --- a/windows/security/threat-protection/auditing/event-5066.md 
+++ b/windows/security/threat-protection/auditing/event-5066.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5066(S, F): A cryptographic function operation was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates in [BCryptAddContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptaddcontextfunction)() and [BCryptRemoveContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptremovecontextfunction)() functions. These are Cryptographic Next Generation (CNG) functions. diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md index 245b241e69..82bd2b643c 100644 --- a/windows/security/threat-protection/auditing/event-5067.md +++ b/windows/security/threat-protection/auditing/event-5067.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5067(S, F): A cryptographic function modification was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates in [BCryptConfigureContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontextfunction)() function. This is a Cryptographic Next Generation (CNG) function. diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md index 1cb02be991..54cfae4b8f 100644 --- a/windows/security/threat-protection/auditing/event-5068.md +++ b/windows/security/threat-protection/auditing/event-5068.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5068(S, F): A cryptographic function provider operation was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates in BCryptAddContextFunctionProvider() and BCryptRemoveContextFunctionProvider() functions. These are Cryptographic Next Generation (CNG) functions. diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md index 742188905d..6a762e71a3 100644 --- a/windows/security/threat-protection/auditing/event-5069.md +++ b/windows/security/threat-protection/auditing/event-5069.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5069(S, F): A cryptographic function property operation was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This is a Cryptographic Next Generation (CNG) function. diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md index 9893a7116b..2a77163002 100644 --- a/windows/security/threat-protection/auditing/event-5070.md +++ b/windows/security/threat-protection/auditing/event-5070.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5070(S, F): A cryptographic function property modification was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This is a Cryptographic Next Generation (CNG) function. diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md index 1b62c11bab..5e7db9c0ed 100644 --- a/windows/security/threat-protection/auditing/event-5136.md +++ b/windows/security/threat-protection/auditing/event-5136.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5136(S): A directory service object was modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5136 illustration diff --git a/windows/security/threat-protection/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md index 0146958e61..eea8bf1a17 100644 --- a/windows/security/threat-protection/auditing/event-5137.md +++ b/windows/security/threat-protection/auditing/event-5137.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5137(S): A directory service object was created. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5137 illustration 
diff --git a/windows/security/threat-protection/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md index 2553251b75..d9f97a7475 100644 --- a/windows/security/threat-protection/auditing/event-5138.md +++ b/windows/security/threat-protection/auditing/event-5138.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5138(S): A directory service object was undeleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5138 illustration diff --git a/windows/security/threat-protection/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md index c7f306eab0..3333139144 100644 --- a/windows/security/threat-protection/auditing/event-5139.md +++ b/windows/security/threat-protection/auditing/event-5139.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5139(S): A directory service object was moved. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5139 illustration diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md index 199e5a4cd7..29641fcca5 100644 --- a/windows/security/threat-protection/auditing/event-5140.md +++ b/windows/security/threat-protection/auditing/event-5140.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5140(S, F): A network share object was accessed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5140 illustration diff --git a/windows/security/threat-protection/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md index 7d85f444d4..11cada8ab0 100644 --- a/windows/security/threat-protection/auditing/event-5141.md +++ b/windows/security/threat-protection/auditing/event-5141.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5141(S): A directory service object was deleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5141 illustration diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md index d29c26ddc4..c5503ee4fa 100644 --- a/windows/security/threat-protection/auditing/event-5142.md +++ b/windows/security/threat-protection/auditing/event-5142.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5142(S): A network share object was added. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5142 illustration diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md index bc8f827e03..bf370fffc3 100644 --- a/windows/security/threat-protection/auditing/event-5143.md 
+++ b/windows/security/threat-protection/auditing/event-5143.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5143(S): A network share object was modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5143 illustration diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md index 886dc70759..6d117910a1 100644 --- a/windows/security/threat-protection/auditing/event-5144.md +++ b/windows/security/threat-protection/auditing/event-5144.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5144(S): A network share object was deleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5144 illustration diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md index 933ab84191..8584f3f782 100644 --- a/windows/security/threat-protection/auditing/event-5145.md +++ b/windows/security/threat-protection/auditing/event-5145.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5145(S, F): A network share object was checked to see whether client can be granted desired access. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5145 illustration 
diff --git a/windows/security/threat-protection/auditing/event-5148.md b/windows/security/threat-protection/auditing/event-5148.md index 23a31eb1a6..094f91e5f3 100644 --- a/windows/security/threat-protection/auditing/event-5148.md +++ b/windows/security/threat-protection/auditing/event-5148.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 05/29/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. -**Applies to** -- Windows 10 -- Windows Server 2016 - In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack starts or was detected. diff --git a/windows/security/threat-protection/auditing/event-5149.md b/windows/security/threat-protection/auditing/event-5149.md index 04f6c8747a..3be32e2a0c 100644 --- a/windows/security/threat-protection/auditing/event-5149.md +++ b/windows/security/threat-protection/auditing/event-5149.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 05/29/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5149(F): The DoS attack has subsided and normal processing is being resumed. -**Applies to** -- Windows 10 -- Windows Server 2016 - In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack ended. diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md index 7e8b6a5cc1..fd48f85788 100644 --- a/windows/security/threat-protection/auditing/event-5150.md +++ b/windows/security/threat-protection/auditing/event-5150.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5150(-): The Windows Filtering Platform blocked a packet. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event is logged if the Windows Filtering Platform [MAC filter](/windows-hardware/drivers/network/using-layer-2-filtering) blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md index 611541553e..ea0b6f1ba5 100644 --- a/windows/security/threat-protection/auditing/event-5151.md +++ b/windows/security/threat-protection/auditing/event-5151.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5151(-): A more restrictive Windows Filtering Platform filter has blocked a packet. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event is logged if a more restrictive Windows Filtering Platform [MAC filter](/windows-hardware/drivers/network/using-layer-2-filtering) has blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md index cb8da40be3..1e2cec8711 100644 --- a/windows/security/threat-protection/auditing/event-5152.md +++ b/windows/security/threat-protection/auditing/event-5152.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5152(F): The Windows Filtering Platform blocked a packet. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5152 illustration diff --git a/windows/security/threat-protection/auditing/event-5153.md b/windows/security/threat-protection/auditing/event-5153.md index ce3f53f60d..f9e60da5a0 100644 --- a/windows/security/threat-protection/auditing/event-5153.md +++ b/windows/security/threat-protection/auditing/event-5153.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event is logged if a more restrictive Windows Filtering Platform filter has blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md index ea9c8ea638..4cd691deaf 100644 --- a/windows/security/threat-protection/auditing/event-5154.md +++ b/windows/security/threat-protection/auditing/event-5154.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5154 illustration 
diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index d00134db41..b4626b59c1 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. -**Applies to** -- Windows 10 -- Windows Server 2016 - By default Windows firewall won't prevent a port from being listened by an application. In the other word, Windows system will not generate Event 5155 by itself. diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md index b7aa9709b2..f19c968a01 100644 --- a/windows/security/threat-protection/auditing/event-5156.md +++ b/windows/security/threat-protection/auditing/event-5156.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5156(S): The Windows Filtering Platform has permitted a connection. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5156 illustration diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md index 73d84e9d53..e860f2729c 100644 --- a/windows/security/threat-protection/auditing/event-5157.md +++ b/windows/security/threat-protection/auditing/event-5157.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5157(F): The Windows Filtering Platform has blocked a connection. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5157 illustration diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md index d863b08c36..f2a088807e 100644 --- a/windows/security/threat-protection/auditing/event-5158.md +++ b/windows/security/threat-protection/auditing/event-5158.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5158(S): The Windows Filtering Platform has permitted a bind to a local port. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5158 illustration diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md index fb896131ac..c66d53025f 100644 --- a/windows/security/threat-protection/auditing/event-5159.md +++ b/windows/security/threat-protection/auditing/event-5159.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5159(F): The Windows Filtering Platform has blocked a bind to a local port. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5159 illustration diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md index bb9371baff..2fcad0a7f5 100644 
--- a/windows/security/threat-protection/auditing/event-5168.md +++ b/windows/security/threat-protection/auditing/event-5168.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5168(F): SPN check for SMB/SMB2 failed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5168 illustration diff --git a/windows/security/threat-protection/auditing/event-5376.md b/windows/security/threat-protection/auditing/event-5376.md index 3cbb58cf29..bc903c2a89 100644 --- a/windows/security/threat-protection/auditing/event-5376.md +++ b/windows/security/threat-protection/auditing/event-5376.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5376(S): Credential Manager credentials were backed up. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5376 illustration diff --git a/windows/security/threat-protection/auditing/event-5377.md b/windows/security/threat-protection/auditing/event-5377.md index 3be670da7b..0041df606e 100644 --- a/windows/security/threat-protection/auditing/event-5377.md +++ b/windows/security/threat-protection/auditing/event-5377.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5377(S): Credential Manager credentials were restored from a backup. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5377 illustration 
diff --git a/windows/security/threat-protection/auditing/event-5378.md b/windows/security/threat-protection/auditing/event-5378.md index 0025f40837..10f783e194 100644 --- a/windows/security/threat-protection/auditing/event-5378.md +++ b/windows/security/threat-protection/auditing/event-5378.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5378(F): The requested credentials delegation was disallowed by policy. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5378 illustration diff --git a/windows/security/threat-protection/auditing/event-5447.md b/windows/security/threat-protection/auditing/event-5447.md index 2b5c265e83..e20265f6c6 100644 --- a/windows/security/threat-protection/auditing/event-5447.md +++ b/windows/security/threat-protection/auditing/event-5447.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5447(S): A Windows Filtering Platform filter has been changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5447 illustration diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md index ad0e108238..565ff56e44 100644 --- a/windows/security/threat-protection/auditing/event-5632.md +++ b/windows/security/threat-protection/auditing/event-5632.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5632(S, F): A request was made to authenticate to a wireless network. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5632 illustration diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md index ba78854b75..8c8496f31b 100644 --- a/windows/security/threat-protection/auditing/event-5633.md +++ b/windows/security/threat-protection/auditing/event-5633.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5633(S, F): A request was made to authenticate to a wired network. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5633 illustration diff --git a/windows/security/threat-protection/auditing/event-5712.md b/windows/security/threat-protection/auditing/event-5712.md index 5bb81e6f09..f3b0737f54 100644 --- a/windows/security/threat-protection/auditing/event-5712.md +++ b/windows/security/threat-protection/auditing/event-5712.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5712(S): A Remote Procedure Call (RPC) was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - It appears that this event never occurs. diff --git a/windows/security/threat-protection/auditing/event-5888.md b/windows/security/threat-protection/auditing/event-5888.md index 8d2ea38fcb..13679d5290 100644 
--- a/windows/security/threat-protection/auditing/event-5888.md +++ b/windows/security/threat-protection/auditing/event-5888.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5888(S): An object in the COM+ Catalog was modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5888 illustration diff --git a/windows/security/threat-protection/auditing/event-5889.md b/windows/security/threat-protection/auditing/event-5889.md index e3d65ee453..afcf23ffbe 100644 --- a/windows/security/threat-protection/auditing/event-5889.md +++ b/windows/security/threat-protection/auditing/event-5889.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5889(S): An object was deleted from the COM+ Catalog. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5889 illustration diff --git a/windows/security/threat-protection/auditing/event-5890.md b/windows/security/threat-protection/auditing/event-5890.md index 9b7a9f515c..8bf8b1a673 100644 --- a/windows/security/threat-protection/auditing/event-5890.md +++ b/windows/security/threat-protection/auditing/event-5890.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 5890(S): An object was added to the COM+ Catalog. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5890 illustration 
diff --git a/windows/security/threat-protection/auditing/event-6144.md b/windows/security/threat-protection/auditing/event-6144.md index 7565e8f794..045943bcdf 100644 --- a/windows/security/threat-protection/auditing/event-6144.md +++ b/windows/security/threat-protection/auditing/event-6144.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6144(S): Security policy in the group policy objects has been applied successfully. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6144 illustration diff --git a/windows/security/threat-protection/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md index b70a0844a2..17484bcaf1 100644 --- a/windows/security/threat-protection/auditing/event-6145.md +++ b/windows/security/threat-protection/auditing/event-6145.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6145(F): One or more errors occurred while processing security policy in the group policy objects. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6145 illustration diff --git a/windows/security/threat-protection/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md index e6ec5bea59..a4404d8d5d 100644 --- a/windows/security/threat-protection/auditing/event-6281.md +++ b/windows/security/threat-protection/auditing/event-6281.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6281(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. -**Applies to** -- Windows 10 -- Windows Server 2016 - The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md index 511aeb3ae9..4579bf3a3f 100644 --- a/windows/security/threat-protection/auditing/event-6400.md +++ b/windows/security/threat-protection/auditing/event-6400.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6400(-): BranchCache: Received an incorrectly formatted response while discovering availability of content. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md index 829c3215c9..b7e9be68fc 100644 --- a/windows/security/threat-protection/auditing/event-6401.md +++ b/windows/security/threat-protection/auditing/event-6401.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6401(-): BranchCache: Received invalid data from a peer. Data discarded. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md index 2aee0f9232..43c3c34353 100644 --- a/windows/security/threat-protection/auditing/event-6402.md +++ b/windows/security/threat-protection/auditing/event-6402.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6402(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md index ec9028c852..d2fdd63838 100644 --- a/windows/security/threat-protection/auditing/event-6403.md +++ b/windows/security/threat-protection/auditing/event-6403.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6403(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md index eaa912b6e3..8398476eb6 100644 --- a/windows/security/threat-protection/auditing/event-6404.md +++ b/windows/security/threat-protection/auditing/event-6404.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6404(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md index fc188cce3b..e8efbf0ec1 100644 --- a/windows/security/threat-protection/auditing/event-6405.md +++ b/windows/security/threat-protection/auditing/event-6405.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6405(-): BranchCache: %2 instance(s) of event id %1 occurred. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md index 689085b2fd..5f556714d7 100644 --- a/windows/security/threat-protection/auditing/event-6406.md +++ b/windows/security/threat-protection/auditing/event-6406.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6406(-): %1 registered to Windows Firewall to control filtering for the following: %2. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md index 3273efaba1..a5d377eb0e 100644 --- a/windows/security/threat-protection/auditing/event-6407.md +++ b/windows/security/threat-protection/auditing/event-6407.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6407(-): 1%. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6408.md b/windows/security/threat-protection/auditing/event-6408.md index 7b29a0468c..24596eef2a 100644 --- a/windows/security/threat-protection/auditing/event-6408.md +++ b/windows/security/threat-protection/auditing/event-6408.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6408(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md index 6855ea810d..776b12553b 100644 --- a/windows/security/threat-protection/auditing/event-6409.md +++ b/windows/security/threat-protection/auditing/event-6409.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6409(-): BranchCache: A service connection point object could not be parsed. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6410.md b/windows/security/threat-protection/auditing/event-6410.md index a306a98882..bc2da0e57f 100644 --- a/windows/security/threat-protection/auditing/event-6410.md +++ b/windows/security/threat-protection/auditing/event-6410.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6410(F): Code integrity determined that a file does not meet the security requirements to load into a process. -**Applies to** -- Windows 10 -- Windows Server 2016 - [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. diff --git a/windows/security/threat-protection/auditing/event-6416.md b/windows/security/threat-protection/auditing/event-6416.md index 4b85673aa7..add5982ef7 100644 
--- a/windows/security/threat-protection/auditing/event-6416.md +++ b/windows/security/threat-protection/auditing/event-6416.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6416(S): A new external device was recognized by the System. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6416 illustration diff --git a/windows/security/threat-protection/auditing/event-6419.md b/windows/security/threat-protection/auditing/event-6419.md index 90c145ff77..0e7f44d997 100644 --- a/windows/security/threat-protection/auditing/event-6419.md +++ b/windows/security/threat-protection/auditing/event-6419.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6419(S): A request was made to disable a device. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6419 illustration diff --git a/windows/security/threat-protection/auditing/event-6420.md b/windows/security/threat-protection/auditing/event-6420.md index 51570d3ab3..f8cccf22a7 100644 --- a/windows/security/threat-protection/auditing/event-6420.md +++ b/windows/security/threat-protection/auditing/event-6420.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6420(S): A device was disabled. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6420 illustration 
diff --git a/windows/security/threat-protection/auditing/event-6421.md b/windows/security/threat-protection/auditing/event-6421.md index ef4e0b856f..5b0e22342b 100644 --- a/windows/security/threat-protection/auditing/event-6421.md +++ b/windows/security/threat-protection/auditing/event-6421.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6421(S): A request was made to enable a device. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6421 illustration diff --git a/windows/security/threat-protection/auditing/event-6422.md b/windows/security/threat-protection/auditing/event-6422.md index 2b2f45d1b8..70ba147ede 100644 --- a/windows/security/threat-protection/auditing/event-6422.md +++ b/windows/security/threat-protection/auditing/event-6422.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6422(S): A device was enabled. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6422 illustration diff --git a/windows/security/threat-protection/auditing/event-6423.md b/windows/security/threat-protection/auditing/event-6423.md index 3332a01011..10cf86de89 100644 --- a/windows/security/threat-protection/auditing/event-6423.md +++ b/windows/security/threat-protection/auditing/event-6423.md 
@@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6423(S): The installation of this device is forbidden by system policy. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6423 illustration diff --git a/windows/security/threat-protection/auditing/event-6424.md b/windows/security/threat-protection/auditing/event-6424.md index 8ca1ce36d6..13af19c639 100644 --- a/windows/security/threat-protection/auditing/event-6424.md +++ b/windows/security/threat-protection/auditing/event-6424.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # 6424(S): The installation of this device was allowed, after having previously been forbidden by policy. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event occurs rarely, and in some situations may be difficult to reproduce. diff --git a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md index 1093140e38..a5df9bf707 100644 --- a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md +++ b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md 
@@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/09/2021 +ms.technology: windows-sec --- # File System (Global Object Access Auditing) -**Applies to** -- Windows 10 This topic for the IT professional describes the Advanced Security Audit policy setting, **File System (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the file system for an entire computer. diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md index 1efc819647..b8cc2220c9 100644 --- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md +++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md @@ -7,17 +7,15 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp -ms.date: 10/22/2018 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # How to get a list of XML data name elements in EventData -**Applies to** -- Windows 10 The Security log uses a manifest where you can get all of the event schema. diff --git a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md index 3c07a1dae0..3dc75d64ed 100644 --- a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md 
@@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/09/2021 +ms.technology: windows-sec --- # Monitor central access policy and rule definitions -**Applies to** -- Windows 10 This article for IT professionals describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. diff --git a/windows/security/threat-protection/auditing/monitor-claim-types.md b/windows/security/threat-protection/auditing/monitor-claim-types.md index baf7d9e8a7..643795c7e2 100644 --- a/windows/security/threat-protection/auditing/monitor-claim-types.md +++ b/windows/security/threat-protection/auditing/monitor-claim-types.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/09/2021 +ms.technology: windows-sec --- # Monitor claim types -**Applies to** -- Windows 10 This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options. diff --git a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md index ed4d03037f..1be153db59 100644 --- a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md 
@@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/09/2021 +ms.technology: windows-sec --- # Monitor resource attribute definitions -**Applies to** -- Windows 10 This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects. Resource attribute definitions define the basic properties of resource attributes, such as what it means for a resource to be defined as “high business value.” Resource attribute definitions are stored in AD DS under the Resource Properties container. Changes to these definitions could significantly change the protections that govern a resource, even if the resource attributes that apply to the resource remain unchanged. Changes can be monitored like any other AD DS object. diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md index f034f7c0fc..83ab6f2561 100644 --- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md 
@@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/09/2021 +ms.technology: windows-sec --- # Monitor the central access policies associated with files and folders -**Applies to** -- Windows 10 This article for IT professionals describes how to monitor changes to the central access policies that are associated with files and folders when you're using advanced security auditing options to monitor dynamic access control objects. diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md index 12dedf0d60..a1780808e5 100644 --- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md +++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/09/2021 +ms.technology: windows-sec --- # Monitor the central access policies that apply on a file server -**Applies to** -- Windows 10 This article describes how to monitor changes to the central access policies (CAPs) that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. CAPs are created on a domain controller and then applied to file servers through Group Policy management. diff --git a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md index f1676a1640..20be28d785 100644 
--- a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/09/2021 +ms.technology: windows-sec --- # Monitor the resource attributes on files and folders -**Applies to** -- Windows 10 This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects. diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index 04ac1c7929..ac76e18a1a 100644 --- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: -ms.technology: mde +ms.date: 09/09/2021 +ms.technology: windows-sec --- # Monitor the use of removable storage devices -**Applies to** -- Windows 10 This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects. diff --git a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md index edaf8e590f..865b1b5aaf 100644 --- a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md 
+++ b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/09/2021 +ms.technology: windows-sec --- # Monitor user and device claims during sign-in -**Applies to** -- Windows 10 This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects. diff --git a/windows/security/threat-protection/auditing/other-events.md b/windows/security/threat-protection/auditing/other-events.md index e74cf80553..12044634fd 100644 --- a/windows/security/threat-protection/auditing/other-events.md +++ b/windows/security/threat-protection/auditing/other-events.md @@ -7,19 +7,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: medium author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Other Events -**Applies to** -- Windows 10 -- Windows Server 2016 - Events in this section generate automatically and are enabled by default. diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md index 068c8792d4..4f9f9b93e8 100644 --- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md 
@@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/09/2021 +ms.technology: windows-sec --- # Plan and deploy advanced security audit policies -**Applies to** -- Windows 10 This article for IT professionals explains the options that security policy planners should consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies. diff --git a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md index 3c5c1ece1e..cd2acc181e 100644 --- a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md +++ b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/09/2021 +ms.technology: windows-sec --- # Registry (Global Object Access Auditing) -**Applies to** -- Windows 10 This topic for the IT professional describes the Advanced Security Audit policy setting, **Registry (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the registry of a computer. diff --git a/windows/security/threat-protection/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md index ec89d5ef53..1c305a4439 100644 --- a/windows/security/threat-protection/auditing/security-auditing-overview.md +++ b/windows/security/threat-protection/auditing/security-auditing-overview.md 
@@ -14,14 +14,12 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
-ms.technology: mde
+ms.date: 09/09/2021
+ms.technology: windows-sec
 ---
 # Security auditing
-**Applies to**
-- Windows 10
 Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network.
diff --git a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
index 6e90c989e0..fe06c5d1a4 100644
--- a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
+++ b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
@@ -14,14 +14,12 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
-ms.technology: mde
+ms.date: 09/09/2021
+ms.technology: windows-sec
 ---
 # Using advanced security auditing options to monitor dynamic access control objects
-**Applies to**
-- Windows 10
 This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.
diff --git a/windows/security/threat-protection/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md
index 84a296e182..e934463906 100644
--- a/windows/security/threat-protection/auditing/view-the-security-event-log.md
+++ b/windows/security/threat-protection/auditing/view-the-security-event-log.md
@@ -14,14 +14,12 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
-ms.technology: mde
+ms.date: 09/09/2021
+ms.technology: windows-sec
 ---
 # View the security event log
-**Applies to**
-- Windows 10
 The security log records each event as defined by the audit policies you set on each object.
diff --git a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
index 4b20841dd8..7917a249c2 100644
--- a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
+++ b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
@@ -14,14 +14,12 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
-ms.technology: mde
+ms.date: 09/09/2021
+ms.technology: windows-sec
 ---
 # Which editions of Windows support advanced audit policy configuration
-**Applies to**
-- Windows 10
 Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows Vista. There is no difference in security auditing support between 32-bit and 64-bit versions.
diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
index c1ffec9b59..7057f8c90f 100644
--- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
+++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
@@ -13,7 +13,7 @@ author: dansimp
 ms.author: dansimp
 ms.date: 08/14/2017
 ms.localizationpriority: medium
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Block untrusted fonts in an enterprise
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index ea4b252a30..ea7806d09a 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -12,7 +12,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 07/30/2021
 ms.reviewer:
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Enable virtualization-based protection of code integrity
@@ -54,8 +54,11 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP]
 ### Enable HVCI using Group Policy
 1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
+
 2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
+
 3. Double-click **Turn on Virtualization Based Security**.
+
 4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**.
 ![Enable HVCI using Group Policy.](../images/enable-hvci-gp.png)
@@ -71,14 +74,17 @@ Set the following registry keys to enable HVCI. This provides exactly the same s
 > [!IMPORTANT]
-> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
                  In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled.
                  +> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled. +> +> In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled. +> > - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers. #### For Windows 10 version 1607 and later Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock): -``` commands +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f 
@@ -94,49 +100,49 @@ If you want to customize the preceding recommended settings, use the following s
 **To enable VBS**
-``` command
+```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
 ```
 **To enable VBS and require Secure boot only (value 1)**
-``` command
+```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
 ```
 **To enable VBS with Secure Boot and DMA (value 3)**
-``` command
+```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
 ```
 **To enable VBS without UEFI lock (value 0)**
-``` command
+```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
 ```
 **To enable VBS with UEFI lock (value 1)**
-``` command
+```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f
 ```
 **To enable virtualization-based protection of Code Integrity policies**
-``` command
+```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
 ```
 **To enable virtualization-based protection of Code Integrity policies without UEFI lock (value 0)**
-``` command
+```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
 ```
 **To enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1)**
-``` command
+```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
 ```
@@ -144,7 +150,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
 Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
-``` command
+```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
@@ -158,31 +164,31 @@ If you want to customize the preceding recommended settings, use the following s
 **To enable VBS (it is always locked to UEFI)**
-``` command
+```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
 ```
 **To enable VBS and require Secure boot only (value 1)**
-``` command
+```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
 ```
 **To enable VBS with Secure Boot and DMA (value 3)**
-``` command
+```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
 ```
 **To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)**
-``` command
+```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
 ```
 **To enable virtualization-based protection of Code Integrity policies without UEFI lock**
-``` command
+```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f
 ```
@@ -190,7 +196,9 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG
 Windows 10 and Windows Server 2016 have a WMI class for related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command:
-`Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard`
+```powershell
+Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard
+```
 > [!NOTE]
 > The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10.
@@ -279,7 +287,7 @@ This field lists the computer name. All valid values for computer name.
 Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section.
-![Windows Defender Device Guard properties in the System Summary.](../images/dg-fig11-dgproperties.png)
+:::image type="content" alt-text="Windows Defender Device Guard properties in the System Summary." source="../images/dg-fig11-dgproperties.png" lightbox="../images/dg-fig11-dgproperties.png":::
 ## Troubleshooting
@@ -291,12 +299,15 @@ C. If you experience a critical error during boot or your system is unstable aft
 ## How to turn off HVCI
-1. Run the following command from an elevated prompt to set the HVCI registry key to off
-```ini
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
-```
-2. Restart the device.
-3. To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed.
+1. Run the following command from an elevated prompt to set the HVCI registry key to off:
+
+ ```console
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
+ ```
+
+1. Restart the device.
+
+1. To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed.
 ## HVCI deployment in virtual machines
@@ -311,6 +322,6 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
 ### Requirements for running HVCI in Hyper-V virtual machines
 - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
 - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
-- HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time
+- HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time. To enable the HyperV role on the virtual machine, you must first install the HyperV role in a Windows nested virtualization environment.
 - Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
 - The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index 0ecb7c4e45..21f2516780 100644
--- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -10,7 +10,7 @@ ms.author: deniseb
 ms.reviewer:
 manager: dansimp
 ms.custom: asr
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Windows Defender Application Control and virtualization-based protection of code integrity
diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
index 4065b2122a..bec34fe509 100644
--- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -1,6 +1,6 @@
 ---
 title: Deployment guidelines for Windows Defender Device Guard (Windows 10)
-description: Plan your deployment of Windows Defender Device Guard. Learn about hardware requirements, deployment approaches, code signing and code integrity policies.
+description: Plan your deployment of Hypervisor-Protected Code Integrity (aka Memory Integrity). Learn about hardware requirements, deployment approaches, code signing and code integrity policies.
 keywords: virtualization, security, malware
 ms.prod: m365-security
 ms.mktglfcycl: deploy
@@ -13,7 +13,7 @@ ms.topic: conceptual
 ms.date: 10/20/2017
 ms.reviewer:
 ms.author: dansimp
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Baseline protections and additional qualifications for virtualization-based protection of code integrity
@@ -21,14 +21,14 @@ ms.technology: mde
 **Applies to**
 - Windows 10
-Computers must meet certain hardware, firmware, and software requirements in order to take advantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats.
+Computers must meet certain hardware, firmware, and software requirements in order to take advantage of Hypervisor-Protected Code Integrity (HVCI), a virtualization-based security (VBS) feature in Windows. HVCI is referred to as Memory Integrity under the Core Isolation section of the Windows security settings. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats.
 For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media.
 > [!WARNING]
 > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
-The following tables provide more information about the hardware, firmware, and software required for deployment of various Windows Defender Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
+The following tables provide more information about the hardware, firmware, and software required for deployment of WDAC and HVCI. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
 > [!NOTE]
 > Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers.
@@ -42,9 +42,9 @@ The following tables provide more information about the hardware, firmware, and | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). 
| [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

                  Important:
                  Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

                  | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. | +| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

                  Important:
                  Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

                  | Support for VBS and for management features. | -> **Important**  The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide. +> **Important**  The following tables list additional qualifications for improved security. You can use WDAC and HVCI with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that WDAC and HVCI can provide. ## Additional qualifications for improved security @@ -76,4 +76,4 @@ The following tables describe additional hardware and firmware qualifications, a | Protections for Improved Security | Description | Security benefits | |---------------------------------------------|----------------------------------------------------|------| | Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
                  • UEFI runtime service must meet these requirements:
                      • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
                      • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
                      • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
                          • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
                          • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

                  Notes:
                  • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
                  • This protection is applied by VBS on OS page tables.


                  Please also note the following:
                  • Do not use sections that are both writeable and executable
                  • Do not attempt to directly modify executable system memory
                  • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                  • Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                  • Reduces the attack surface to VBS from system firmware.
                  • Blocks additional security attacks against SMM. | \ No newline at end of file +| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                  • Reduces the attack surface to VBS from system firmware.
                  • Blocks additional security attacks against SMM. | diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 9b2b985db5..5c8dd1358e 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md 
@@ -1,7349 +1,7349 @@
----
-title: Federal Information Processing Standard (FIPS) 140 Validation
-description: Learn how Microsoft products and cryptographic modules follow the U.S. Federal government standard FIPS 140.
-ms.prod: m365-security
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.reviewer:
-ms.technology: mde
----
-
-# FIPS 140-2 Validation
-
-## FIPS 140-2 standard overview
-
-The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products.
-
-The [Cryptographic Module Validation Program (CMVP)](https://csrc.nist.gov/Projects/cryptographic-module-validation-program) is a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). It validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover 11 areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module.
-
-## Microsoft’s approach to FIPS 140-2 validation
-
-Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001. Microsoft validates its cryptographic modules under the NIST CMVP, as described above. Multiple Microsoft products, including Windows 10, Windows Server, and many cloud services, use these cryptographic modules.
-
-## Using Windows in a FIPS 140-2 approved mode of operation
-
-Windows 10 and Windows Server may be configured to run in a FIPS 140-2 approved mode of operation, commonly referred to as "FIPS mode."  If you turn on FIPS mode, the Cryptographic Primitives Library (bcryptprimitives.dll) and Kernel Mode Cryptographic Primitives Library (CNG.sys) modules will run self-tests before Windows runs cryptographic operations. These self-tests are run according to FIPS 140-2 Section 4.9. They ensure that the modules are functioning properly.
-
-The Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library are the only modules affected by FIPS mode. FIPS mode won't prevent Windows and its subsystems from using non-FIPS validated cryptographic algorithms. FIPS mode is merely advisory for applications or components other than the Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library.
-
-US government regulations continue to mandate FIPS mode for government devices running Windows. Other customers should decide for themselves if FIPS mode is right for them. There are many applications and protocols that use FIPS mode policy to determine which cryptographic functionality to run. Customers seeking to follow the FIPS 140-2 standard should research the configuration settings of their applications and protocols. This research will help ensure that they can be configured to use FIPS 140-2 validated cryptography.
-
-Achieving this FIPS 140-2 approved mode of operation of Windows requires administrators to complete all four steps outlined below.
-
-### Step 1: Ensure FIPS 140-2 validated cryptographic modules are installed
-
-Administrators must ensure that all cryptographic modules installed are FIPS 140-2 validated. Tables listing validated modules, organized by operating system release, are available later in this article.
-
-### Step 2: Ensure all security policies for all cryptographic modules are followed
-
-Each of the cryptographic modules has a defined security policy that must be met for the module to operate in its FIPS 140-2 approved mode. The security policy may be found in each module’s published Security Policy Document (SPD). The SPDs for each module may be found in the table of validated modules at the end of this article. Select the module version number to view the published SPD for the module.
-
-### Step 3: Enable the FIPS security policy
-
-Windows provides the security policy setting, *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing*. This setting is used by some Microsoft products to determine whether to run in FIPS mode. When this policy is turned on, the validated cryptographic modules in Windows will also operate in FIPS mode. This policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution. For more information on the policy, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](./security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
-
-### Step 4: Ensure that only FIPS validated cryptographic algorithms are used
-
-FIPS mode is enforced at the level of the application or service. It is not enforced by the operating system or by individual cryptographic modules. Applications or services running in FIPS mode must follow the security policies of validated modules. They must not use a cryptographic algorithm that isn't FIPS-compliant.
-
-In short, an application or service is running in FIPS mode if it:
-
-* Checks for the policy flag
-* Enforces security policies of validated modules
-
-## Frequently asked questions
-
-### How long does it take to certify a cryptographic module?
-
-Microsoft begins certification of cryptographic modules after each major feature release of Windows 10 and Windows Server. The duration of each evaluation varies, depending on many factors.
-
-### When does Microsoft undertake a FIPS 140 validation?
-
-The cadence for starting module validation aligns with the feature updates of Windows 10 and Windows Server. As the software industry evolves, operating systems release more frequently. Microsoft completes validation work on major releases but, in between releases, seeks to minimize the changes to the cryptographic modules.
-
-### What is the difference between *FIPS 140 validated* and *FIPS 140 compliant*?
-
-*FIPS 140 validated* means that the cryptographic module, or a product that embeds the module, has been validated ("certified") by the CMVP as meeting the FIPS 140-2 requirements. *FIPS 140 compliant* is an industry term for IT products that rely on FIPS 140 validated products for cryptographic functionality.
-
-### How do I know if a Windows service or application is FIPS 140-2 validated?
-
-The cryptographic modules used in Windows are validated through the CMVP. They aren't validated by individual services, applications, hardware peripherals, or other solutions. Any compliant solution must call a FIPS 140-2 validated cryptographic module in the underlying OS, and the OS must be configured to run in FIPS mode. Contact the vendor of the service, application, or product for information on whether it calls a validated cryptographic module.
-
-### What does *When operated in FIPS mode* mean on a certificate?
-
-This label means that certain configuration and security rules must be followed to use the cryptographic module in compliance with its FIPS 140-2 security policy. Each module has its own security policy—a precise specification of the security rules under which it will operate—and employs approved cryptographic algorithms, cryptographic key management, and authentication techniques.
The security rules are defined in the Security Policy Document (SPD) for each module. - -### What is the relationship between FIPS 140-2 and Common Criteria? - -FIPS 140-2 and Common Criteria are two separate security standards with different, but complementary, purposes. FIPS 140-2 is designed specifically for validating software and hardware cryptographic modules. Common Criteria are designed to evaluate security functions in IT software and hardware products. Common Criteria evaluations often rely on FIPS 140-2 validations to provide assurance that basic cryptographic functionality is implemented properly. - -### How does FIPS 140 relate to Suite B? - -Suite B is a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information. The Suite B cryptographic algorithms are a subset of the FIPS approved cryptographic algorithms allowed by the FIPS 140-2 standard. - -### Is SMB3 (Server Message Block) FIPS 140 compliant in Windows? - -SMB3 can be FIPS 140 compliant, if Windows is configured to operate in FIPS 140 mode on both client and server. In FIPS mode, SMB3 relies on the underlying Windows FIPS 140 validated cryptographic modules for cryptographic operations. - -## Microsoft FIPS 140-2 validated cryptographic modules - -The following tables identify the cryptographic modules used in an operating system, organized by release. - -## Modules used by Windows - -##### Windows 10 Fall 2018 Update (Version 1809) - -Validated Editions: Home, Pro, Enterprise, Education - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library10.0.17763#3197See Security Policy and Certificate page for algorithm information
                  Kernel Mode Cryptographic Primitives Library10.0.17763#3196See Security Policy and Certificate page for algorithm information
                  Code Integrity10.0.17763#3644See Security Policy and Certificate page for algorithm information
                  Windows OS Loader10.0.17763#3615See Security Policy and Certificate page for algorithm information
                  Secure Kernel Code Integrity10.0.17763#3651See Security Policy and Certificate page for algorithm information
                  BitLocker Dump Filter10.0.17763#3092See Security Policy and Certificate page for algorithm information
                  Boot Manager10.0.17763#3089See Security Policy and Certificate page for algorithm information
                  Virtual TPM10.0.17763#3690See Security Policy and Certificate page for algorithm information
                  - -##### Windows 10 Spring 2018 Update (Version 1803) - -Validated Editions: Home, Pro, Enterprise, Education - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library10.0.17134#3197See Security Policy and Certificate page for algorithm information
                  Kernel Mode Cryptographic Primitives Library10.0.17134#3196See Security Policy and Certificate page for algorithm information
                  Code Integrity10.0.17134#3195See Security Policy and Certificate page for algorithm information
                  Windows OS Loader10.0.17134#3480See Security Policy and Certificate page for algorithm information
                  Secure Kernel Code Integrity10.0.17134#3096See Security Policy and Certificate page for algorithm information
                  BitLocker Dump Filter10.0.17134#3092See Security Policy and Certificate page for algorithm information
                  Boot Manager10.0.17134#3089See Security Policy and Certificate page for algorithm information
                  - -##### Windows 10 Fall Creators Update (Version 1709) - -Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library10.0.16299#3197See Security Policy and Certificate page for algorithm information
                  Kernel Mode Cryptographic Primitives Library10.0.16299#3196See Security Policy and Certificate page for algorithm information
                  Code Integrity10.0.16299#3195See Security Policy and Certificate page for algorithm information
                  Windows OS Loader10.0.16299#3194See Security Policy and Certificate page for algorithm information
                  Secure Kernel Code Integrity10.0.16299#3096See Security Policy and Certificate page for algorithm information
                  BitLocker Dump Filter10.0.16299#3092See Security Policy and Certificate page for algorithm information
                  Windows Resume10.0.16299#3091See Security Policy and Certificate page for algorithm information
                  Boot Manager10.0.16299#3089See Security Policy and Certificate page for algorithm information
                  - -##### Windows 10 Creators Update (Version 1703) - -Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile - - -- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.15063#3095

                  FIPS approved algorithms: AES (Cert. #4624); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2522); SHS (Cert. #3790); Triple-DES (Cert. #2459)
                  -
                  -Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

                  -

                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)

                  Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.15063#3094

                  #3094

                  -

                  FIPS approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459)
                  -
                  -Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

                  -

                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert.#1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert.#2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert.#1281)

                  Boot Manager10.0.15063#3089

                  FIPS approved algorithms: AES (Certs. #4624 and #4625); CKG (vendor affirmed); HMAC (Cert. #3061); PBKDF (vendor affirmed); RSA (Cert. #2523); SHS (Cert. #3790)

                  -

                  Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed)

                  Windows OS Loader10.0.15063#3090

                  FIPS approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)

                  -

                  Other algorithms: NDRNG

                  Windows Resume[1]10.0.15063#3091FIPS approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)
                  BitLocker® Dump Filter[2]10.0.15063#3092FIPS approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2522); SHS (Cert. #3790)
                  Code Integrity (ci.dll)10.0.15063#3093

                  FIPS approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

                  -

                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

                  Secure Kernel Code Integrity (skci.dll)[3]10.0.15063#3096

                  FIPS approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

                  -

                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

                  - - -\[1\] Applies only to Home, Pro, Enterprise, Education, and S. - -\[2\] Applies only to Pro, Enterprise, Education, S, Mobile, and Surface Hub - -\[3\] Applies only to Pro, Enterprise, Education, and S - -##### Windows 10 Anniversary Update (Version 1607) - -Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.14393#2937

                  FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
                  -
                  -Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

                  -

                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)

                  Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.14393#2936

                  FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
                  -
                  -Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

                  -

                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887)

                  Boot Manager10.0.14393#2931

                  FIPS approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

                  -

                  Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

                  BitLocker® Windows OS Loader (winload)10.0.14393#2932FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
                  -
                  -Other algorithms: NDRNG; MD5
                  BitLocker® Windows Resume (winresume)[1]10.0.14393#2933FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
                  -
                  -Other algorithms: MD5
                  BitLocker® Dump Filter (dumpfve.sys)[2]10.0.14393#2934FIPS approved algorithms: AES (Certs. #4061 and #4064)
                  Code Integrity (ci.dll)10.0.14393#2935

                  FIPS approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
                  -
                  -Other algorithms: AES (non-compliant); MD5

                  -

                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

                  Secure Kernel Code Integrity (skci.dll)[3]10.0.14393#2938

                  FIPS approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
                  -
                  -Other algorithms: MD5

                  -

                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

                  - - -\[1\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB - -\[2\] Applies only to Pro, Enterprise, Enterprise LTSB, and Mobile - -\[3\] Applies only to Pro, Enterprise, and Enterprise LTSB - -##### Windows 10 November 2015 Update (Version 1511) - -Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.10586#2606

                  FIPS approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888, and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
                  -
                  -Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

                  -

                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664)

                  Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.10586#2605

                  FIPS approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs.  #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888, and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
                  -
                  -Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

                  -

                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663)

                  Boot Manager[4]10.0.10586#2700FIPS approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
                  -
                  -Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
                  BitLocker® Windows OS Loader (winload)[5]10.0.10586#2701FIPS approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
                  -
                  -Other algorithms: MD5; NDRNG
                  BitLocker® Windows Resume (winresume)[6]10.0.10586#2702FIPS approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
                  -
                  -Other algorithms: MD5
                  BitLocker® Dump Filter (dumpfve.sys)[7]10.0.10586#2703FIPS approved algorithms: AES (Certs. #3653)
                  Code Integrity (ci.dll)10.0.10586#2604

                  FIPS approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
                  -
                  -Other algorithms: AES (non-compliant); MD5

                  -

                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

                  Secure Kernel Code Integrity (skci.dll)[8]10.0.10586#2607

                  FIPS approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
                  -
                  -Other algorithms: MD5

                  -

                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

                  - - -\[4\] Applies only to Home, Pro, Enterprise, Mobile, and Surface Hub - -\[5\] Applies only to Home, Pro, Enterprise, Mobile, and Surface Hub - -\[6\] Applies only to Home, Pro, and Enterprise - -\[7\] Applies only to Pro, Enterprise, Mobile, and Surface Hub - -\[8\] Applies only to Enterprise and Enterprise LTSB - -##### Windows 10 (Version 1507) - -Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.10240#2606

                  FIPS approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
                  -
                  -Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

                  -

                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575)

                  Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.10240#2605

                  FIPS approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
                  -
                  -Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

                  -

                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576)

                  Boot Manager[9]10.0.10240#2600FIPS approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
                  -
                  -Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
                  BitLocker® Windows OS Loader (winload)[10]10.0.10240#2601FIPS approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
                  -
                  -Other algorithms: MD5; NDRNG
                  BitLocker® Windows Resume (winresume)[11]10.0.10240#2602FIPS approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
                  -
                  -Other algorithms: MD5
                  BitLocker® Dump Filter (dumpfve.sys)[12]10.0.10240#2603FIPS approved algorithms: AES (Certs. #3497 and #3498)
                  Code Integrity (ci.dll)10.0.10240#2604

                  FIPS approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
                  -
                  -Other algorithms: AES (non-compliant); MD5

                  -

                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

                  Secure Kernel Code Integrity (skci.dll)[13]10.0.10240#2607

                  FIPS approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
                  -
                  -Other algorithms: MD5

                  -

                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

                  - - -\[9\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB - -\[10\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB - -\[11\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB - -\[12\] Applies only to Pro, Enterprise, and Enterprise LTSB - -\[13\] Applies only to Enterprise and Enterprise LTSB - -##### Windows 8.1 - -Validated Editions: RT, Pro, Enterprise, Phone, Embedded - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)6.3.9600 6.3.9600.17031#2357

                  FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
                  -
                  -Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

                  -

                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323)

                  Kernel Mode Cryptographic Primitives Library (cng.sys)6.3.9600 6.3.9600.17042#2356

                  FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
                  -
                  -Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

                  -

                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

                  Boot Manager6.3.9600 6.3.9600.17031#2351FIPS approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
                  -
                  -Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
                  BitLocker® Windows OS Loader (winload)6.3.9600 6.3.9600.17031#2352FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
                  -
                  -Other algorithms: MD5; NDRNG
                  BitLocker® Windows Resume (winresume)[14]6.3.9600 6.3.9600.17031#2353FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
                  -
                  -Other algorithms: MD5
                  BitLocker® Dump Filter (dumpfve.sys)6.3.9600 6.3.9600.17031#2354FIPS approved algorithms: AES (Cert. #2832)
                  -
                  -Other algorithms: N/A
                  Code Integrity (ci.dll)6.3.9600 6.3.9600.17031#2355#2355

                  FIPS approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
                  -
                  -Other algorithms: MD5

                  -

                  Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

                  - - -\[14\] Applies only to Pro, Enterprise, and Embedded 8. - -##### Windows 8 - -Validated Editions: RT, Home, Pro, Enterprise, Phone - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)6.2.9200#1892FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
                  -
                  -Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert.); ECDSA (Cert.); HMAC (Cert.); KAS (Cert); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
                  -
                  -
                  Kernel Mode Cryptographic Primitives Library (cng.sys)6.2.9200#1891FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
                  -
                  -Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and); ECDSA (Cert.); HMAC (Cert.); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RNG (Cert.); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
                  -
                  -Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
                  Boot Manager6.2.9200#1895FIPS approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
                  -
                  -Other algorithms: MD5
                  BitLocker® Windows OS Loader (WINLOAD)6.2.9200#1896FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
                  -
                  -Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
                  BitLocker® Windows Resume (WINRESUME)[15]6.2.9200#1898FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
                  -
                  -Other algorithms: MD5
                  BitLocker® Dump Filter (DUMPFVE.SYS)6.2.9200#1899FIPS approved algorithms: AES (Certs. #2196 and #2198)
                  -
                  -Other algorithms: N/A
                  Code Integrity (CI.DLL)6.2.9200#1897FIPS approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
                  -
                  -Other algorithms: MD5
                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.2.9200#1893FIPS approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
                  -
                  -Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert.); Triple-DES MAC (Triple-DES Certificate, vendor affirmed)
                  -
                  -Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Certificate, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
                  Enhanced Cryptographic Provider (RSAENH.DLL)6.2.9200#1894FIPS approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
                  -
                  -Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
                  - - -\[15\] Applies only to Home and Pro - -**Windows 7** - -Validated Editions: Windows 7, Windows 7 SP1 - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)

                  6.1.7600.16385

                  -

                  6.1.7601.17514

                  1329FIPS approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 bits to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
                  -
                  -Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and); SHS (Cert.); Triple-DES (Cert.)
                  -
                  -Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
                  Kernel Mode Cryptographic Primitives Library (cng.sys)

                  6.1.7600.16385

                  -

                  6.1.7600.16915

                  -

                  6.1.7600.21092

                  -

                  6.1.7601.17514

                  -

                  6.1.7601.17725

                  -

                  6.1.7601.17919

                  -

                  6.1.7601.21861

                  -

                  6.1.7601.22076

                  1328FIPS approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 bits to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
                  -
                  -Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
                  Boot Manager

                  6.1.7600.16385

                  -

                  6.1.7601.17514

                  1319FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
                  -
                  -Other algorithms: MD5#1168 and); HMAC (Cert.); RSA (Cert.); SHS (Cert.)
                  -
                  -Other algorithms: MD5
                  Winload OS Loader (winload.exe)

                  6.1.7600.16385

                  -

                  6.1.7600.16757

                  -

                  6.1.7600.20897

                  -

                  6.1.7600.20916

                  -

                  6.1.7601.17514

                  -

                  6.1.7601.17556

                  -

                  6.1.7601.21655

                  -

                  6.1.7601.21675

                  1326FIPS approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
                  -
                  -Other algorithms: MD5
                  BitLocker™ Drive Encryption

                  6.1.7600.16385

                  -

                  6.1.7600.16429

                  -

                  6.1.7600.16757

                  -

                  6.1.7600.20536

                  -

                  6.1.7600.20873

                  -

                  6.1.7600.20897

                  -

                  6.1.7600.20916

                  -

                  6.1.7601.17514

                  -

                  6.1.7601.17556

                  -

                  6.1.7601.21634

                  -

                  6.1.7601.21655

                  -

                  6.1.7601.21675

                  1332FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
                  -
                  -Other algorithms: Elephant Diffuser
                  Code Integrity (CI.DLL)

                  6.1.7600.16385

                  -

                  6.1.7600.17122

                  -

                  6.1.7600.21320

                  -

                  6.1.7601.17514

                  -

                  6.1.7601.17950

                  -

                  6.1.7601.22108

                  1327FIPS approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
                  -
                  -Other algorithms: MD5
                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.1.7600.16385
                  -(no change in SP1)
                  1331FIPS approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
                  -
                  -Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
                  Enhanced Cryptographic Provider (RSAENH.DLL)6.1.7600.16385
                  -(no change in SP1)
                  1330FIPS approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
                  -
                  -Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
                  - - -##### Windows Vista SP1 - -Validated Editions: Ultimate Edition - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Boot Manager (bootmgr)6.0.6001.18000 and 6.0.6002.18005978FIPS approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753)
                  Winload OS Loader (winload.exe)6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596979FIPS approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
                  -
                  -Other algorithms: MD5
                  Code Integrity (ci.dll)6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005980FIPS approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
                  -
                  -Other algorithms: MD5
                  Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228691000

                  FIPS approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and); ECDSA (Cert.); HMAC (Cert.); RNG (Cert.  and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)

                  -

                  Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

                  Cryptographic Primitives Library (bcrypt.dll)6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228721001

                  FIPS approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)

                  -

                  Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)

                  Enhanced Cryptographic Provider (RSAENH)6.0.6001.22202 and 6.0.6002.180051002

                  FIPS approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)

                  -

                  Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6001.18000 and 6.0.6002.180051003

                  FIPS approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)

                  -

                  Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4

                  - - -##### Windows Vista - -Validated Editions: Ultimate Edition - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Enhanced Cryptographic Provider (RSAENH)6.0.6000.16386893FIPS approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
                  -
                  -Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6000.16386894FIPS approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
                  -
                  -Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
                  BitLocker™ Drive Encryption6.0.6000.16386947FIPS approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
                  -
                  -Other algorithms: Elephant Diffuser
                  Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067891FIPS approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
                  -
                  -Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 bits to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5
                  - - -##### Windows XP SP3 - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Kernel Mode Cryptographic Module (FIPS.SYS)5.1.2600.5512997

                  FIPS approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)

                  -

                  Other algorithms: DES; MD5; HMAC MD5

                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.1.2600.5507990

                  FIPS approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)

                  -

                  Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4

                  Enhanced Cryptographic Provider (RSAENH)5.1.2600.5507989

                  FIPS approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)

                  -

                  Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits)

                  - - -##### Windows XP SP2 - - ------ - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  DSS/Diffie-Hellman Enhanced Cryptographic Provider5.1.2600.2133240

                  FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)

                  -

                  Other algorithms: DES (Cert. #66); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement)

                  Microsoft Enhanced Cryptographic Provider5.1.2600.2161238

                  FIPS approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

                  -

                  Other algorithms: DES (Cert. #156); RC2; RC4; MD5

                  - - -##### Windows XP SP1 - - ------ - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Microsoft Enhanced Cryptographic Provider5.1.2600.1029238

                  FIPS approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

                  -

                  Other algorithms: DES (Cert. #156); RC2; RC4; MD5

                  - - -##### Windows XP - - ------ - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Kernel Mode Cryptographic Module5.1.2600.0241

                  FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)

                  -

                  Other algorithms: DES (Cert. #89)

                  - - -##### Windows 2000 SP3 - - ------ - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Kernel Mode Cryptographic Module (FIPS.SYS)5.0.2195.1569106

                  FIPS approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

                  -

                  Other algorithms: DES (Certs. #89)

                  Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

                  (Base DSS: 5.0.2195.3665 [SP3])

                  -

                  (Base: 5.0.2195.3839 [SP3])

                  -

                  (DSS/DH Enh: 5.0.2195.3665 [SP3])

                  -

                  (Enh: 5.0.2195.3839 [SP3]

                  103

                  FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

                  -

                  Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

                  - - -##### Windows 2000 SP2 - - ------ - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Kernel Mode Cryptographic Module (FIPS.SYS)5.0.2195.1569106

                  FIPS approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

                  -

                  Other algorithms: DES (Certs. #89)

                  Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

                  (Base DSS:

                  -

                  5.0.2195.2228 [SP2])

                  -

                  (Base:

                  -

                  5.0.2195.2228 [SP2])

                  -

                  (DSS/DH Enh:

                  -

                  5.0.2195.2228 [SP2])

                  -

                  (Enh:

                  -

                  5.0.2195.2228 [SP2])

                  103

                  FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

                  -

                  Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

                  - - -##### Windows 2000 SP1 - - ------ - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

                  (Base DSS: 5.0.2150.1391 [SP1])

                  -

                  (Base: 5.0.2150.1391 [SP1])

                  -

                  (DSS/DH Enh: 5.0.2150.1391 [SP1])

                  -

                  (Enh: 5.0.2150.1391 [SP1])

                  103

                  FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

                  -

                  Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

                  - - -##### Windows 2000 - - ------ - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider5.0.2150.176

                  FIPS approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)

                  -

                  Other algorithms: DES (Certs. #65, 66, 67 and 68); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

                  - - -##### Windows 95 and Windows 98 - - ------ - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider5.0.1877.6 and 5.0.1877.775

                  FIPS approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed)

                  -

                  Other algorithms: DES (Certs. #61, 62, 63 and 64); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

                  - - -##### Windows NT 4.0 - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Base Cryptographic Provider5.0.1877.6 and 5.0.1877.768FIPS approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)
                  -
                  -Other algorithms: DES (Certs. #61, 62, 63 and 64); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)
                  - -## Modules used by Windows Server - -##### Windows Server 2019 (Version 1809) - -Validated Editions: Standard, Datacenter - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library10.0.17763#3197See Security Policy and Certificate page for algorithm information
                  Kernel Mode Cryptographic Primitives Library10.0.17763#3196See Security Policy and Certificate page for algorithm information
                  Code Integrity10.0.17763#3644See Security Policy and Certificate page for algorithm information
                  Windows OS Loader10.0.17763#3615See Security Policy and Certificate page for algorithm information
                  Secure Kernel Code Integrity10.0.17763#3651See Security Policy and Certificate page for algorithm information
                  BitLocker Dump Filter10.0.17763#3092See Security Policy and Certificate page for algorithm information
                  Boot Manager10.0.17763#3089See Security Policy and Certificate page for algorithm information
                  Virtual TPM10.0.17763#3690See Security Policy and Certificate page for algorithm information
                  - -##### Windows Server (Version 1803) - -Validated Editions: Standard, Datacenter - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library10.0.17134#3197See Security Policy and Certificate page for algorithm information
                  Kernel Mode Cryptographic Primitives Library10.0.17134#3196See Security Policy and Certificate page for algorithm information
                  Code Integrity10.0.17134#3195See Security Policy and Certificate page for algorithm information
                  Windows OS Loader10.0.17134#3480See Security Policy and Certificate page for algorithm information
                  Secure Kernel Code Integrity10.0.17134#3096See Security Policy and Certificate page for algorithm information
                  BitLocker Dump Filter10.0.17134#3092See Security Policy and Certificate page for algorithm information
                  Boot Manager10.0.17134#3089See Security Policy and Certificate page for algorithm information
                  - -##### Windows Server (Version 1709) - -Validated Editions: Standard, Datacenter - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library10.0.16299#3197See Security Policy and Certificate page for algorithm information
                  Kernel Mode Cryptographic Primitives Library10.0.16299#3196See Security Policy and Certificate page for algorithm information
                  Code Integrity10.0.16299#3195See Security Policy and Certificate page for algorithm information
                  Windows OS Loader10.0.16299#3194See Security Policy and Certificate page for algorithm information
                  Secure Kernel Code Integrity10.0.16299#3096See Security Policy and Certificate page for algorithm information
                  BitLocker Dump Filter10.0.16299#3092See Security Policy and Certificate page for algorithm information
                  Windows Resume10.0.16299#3091See Security Policy and Certificate page for algorithm information
                  Boot Manager10.0.16299#3089See Security Policy and Certificate page for algorithm information
                  - -##### Windows Server 2016 - -Validated Editions: Standard, Datacenter, Storage Server - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.143932937FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
                  -
                  -Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
                  Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.143932936FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
                  -
                  -Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
                  Boot Manager10.0.143932931

                  FIPS approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

                  -

                  Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

                  BitLocker® Windows OS Loader (winload)10.0.143932932FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
                  -
                  -Other algorithms: NDRNG; MD5
                  BitLocker® Windows Resume (winresume)10.0.143932933FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
                  -
                  -Other algorithms: MD5
                  BitLocker® Dump Filter (dumpfve.sys)10.0.143932934FIPS approved algorithms: AES (Certs. #4061 and #4064)
                  Code Integrity (ci.dll)10.0.143932935FIPS approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
                  -
                  -Other algorithms: AES (non-compliant); MD5
                  Secure Kernel Code Integrity (skci.dll)10.0.143932938FIPS approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
                  -
                  -Other algorithms: MD5
                  - - -##### Windows Server 2012 R2 - -Validated Editions: Server, Storage Server, - -**StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)6.3.9600 6.3.9600.170312357FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
                  -
                  -Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
                  Kernel Mode Cryptographic Primitives Library (cng.sys)6.3.9600 6.3.9600.170422356FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
                  -
                  -Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
                  Boot Manager6.3.9600 6.3.9600.170312351FIPS approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
                  -
                  -Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
                  BitLocker® Windows OS Loader (winload)6.3.9600 6.3.9600.170312352FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
                  -
                  -Other algorithms: MD5; NDRNG
                  BitLocker® Windows Resume (winresume)[16]6.3.9600 6.3.9600.170312353FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
                  -
                  -Other algorithms: MD5
                  BitLocker® Dump Filter (dumpfve.sys)[17]6.3.9600 6.3.9600.170312354FIPS approved algorithms: AES (Cert. #2832)
                  -
                  -Other algorithms: N/A
                  Code Integrity (ci.dll)6.3.9600 6.3.9600.170312355FIPS approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
                  -
                  -Other algorithms: MD5
                  - - -\[16\] Doesn't apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** - -\[17\] Doesn't apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** - -**Windows Server 2012** - -Validated Editions: Server, Storage Server - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)6.2.92001892FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
                  -
                  -Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert.); HMAC (Cert. #); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
                  -
                  -Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
                  Kernel Mode Cryptographic Primitives Library (cng.sys)6.2.92001891FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
                  -
                  -Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
                  -
                  -Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
                  Boot Manager6.2.92001895FIPS approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
                  -
                  -Other algorithms: MD5
                  BitLocker® Windows OS Loader (WINLOAD)6.2.92001896FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
                  -
                  -Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
                  BitLocker® Windows Resume (WINRESUME)6.2.92001898FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
                  -
                  -Other algorithms: MD5
                  BitLocker® Dump Filter (DUMPFVE.SYS)6.2.92001899FIPS approved algorithms: AES (Certs. #2196 and #2198)
                  -
                  -Other algorithms: N/A
                  Code Integrity (CI.DLL)6.2.92001897FIPS approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
                  -
                  -Other algorithms: MD5
                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.2.92001893FIPS approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
                  -
                  -Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
                  Enhanced Cryptographic Provider (RSAENH.DLL)6.2.92001894FIPS approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
                  -
                  -Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
                  - - -##### Windows Server 2008 R2 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Boot Manager (bootmgr)6.1.7600.16385 or 6.1.7601.175141321FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
                  -
                  -Other algorithms: MD5
                  Winload OS Loader (winload.exe)6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216751333FIPS approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
                  -
                  -Other algorithms: MD5
                  Code Integrity (ci.dll)6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221081334FIPS approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
                  -
                  -Other algorithms: MD5
                  Kernel Mode Cryptographic Primitives Library (cng.sys)6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220761335FIPS approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 bits and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
                  -
                  --Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
                  Cryptographic Primitives Library (bcryptprimitives.dll)66.1.7600.16385 or 6.1.7601.175141336FIPS approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 bits and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
                  -
                  -Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4
                  Enhanced Cryptographic Provider (RSAENH)6.1.7600.163851337FIPS approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
                  -
                  -Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.1.7600.163851338FIPS approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
                  -
                  -Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
                  BitLocker™ Drive Encryption6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216751339FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
                  -
                  -Other algorithms: Elephant Diffuser
                  - - -##### Windows Server 2008 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Boot Manager (bootmgr)6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224971004FIPS approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)
                  -
                  -Other algorithms: N/A
                  Winload OS Loader (winload.exe)6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225961005FIPS approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
                  -
                  -Other algorithms: MD5
                  Code Integrity (ci.dll)6.0.6001.18000 and 6.0.6002.180051006FIPS approved algorithms: RSA (Cert. #355); SHS (Cert. #753)
                  -
                  -Other algorithms: MD5
                  Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228691007FIPS approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
                  -
                  -Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert.); RNG (Cert.  and SP800-90 AES-CTR, vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
                  -
                  -Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
                  Cryptographic Primitives Library (bcrypt.dll)6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228721008FIPS approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
                  -
                  -Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)
                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6001.18000 and 6.0.6002.180051009FIPS approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
                  -
                  --Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
                  Enhanced Cryptographic Provider (RSAENH)6.0.6001.22202 and 6.0.6002.180051010FIPS approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
                  -
                  -Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
                  - - -##### Windows Server 2003 SP2 - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.3959875

                  FIPS approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)

                  -

                  Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4

                  Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.3959869

                  FIPS approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)

                  -

                  Other algorithms: DES; HMAC-MD5

                  Enhanced Cryptographic Provider (RSAENH)5.2.3790.3959868

                  FIPS approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)

                  -

                  Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

                  - - -##### Windows Server 2003 SP1 - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.1830 [SP1]405

                  FIPS approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

                  -

                  Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

                  -

                  [1] x86
                  -[2] SP1 x86, x64, IA64

                  Enhanced Cryptographic Provider (RSAENH)5.2.3790.1830 [Service Pack 1])382

                  FIPS approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

                  -

                  Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

                  -

                  [1] x86
                  -[2] SP1 x86, x64, IA64

                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.1830 [Service Pack 1]381

                  FIPS approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

                  -

                  Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

                  -

                  [1] x86
                  -[2] SP1 x86, x64, IA64

                  - - -##### Windows Server 2003 - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.0405

                  FIPS approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

                  -

                  Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

                  -

                  [1] x86
                  -[2] SP1 x86, x64, IA64

                  Enhanced Cryptographic Provider (RSAENH)5.2.3790.0382

                  FIPS approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

                  -

                  Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

                  -

                  [1] x86
                  -[2] SP1 x86, x64, IA64

                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.0381

                  FIPS approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

                  -

                  Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

                  -

                  [1] x86
                  -[2] SP1 x86, x64, IA64

                  - - -#### Other Products - -##### Windows Embedded Compact 7 and Windows Embedded Compact 8 - - ------ - - - - - - - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Enhanced Cryptographic Provider7.00.2872 [1] and 8.00.6246 [2]2957

                  FIPS approved algorithms: AES (Certs.#4433and#4434); CKG (vendor affirmed); DRBG (Certs.#1432and#1433); HMAC (Certs.#2946and#2945); RSA (Certs.#2414and#2415); SHS (Certs.#3651and#3652); Triple-DES (Certs.#2383and#2384)

                  -

                  Allowed algorithms: HMAC-MD5, MD5, NDRNG

                  Cryptographic Primitives Library (bcrypt.dll)7.00.2872 [1] and 8.00.6246 [2]2956

                  FIPS approved algorithms: AES (Certs.#4430and#4431); CKG (vendor affirmed); CVL (Certs.#1139and#1140); DRBG (Certs.#1429and#1430); DSA (Certs.#1187and#1188); ECDSA (Certs.#1072and#1073); HMAC (Certs.#2942and#2943); KAS (Certs.#114and#115); RSA (Certs.#2411and#2412); SHS (Certs.#3648and#3649); Triple-DES (Certs.#2381and#2382)

                  -

                  Allowed algorithms: MD5, NDRNG, RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength

                  - - - -##### Windows CE 6.0 and Windows Embedded Compact 7 - - ------ - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Enhanced Cryptographic Provider6.00.1937 [1] and 7.00.1687 [2]825

                  FIPS approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])

                  -

                  Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES

                  - - -##### Outlook Cryptographic Provider - - ------ - - - - - - - - - - - - - - -
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Outlook Cryptographic Provider (EXCHCSP)SR-1A (3821)110

                  FIPS approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)

                  -

                  Other algorithms: DES (Certs. #91); DES MAC; RC2; MD2; MD5

                  - - - -### Cryptographic Algorithms - -The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation Program (CAVP) issued certificate. - -### Advanced Encryption Standard (AES) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #
                    -
                  • AES-CBC:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-CFB128:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-CTR:
                  • -
                    • -
                    • Counter Source: Internal
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-OFB:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -

                  Microsoft Surface Hub Virtual TPM Implementations #4904

                  -

                  Version 10.0.15063.674

                    -
                  • AES-CBC:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-CFB128:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-CTR:
                  • -
                    • -
                    • Counter Source: Internal
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-OFB:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #4903

                  -

                  Version 10.0.16299

                    -
                  • AES-CBC:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-CCM:
                  • -
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                    • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
                    • -
                    • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
                    • -
                    • Plain Text Length: 0-32
                    • -
                    • Additional authenticated data length: 0-65536
                    • -
                  • -
                  • AES-CFB128:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-CFB8:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-CMAC:
                  • -
                    • -
                    • Generation:
                    • -
                      • -
                      • AES-128:
                      • -
                        • -
                        • Block Sizes: Full, Partial
                        • -
                        • Message Length: 0-65536
                        • -
                        • Tag Length: 16-16
                        • -
                      • -
                      • AES-192:
                      • -
                        • -
                        • Block Sizes: Full, Partial
                        • -
                        • Message Length: 0-65536
                        • -
                        • Tag Length: 16-16
                        • -
                      • -
                      • AES-256:
                      • -
                        • -
                        • Block Sizes: Full, Partial
                        • -
                        • Message Length: 0-65536
                        • -
                        • Tag Length: 16-16
                        • -
                      • -
                    • -
                    • Verification:
                    • -
                      • -
                      • AES-128:
                      • -
                        • -
                        • Block Sizes: Full, Partial
                        • -
                        • Message Length: 0-65536
                        • -
                        • Tag Length: 16-16
                        • -
                      • -
                      • AES-192:
                      • -
                        • -
                        • Block Sizes: Full, Partial
                        • -
                        • Message Length: 0-65536
                        • -
                        • Tag Length: 16-16
                        • -
                      • -
                      • AES-256:
                      • -
                        • -
                        • Block Sizes: Full, Partial
                        • -
                        • Message Length: 0-65536
                        • -
                        • Tag Length: 16-16
                        • -
                      • -
                    • -
                  • -
                  • AES-CTR:
                  • -
                    • -
                    • Counter Source: Internal
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-ECB:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-GCM:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
                    • -
                    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
                    • -
                    • Additional authenticated data lengths: 0, 8, 1016, 1024 (bits)
                    • -
                    • 96 bit IV supported
                    • -
                  • -
                  • AES-XTS:
                  • -
                    • -
                    • Key Size: 128:
                    • -
                      • -
                      • Modes: Decrypt, Encrypt
                      • -
                      • Block Sizes: Full
                      • -
                    • -
                    • Key Size: 256:
                    • -
                      • -
                      • Modes: Decrypt, Encrypt
                      • -
                      • Block Sizes: Full
                      • -
                    • -
                  • -

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #4902

                  -

                  Version 10.0.15063.674

                    -
                  • AES-CBC:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-CCM:
                  • -
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                    • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
                    • -
                    • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
                    • -
                    • Plain Text Length: 0-32
                    • -
                    • Additional authenticated data length: 0-65536
                    • -
                  • -
                  • AES-CFB128:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-CFB8:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-CMAC:
                  • -
                    • -
                    • Generation:
                    • -
                      • -
                      • AES-128:
                      • -
                        • -
                        • Block Sizes: Full, Partial
                        • -
                        • Message Length: 0-65536
                        • -
                        • Tag Length: 16-16
                        • -
                      • -
                      • AES-192:
                      • -
                        • -
                        • Block Sizes: Full, Partial
                        • -
                        • Message Length: 0-65536
                        • -
                        • Tag Length: 16-16
                        • -
                      • -
                      • AES-256:
                      • -
                        • -
                        • Block Sizes: Full, Partial
                        • -
                        • Message Length: 0-65536
                        • -
                        • Tag Length: 16-16
                        • -
                      • -
                    • -
                    • Verification:
                    • -
                      • -
                      • AES-128:
                      • -
                        • -
                        • Block Sizes: Full, Partial
                        • -
                        • Message Length: 0-65536
                        • -
                        • Tag Length: 16-16
                        • -
                      • -
                      • AES-192:
                      • -
                        • -
                        • Block Sizes: Full, Partial
                        • -
                        • Message Length: 0-65536
                        • -
                        • Tag Length: 16-16
                        • -
                      • -
                      • AES-256:
                      • -
                        • -
                        • Block Sizes: Full, Partial
                        • -
                        • Message Length: 0-65536
                        • -
                        • Tag Length: 16-16
                        • -
                      • -
                    • -
                  • -
                  • AES-CTR:
                  • -
                    • -
                    • Counter Source: Internal
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-ECB:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-GCM:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
                    • -
                    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
                    • -
                    • Additional authenticated data lengths: 0, 8, 1016, 1024 (bits)
                    • -
                    • 96 bit IV supported
                    • -
                  • -
                  • AES-XTS:
                  • -
                    • -
                    • Key Size: 128:
                    • -
                      • -
                      • Modes: Decrypt, Encrypt
                      • -
                      • Block Sizes: Full
                      • -
                    • -
                    • Key Size: 256:
                    • -
                      • -
                      • Modes: Decrypt, Encrypt
                      • -
                      • Block Sizes: Full
                      • -
                    • -
                  • -

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4901

                  -

                  Version 10.0.15254

                    -
                  • AES-CBC:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-CCM:
                  • -
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                    • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
                    • -
                    • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
                    • -
                    • Plain Text Length: 0-32
                    • -
                    • Additional authenticated data length: 0-65536
                    • -
                  • -
                  • AES-CFB128:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-CFB8:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-CMAC:
                  • -
                    • -
                    • Generation:
                    • -
                      • -
                      • AES-128:
                      • -
                        • -
                        • Block Sizes: Full, Partial
                        • -
                        • Message Length: 0-65536
                        • -
                        • Tag Length: 16-16
                        • -
                      • -
                      • AES-192:
                      • -
                        • -
                        • Block Sizes: Full, Partial
                        • -
                        • Message Length: 0-65536
                        • -
                        • Tag Length: 16-16
                        • -
                      • -
                      • AES-256:
                      • -
                        • -
                        • Block Sizes: Full, Partial
                        • -
                        • Message Length: 0-65536
                        • -
                        • Tag Length: 16-16
                        • -
                      • -
                    • -
                    • Verification:
                    • -
                      • -
                      • AES-128:
                      • -
                        • -
                        • Block Sizes: Full, Partial
                        • -
                        • Message Length: 0-65536
                        • -
                        • Tag Length: 16-16
                        • -
                      • -
                      • AES-192:
                      • -
                        • -
                        • Block Sizes: Full, Partial
                        • -
                        • Message Length: 0-65536
                        • -
                        • Tag Length: 16-16
                        • -
                      • -
                      • AES-256:
                      • -
                        • -
                        • Block Sizes: Full, Partial
                        • -
                        • Message Length: 0-65536
                        • -
                        • Tag Length: 16-16
                        • -
                      • -
                    • -
                  • -
                  • AES-CTR:
                  • -
                    • -
                    • Counter Source: Internal
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-ECB:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                  • -
                  • AES-GCM:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • IV Generation: External
                    • -
                    • Key Lengths: 128, 192, 256 (bits)
                    • -
                    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
                    • -
                    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
                    • -
                    • Additional authenticated data lengths: 0, 8, 1016, 1024 (bits)
                    • -
                    • 96 bit IV supported
                    • -
                  • -
                  • AES-XTS:
                  • -
                    • -
                    • Key Size: 128:
                    • -
                      • -
                      • Modes: Decrypt, Encrypt
                      • -
                      • Block Sizes: Full
                      • -
                    • -
                    • Key Size: 256:
                    • -
                      • -
                      • Modes: Decrypt, Encrypt
                      • -
                      • Block Sizes: Full
                      • -
                    • -
                  • -

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897

                  -

                  Version 10.0.16299

                  AES-KW:

                  -
                    -
                  • Modes: Decrypt, Encrypt
                  • -
                  • CIPHK transformation direction: Forward
                  • -
                  • Key Lengths: 128, 192, 256 (bits)
                  • -
                  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
                  • -
                  -

                  AES validation number 4902

                  Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #4900

                  -

                  Version 10.0.15063.674

                  AES-KW:

                  -
                    -
                  • Modes: Decrypt, Encrypt
                  • -
                  • CIPHK transformation direction: Forward
                  • -
                  • Key Lengths: 128, 192, 256 (bits)
                  • -
                  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
                  • -
                  -

                  AES validation number 4901

                  Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #4899

                  -

                  Version 10.0.15254

                  AES-KW:

                  -
                    -
                  • Modes: Decrypt, Encrypt
                  • -
                  • CIPHK transformation direction: Forward
                  • -
                  • Key Lengths: 128, 192, 256 (bits)
                  • -
                  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
                  • -
                  -

                  AES validation number 4897

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898

                  -

                  Version 10.0.16299

                  AES-CCM:

                  -
                    -
                  • Key Lengths: 256 (bits)
                  • -
                  • Tag Lengths: 128 (bits)
                  • -
                  • IV Lengths: 96 (bits)
                  • -
                  • Plain Text Length: 0-32
                  • -
                  • Additional authenticated data length: 0-65536
                  • -
                  -

                  AES validation number 4902

                  Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896

                  -

                  Version 10.0.15063.674

                  AES-CCM:

                  -
                    -
                  • Key Lengths: 256 (bits)
                  • -
                  • Tag Lengths: 128 (bits)
                  • -
                  • IV Lengths: 96 (bits)
                  • -
                  • Plain Text Length: 0-32
                  • -
                  • Additional authenticated data length: 0-65536
                  • -
                  -

                  AES validation number 4901

                  Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895

                  -

                  Version 10.0.15254

                  AES-CCM:

                  -
                    -
                  • Key Lengths: 256 (bits)
                  • -
                  • Tag Lengths: 128 (bits)
                  • -
                  • IV Lengths: 96 (bits)
                  • -
                  • Plain Text Length: 0-32
                  • -
                  • Additional authenticated data length: 0-65536
                  • -
                  -

                  AES validation number 4897

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894

                  -

                  Version 10.0.16299

                  CBC (e/d; 128, 192, 256);

                  -

                  CFB128 (e/d; 128, 192, 256);

                  -

                  OFB (e/d; 128, 192, 256);

                  -

                  CTR (int only; 128, 192, 256)

                  Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627

                  -

                  Version 10.0.15063

                  KW (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

                  -

                  AES validation number 4624

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626

                  -

                  Version 10.0.15063

                  CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                  -

                  AES validation number 4624

                  -

                   

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625

                  -

                  Version 10.0.15063

                  ECB (e/d; 128, 192, 256);

                  -

                  CBC (e/d; 128, 192, 256);

                  -

                  CFB8 (e/d; 128, 192, 256);

                  -

                  CFB128 (e/d; 128, 192, 256);

                  -

                  CTR (int only; 128, 192, 256)

                  -

                  CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

                  -

                  CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)

                  -

                  GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

                  -

                  (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)

                  -

                  IV Generated: (External); PT Lengths Tested: (0, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 1024, 8, 1016); 96 bit IV supported

                  -

                  GMAC supported

                  -

                  XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624

                  -

                  Version 10.0.15063

                  ECB (e/d; 128, 192, 256);

                  -

                  CBC (e/d; 128, 192, 256);

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434

                  -

                  Version 7.00.2872

                  ECB (e/d; 128, 192, 256);

                  -

                  CBC (e/d; 128, 192, 256);

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433

                  -

                  Version 8.00.6246

                  ECB (e/d; 128, 192, 256);

                  -

                  CBC (e/d; 128, 192, 256);

                  -

                  CTR (int only; 128, 192, 256)

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431

                  -

                  Version 7.00.2872

                  ECB (e/d; 128, 192, 256);

                  -

                  CBC (e/d; 128, 192, 256);

                  -

                  CTR (int only; 128, 192, 256)

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430

                  -

                  Version 8.00.6246

                  CBC (e/d; 128, 192, 256);

                  -

                  CFB128 (e/d; 128, 192, 256);

                  -

                  OFB (e/d; 128, 192, 256);

                  -

                  CTR (int only; 128, 192, 256)

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074

                  -

                  Version 10.0.14393

                  ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)

                  -

                  CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

                  -

                  CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

                  -

                  GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
                  -(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
                  -IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported
                  -GMAC supported

                  -

                  XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064

                  -

                  Version 10.0.14393

                  ECB (e/d; 128, 192, 256);

                  -

                  CBC (e/d; 128, 192, 256);

                  -

                  CFB8 (e/d; 128, 192, 256);

                  -

                   

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
                  -Version 10.0.14393

                  KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 192, 256, 320, 2048)

                  -

                  AES validation number 4064

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062

                  -

                  Version 10.0.14393

                  CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                  -

                  AES validation number 4064

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061

                  -

                  Version 10.0.14393

                  KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

                  -

                  AES validation number 3629

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652

                  -

                  Version 10.0.10586

                  CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                  -

                  AES validation number 3629

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653

                  -

                  Version 10.0.10586

                  ECB (e/d; 128, 192, 256);

                  -

                  CBC (e/d; 128, 192, 256);

                  -

                  CFB8 (e/d; 128, 192, 256);

                  -

                   

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
                  -Version 10.0.10586

                  ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)

                  -

                  CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

                  -

                  CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

                  -

                  GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
                  -(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
                  -IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported
                  -GMAC supported

                  -

                  XTS((KS: XTS_128((e/d) (f)) KS: XTS_256((e/d) (f))

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629
                  -
                  -

                  -

                  Version 10.0.10586

                  KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

                  -

                  AES validation number 3497

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507

                  -

                  Version 10.0.10240

                  CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                  -

                  AES validation number 3497

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498

                  -

                  Version 10.0.10240

                  ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)

                  -

                  CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

                  -

                  CMAC(Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

                  -

                  GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
                  -(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
                  -IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested:  (0, 0); 96 bit IV supported
                  -GMAC supported

                  -

                  XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
                  -Version 10.0.10240

                  ECB (e/d; 128, 192, 256);

                  -

                  CBC (e/d; 128, 192, 256);

                  -

                  CFB8 (e/d; 128, 192, 256);

                  -

                   

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
                  -Version 10.0.10240

                  ECB (e/d; 128, 192, 256);

                  -

                  CBC (e/d; 128, 192, 256);

                  -

                  CFB8 (e/d; 128, 192, 256);

                  -

                   

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853

                  -

                  Version 6.3.9600

                  CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                  -

                  AES validation number 2832

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BitLocker Cryptographic Implementations #2848

                  -

                  Version 6.3.9600

                  CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 0 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

                  -

                  CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

                  -

                  GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

                  -

                  (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)

                  -

                  IV Generated:  (Externally); PT Lengths Tested:  (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 128, 1024, 8, 1016); IV Lengths Tested:  (8, 1024); 96 bit IV supported;
                  -OtherIVLen_Supported
                  -GMAC supported

                  Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

                  -

                  Version 6.3.9600

                  CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
                  -AES validation number 2197

                  -

                  CMAC (Generation/Verification) (KS: 128; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)
                  -AES validation number 2197

                  -

                  GCM(KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
                  -(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
                  -IV Generated: (Externally); PT Lengths Tested: (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 128, 1024, 8, 1016); IV Lengths Tested: (8, 1024); 96 bit IV supported
                  -GMAC supported

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216

                  CCM (KS: 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                  -

                  AES validation number 2196

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198

                  ECB (e/d; 128, 192, 256);

                  -

                  CBC (e/d; 128, 192, 256);

                  -

                  CFB8 (e/d; 128, 192, 256);

                  -

                  CFB128 (e/d; 128, 192, 256);

                  -

                  CTR (int only; 128, 192, 256)

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197

                  ECB (e/d; 128, 192, 256);

                  -

                  CBC (e/d; 128, 192, 256);

                  -

                  CFB8 (e/d; 128, 192, 256);

                  -

                   

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196
                  CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 – 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
                  -AES validation number 1168

                  Windows Server 2008 R2 and SP1 CNG algorithms #1187

                  -

                  Windows 7 Ultimate and SP1 CNG algorithms #1178

                  CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16)
                  -AES validation number 1168
                  Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177

                  ECB (e/d; 128, 192, 256);

                  -

                  CBC (e/d; 128, 192, 256);

                  -

                  CFB8 (e/d; 128, 192, 256);

                  -

                   

                  Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168

                  GCM

                  -

                  GMAC

                  Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168, vendor-affirmed
                  CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16)Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760
                  CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 1 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

                  Windows Server 2008 CNG algorithms #757

                  -

                  Windows Vista Ultimate SP1 CNG algorithms #756

                  CBC (e/d; 128, 256);

                  -

                  CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16)

                  Windows Vista Ultimate BitLocker Drive Encryption #715

                  -

                  Windows Vista Ultimate BitLocker Drive Encryption #424

                  ECB (e/d; 128, 192, 256);

                  -

                  CBC (e/d; 128, 192, 256);

                  -

                  CFB8 (e/d; 128, 192, 256);

                  Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739

                  -

                  Windows Vista Symmetric Algorithm Implementation #553

                  ECB (e/d; 128, 192, 256);

                  -

                  CBC (e/d; 128, 192, 256);

                  -

                  CTR (int only; 128, 192, 256)

                  Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023

                  ECB (e/d; 128, 192, 256);

                  -

                  CBC (e/d; 128, 192, 256);

                  Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024

                  -

                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818

                  -

                  Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781

                  -

                  Windows 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #548

                  -

                  Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #516

                  -

                  Windows CE and Windows Mobile 6, 6.1, and 6.5 Enhanced Cryptographic Provider (RSAENH) #507

                  -

                  Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #290

                  -

                  Windows CE 5.0 and 5.1 Enhanced Cryptographic Provider (RSAENH) #224

                  -

                  Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #80

                  -

                  Windows XP, SP1, and SP2 Enhanced Cryptographic Provider (RSAENH) #33

                  - - -### Deterministic Random Bit Generator (DRBG) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #
                    -
                  • Counter:
                  • -
                    • -
                    • Modes: AES-256
                    • -
                    • Derivation Function States: Derivation Function not used
                    • -
                    • Prediction Resistance Modes: Not Enabled
                    • -
                  • -
                  -

                  Prerequisite: AES #4904

                  Microsoft Surface Hub Virtual TPM Implementations #1734

                  -

                  Version 10.0.15063.674

                    -
                  • Counter:
                  • -
                    • -
                    • Modes: AES-256
                    • -
                    • Derivation Function States: Derivation Function not used
                    • -
                    • Prediction Resistance Modes: Not Enabled
                    • -
                  • -
                  -

                  Prerequisite: AES #4903

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733

                  -

                  Version 10.0.16299

                    -
                  • Counter:
                  • -
                    • -
                    • Modes: AES-256
                    • -
                    • Derivation Function States: Derivation Function used
                    • -
                    • Prediction Resistance Modes: Not Enabled
                    • -
                  • -
                  -

                  Prerequisite: AES #4902

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #1732

                  -

                  Version 10.0.15063.674

                    -
                  • Counter:
                  • -
                    • -
                    • Modes: AES-256
                    • -
                    • Derivation Function States: Derivation Function used
                    • -
                    • Prediction Resistance Modes: Not Enabled
                    • -
                  • -
                  -

                  Prerequisite: AES #4901

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1731

                  -

                  Version 10.0.15254

                    -
                  • Counter:
                  • -
                    • -
                    • Modes: AES-256
                    • -
                    • Derivation Function States: Derivation Function used
                    • -
                    • Prediction Resistance Modes: Not Enabled
                    • -
                  • -
                  -

                  Prerequisite: AES #4897

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730

                  -

                  Version 10.0.16299

                  CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4627)]

                  Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556

                  -

                  Version 10.0.15063

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 4624)]

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555

                  -

                  Version 10.0.15063

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4434)]

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433

                  -

                  Version 7.00.2872

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4433)]

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432

                  -

                  Version 8.00.6246

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4431)]

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430

                  -

                  Version 7.00.2872

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4430)]

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429

                  -

                  Version 8.00.6246

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4074)]

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

                  -

                  Version 10.0.14393

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 4064)]

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217

                  -

                  Version 10.0.14393

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 3629)]

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955

                  -

                  Version 10.0.10586

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 3497)]

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868

                  -

                  Version 10.0.10240

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 2832)]

                  Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

                  -

                  Version 6.3.9600

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 2197)]Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258
                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 2023)]Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193
                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 1168)]Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23
                  DRBG (SP 800–90)Windows Vista Ultimate SP1, vendor-affirmed
                  - - -#### Digital Signature Algorithm (DSA) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #
                    -
                  • DSA:
                  • -
                    • -
                    • 186-4:
                    • -
                      • -
                      • PQGGen:
                      • -
                        • -
                        • L = 2048, N = 256 SHA: SHA-256
                        • -
                        • L = 3072, N = 256 SHA: SHA-256
                        • -
                      • -
                      • PQGVer:
                      • -
                        • -
                        • L = 2048, N = 256 SHA: SHA-256
                        • -
                        • L = 3072, N = 256 SHA: SHA-256
                        • -
                      • -
                      • SigGen:
                      • -
                        • -
                        • L = 2048, N = 256 SHA: SHA-256
                        • -
                        • L = 3072, N = 256 SHA: SHA-256
                        • -
                      • -
                      • SigVer:
                      • -
                        • -
                        • L = 2048, N = 256 SHA: SHA-256
                        • -
                        • L = 3072, N = 256 SHA: SHA-256
                        • -
                      • -
                      • KeyPair:
                      • -
                        • -
                        • L = 2048, N = 256
                        • -
                        • L = 3072, N = 256
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4011, DRBG #1732

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #1303

                  -

                  Version 10.0.15063.674

                    -
                  • DSA:
                  • -
                    • -
                    • 186-4:
                    • -
                      • -
                      • PQGGen:
                      • -
                        • -
                        • L = 2048, N = 256 SHA: SHA-256
                        • -
                        • L = 3072, N = 256 SHA: SHA-256
                        • -
                      • -
                      • PQGVer:
                      • -
                        • -
                        • L = 2048, N = 256 SHA: SHA-256
                        • -
                        • L = 3072, N = 256 SHA: SHA-256
                        • -
                      • -
                      • SigGen:
                      • -
                        • -
                        • L = 2048, N = 256 SHA: SHA-256
                        • -
                        • L = 3072, N = 256 SHA: SHA-256
                        • -
                      • -
                      • SigVer:
                      • -
                        • -
                        • L = 2048, N = 256 SHA: SHA-256
                        • -
                        • L = 3072, N = 256 SHA: SHA-256
                        • -
                      • -
                      • KeyPair:
                      • -
                        • -
                        •  
                        • -
                        •  
                        • -
                        • L = 2048, N = 256
                        • -
                        • L = 3072, N = 256
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4010, DRBG #1731

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1302

                  -

                  Version 10.0.15254

                    -
                  • DSA:
                  • -
                    • -
                    • 186-4:
                    • -
                      • -
                      • PQGGen:
                      • -
                        • -
                        • L = 2048, N = 256 SHA: SHA-256
                        • -
                        • L = 3072, N = 256 SHA: SHA-256
                        • -
                      • -
                      • PQGVer:
                      • -
                        • -
                        • L = 2048, N = 256 SHA: SHA-256
                        • -
                        • L = 3072, N = 256 SHA: SHA-256
                        • -
                      • -
                      • SigGen:
                      • -
                        • -
                        • L = 2048, N = 256 SHA: SHA-256
                        • -
                        • L = 3072, N = 256 SHA: SHA-256
                        • -
                      • -
                      • SigVer:
                      • -
                        • -
                        • L = 2048, N = 256 SHA: SHA-256
                        • -
                        • L = 3072, N = 256 SHA: SHA-256
                        • -
                      • -
                      • KeyPair:
                      • -
                        • -
                        • L = 2048, N = 256
                        • -
                        • L = 3072, N = 256
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4009, DRBG #1730

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301

                  -

                  Version 10.0.16299

                  FIPS186-4:

                  -

                  PQG(gen)PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]

                  -

                  PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

                  -

                  KeyPairGen:   [(2048,256); (3072,256)]

                  -

                  SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

                  -

                  SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

                  -

                  SHS: validation number 3790

                  -

                  DRBG: validation number 1555

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223

                  -

                  Version 10.0.15063

                  FIPS186-4:
                  -PQG(ver)PARMS TESTED:
                    [(1024,160) SHA(1)]
                  -SIG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
                  -SHS: validation number 3649

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188

                  -

                  Version 7.00.2872

                  FIPS186-4:
                  -PQG(ver)PARMS TESTED:
                    [(1024,160) SHA(1)]
                  -SIG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
                  -SHS: validation number 3648

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187

                  -

                  Version 8.00.6246

                  FIPS186-4:
                  -PQG(gen)
                  PARMS TESTED: [
                  -(2048,256)SHA(256); (3072,256) SHA(256)]
                  -PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
                  -KeyPairGen:    [(2048,256); (3072,256)]
                  -SIG(gen)PARMS TESTED:   [(2048,256)
                  -SHA(256); (3072,256) SHA(256)]
                  -SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

                  -

                  SHS: validation number 3347
                  -DRBG: validation number 1217

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098

                  -

                  Version 10.0.14393

                  FIPS186-4:
                  -PQG(gen)
                  PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)] PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
                  -KeyPairGen:    [(2048,256); (3072,256)] SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
                  -SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

                  -

                  SHS: validation number 3047
                  -DRBG: validation number 955

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024

                  -

                  Version 10.0.10586

                  FIPS186-4:
                  -PQG(gen)
                  PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]
                  -PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
                  -KeyPairGen:    [(2048,256); (3072,256)]
                  -SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)] SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

                  -

                  SHS: validation number 2886
                  -DRBG: validation number 868

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983

                  -

                  Version 10.0.10240

                  FIPS186-4:
                  -PQG(gen)
                  PARMS TESTED:   [
                  -(2048,256)SHA(256); (3072,256) SHA(256)]
                  -PQG(ver)PARMS TESTED:   [(2048,256)
                  -SHA(256); (3072,256) SHA(256)]
                  -KeyPairGen:    [(2048,256); (3072,256)]
                  -SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
                  -SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

                  -

                  SHS: validation number 2373
                  -DRBG: validation number 489

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

                  -

                  Version 6.3.9600

                  FIPS186-2:
                  -PQG(ver) MOD(1024);
                  -SIG(ver) MOD(1024);
                  -SHS: #1903
                  -DRBG: #258

                  -

                  FIPS186-4:
                  -PQG(gen)PARMS TESTED
                  : [(2048,256)SHA(256); (3072,256) SHA(256)]
                  -PQG(ver)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
                  -SIG(gen)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
                  -SIG(ver)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
                  -SHS: #1903
                  -DRBG: #258
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 687.

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687
                  FIPS186-2:
                  -PQG(ver)
                  MOD(1024);
                  -SIG(ver) MOD(1024);
                  -SHS: #1902
                  -DRBG: #258
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 686.
                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686
                  FIPS186-2:
                  -SIG(ver)
                  MOD(1024);
                  -SHS: validation number 1773
                  -DRBG: validation number 193
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 645.
                  Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645
                  FIPS186-2:
                  -SIG(ver)
                  MOD(1024);
                  -SHS: validation number 1081
                  -DRBG: validation number 23
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 391. See Historical DSA List validation number 386.

                  Windows Server 2008 R2 and SP1 CNG algorithms #391

                  -

                  Windows 7 Ultimate and SP1 CNG algorithms #386

                  FIPS186-2:
                  -SIG(ver)
                  MOD(1024);
                  -SHS: validation number 1081
                  -RNG: validation number 649
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 390. See Historical DSA List validation number 385.

                  Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390

                  -

                  Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385

                  FIPS186-2:
                  -SIG(ver)
                  MOD(1024);
                  -SHS: validation number 753
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 284. See Historical DSA List validation number 283.

                  Windows Server 2008 CNG algorithms #284

                  -

                  Windows Vista Ultimate SP1 CNG algorithms #283

                  FIPS186-2:
                  -SIG(ver)
                  MOD(1024);
                  -SHS: validation number 753
                  -RNG: validation number 435
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 282. See Historical DSA List validation number 281.

                  Windows Server 2008 Enhanced DSS (DSSENH) #282

                  -

                  Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281

                  FIPS186-2:
                  -SIG(ver)
                  MOD(1024);
                  -SHS: validation number 618
                  -RNG: validation number 321
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 227. See Historical DSA List validation number 226.

                  Windows Vista CNG algorithms #227

                  -

                  Windows Vista Enhanced DSS (DSSENH) #226

                  FIPS186-2:
                  -SIG(ver)
                  MOD(1024);
                  -SHS: validation number 784
                  -RNG: validation number 448
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 292.
                  Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292
                  FIPS186-2:
                  -SIG(ver)
                  MOD(1024);
                  -SHS: validation number 783
                  -RNG: validation number 447
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 291.
                  Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291
                  FIPS186-2:
                  -PQG(gen)
                  MOD(1024);
                  -PQG(ver) MOD(1024);
                  -KEYGEN(Y) MOD(1024);
                  -SIG(gen) MOD(1024);
                  -SIG(ver) MOD(1024);
                  -SHS: validation number 611
                  -RNG: validation number 314
                  Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221
                  FIPS186-2:
                  -PQG(gen)
                  MOD(1024);
                  -PQG(ver) MOD(1024);
                  -KEYGEN(Y) MOD(1024);
                  -SIG(gen) MOD(1024);
                  -SIG(ver) MOD(1024);
                  -SHS: validation number 385
                  Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146
                  FIPS186-2:
                  -PQG(ver)
                  MOD(1024);
                  -KEYGEN(Y) MOD(1024);
                  -SIG(gen) MOD(1024);
                  -SIG(ver) MOD(1024);
                  -SHS: validation number 181
                  -
                  -
                  Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95
                  FIPS186-2:
                  -PQG(gen)
                  MOD(1024);
                  -PQG(ver) MOD(1024);
                  -KEYGEN(Y) MOD(1024);
                  -SIG(gen) MOD(1024);
                  -SHS: SHA-1 (BYTE)
                  -SIG(ver) MOD(1024);
                  -SHS: SHA-1 (BYTE)

                  Windows 2000 DSSENH.DLL #29

                  -

                  Windows 2000 DSSBASE.DLL #28

                  -

                  Windows NT 4 SP6 DSSENH.DLL #26

                  -

                  Windows NT 4 SP6 DSSBASE.DLL #25

                  FIPS186-2: PRIME;
                  -FIPS186-2:

                  -

                  KEYGEN(Y):
                  -SHS: SHA-1 (BYTE)

                  -

                  SIG(gen):
                  -SIG(ver)
                  MOD(1024);
                  -SHS: SHA-1 (BYTE)

                  Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17
                  - - -#### Elliptic Curve Digital Signature Algorithm (ECDSA) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #
                    -
                  • ECDSA:
                  • -
                    • -
                    • 186-4:
                    • -
                      • -
                      • Key Pair Generation:
                      • -
                        • -
                        • Curves: P-256, P-384, P-521
                        • -
                        • Generation Methods: Extra Random Bits
                        • -
                      • -
                      • Public Key Validation:
                      • -
                        • -
                        • Curves: P-256, P-384, P-521
                        • -
                      • -
                      • Signature Generation:
                      • -
                        • -
                        • P-256 SHA: SHA-256
                        • -
                        • P-384 SHA: SHA-384
                        • -
                        • P-521 SHA: SHA-512
                        • -
                      • -
                      • Signature Verification:
                      • -
                        • -
                        • P-256 SHA: SHA-256
                        • -
                        • P-384 SHA: SHA-384
                        • -
                        • P-521 SHA: SHA-512
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #2373, DRBG #489

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263

                  -

                  Version 6.3.9600

                    -
                  • ECDSA:
                  • -
                    • -
                    • 186-4:
                    • -
                      • -
                      • Key Pair Generation:
                      • -
                        • -
                        • Curves: P-256, P-384
                        • -
                        • Generation Methods: Testing Candidates
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4011, DRBG #1734

                  Microsoft Surface Hub Virtual TPM Implementations #1253

                  -

                  Version 10.0.15063.674

                    -
                  • ECDSA:
                  • -
                    • -
                    • 186-4:
                    • -
                      • -
                      • Key Pair Generation:
                      • -
                        • -
                        • Curves: P-256, P-384
                        • -
                        • Generation Methods: Testing Candidates
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4009, DRBG #1733

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252

                  -

                  Version 10.0.16299

                    -
                  • ECDSA:
                  • -
                    • -
                    • 186-4:
                    • -
                      • -
                      • Key Pair Generation:
                      • -
                        • -
                        • Curves: P-256, P-384, P-521
                        • -
                        • Generation Methods: Extra Random Bits
                        • -
                      • -
                      • Public Key Validation:
                      • -
                        • -
                        • Curves: P-256, P-384, P-521
                        • -
                      • -
                      • Signature Generation:
                      • -
                        • -
                        • P-256 SHA: SHA-256
                        • -
                        • P-384 SHA: SHA-384
                        • -
                        • P-521 SHA: SHA-512
                        • -
                      • -
                      • Signature Verification:
                      • -
                        • -
                        • P-256 SHA: SHA-256
                        • -
                        • P-384 SHA: SHA-384
                        • -
                        • P-521 SHA: SHA-512
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4011, DRBG #1732

                  Microsoft Surface Hub MsBignum Cryptographic Implementations #1251

                  -

                  Version 10.0.15063.674

                    -
                  • ECDSA:
                  • -
                    • -
                    • 186-4:
                    • -
                      • -
                      • Key Pair Generation:
                      • -
                        • -
                        • Curves: P-256, P-384, P-521
                        • -
                        • Generation Methods: Extra Random Bits
                        • -
                      • -
                      • Public Key Validation:
                      • -
                        • -
                        • Curves: P-256, P-384, P-521
                        • -
                      • -
                      • Signature Generation:
                      • -
                        • -
                        • P-256 SHA: SHA-256
                        • -
                        • P-384 SHA: SHA-384
                        • -
                        • P-521 SHA: SHA-512
                        • -
                      • -
                      • Signature Verification:
                      • -
                        • -
                        • P-256 SHA: SHA-256
                        • -
                        • P-384 SHA: SHA-384
                        • -
                        • P-521 SHA: SHA-512
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4011, DRBG #1732

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #1250

                  -

                  Version 10.0.15063.674

                    -
                  • ECDSA:
                  • -
                    • -
                    • 186-4:
                    • -
                      • -
                      • Key Pair Generation:
                      • -
                        • -
                        • Curves: P-256, P-384, P-521
                        • -
                        • Generation Methods: Extra Random Bits
                        • -
                      • -
                      • Public Key Validation:
                      • -
                        • -
                        • Curves: P-256, P-384, P-521
                        • -
                      • -
                      • Signature Generation:
                      • -
                        • -
                        • P-256 SHA: SHA-256
                        • -
                        • P-384 SHA: SHA-384
                        • -
                        • P-521 SHA: SHA-512
                        • -
                      • -
                      • Signature Verification:
                      • -
                        • -
                        • P-256 SHA: SHA-256
                        • -
                        • P-384 SHA: SHA-384
                        • -
                        • P-521 SHA: SHA-512
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4010, DRBG #1731

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1249

                  -

                  Version 10.0.15254

                    -
                  • ECDSA:
                  • -
                    • -
                    • 186-4:
                    • -
                      • -
                      • Key Pair Generation:
                      • -
                        • -
                        • Curves: P-256, P-384, P-521
                        • -
                        • Generation Methods: Extra Random Bits
                        • -
                      • -
                      • Public Key Validation:
                      • -
                        • -
                        • Curves: P-256, P-384, P-521
                        • -
                      • -
                      • Signature Generation:
                      • -
                        • -
                        • P-256 SHA: SHA-256
                        • -
                        • P-384 SHA: SHA-384
                        • -
                        • P-521 SHA: SHA-512
                        • -
                      • -
                      • Signature Verification:
                      • -
                        • -
                        • P-256 SHA: SHA-256
                        • -
                        • P-384 SHA: SHA-384
                        • -
                        • P-521 SHA: SHA-512
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4010, DRBG #1731

                  Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1248

                  -

                  Version 10.0.15254

                    -
                  • ECDSA:
                  • -
                    • -
                    • 186-4:
                    • -
                      • -
                      • Key Pair Generation:
                      • -
                        • -
                        • Curves: P-256, P-384, P-521
                        • -
                        • Generation Methods: Extra Random Bits
                        • -
                      • -
                      • Public Key Validation:
                      • -
                        • -
                        • Curves: P-256, P-384, P-521
                        • -
                      • -
                      • Signature Generation:
                      • -
                        • -
                        • P-256 SHA: SHA-256
                        • -
                        • P-384 SHA: SHA-384
                        • -
                        • P-521 SHA: SHA-512
                        • -
                      • -
                      • Signature Verification:
                      • -
                        • -
                        • P-256 SHA: SHA-256
                        • -
                        • P-384 SHA: SHA-384
                        • -
                        • P-521 SHA: SHA-512
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4009, DRBG #1730

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247

                  -

                  Version 10.0.16299

                    -
                  • ECDSA:
                  • -
                    • -
                    • 186-4:
                    • -
                      • -
                      • Key Pair Generation:
                      • -
                        • -
                        • Curves: P-256, P-384, P-521
                        • -
                        • Generation Methods: Extra Random Bits
                        • -
                      • -
                      • Public Key Validation:
                      • -
                        • -
                        • Curves: P-256, P-384, P-521
                        • -
                      • -
                      • Signature Generation:
                      • -
                        • -
                        • P-256 SHA: SHA-256
                        • -
                        • P-384 SHA: SHA-384
                        • -
                        • P-521 SHA: SHA-512
                        • -
                      • -
                      • Signature Verification:
                      • -
                        • -
                        • P-256 SHA: SHA-256
                        • -
                        • P-384 SHA: SHA-384
                        • -
                        • P-521 SHA: SHA-512
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4009, DRBG #1730

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246

                  -

                  Version 10.0.16299

                  FIPS186-4:
                  -PKG: CURVES
                  (P-256 P-384 TestingCandidates)
                  -SHS: validation number 3790
                  -DRBG: validation number 1555

                  Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136

                  -

                  Version 10.0.15063

                  FIPS186-4:
                  -PKG: CURVES
                  (P-256 P-384 P-521 ExtraRandomBits)
                  -PKV: CURVES(P-256 P-384 P-521)
                  -SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                  -SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
                  -SHS: validation number 3790
                  -DRBG: validation number 1555

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135

                  -

                  Version 10.0.15063

                  FIPS186-4:
                  -PKG: CURVES
                  (P-256 P-384 P-521 ExtraRandomBits)
                  -PKV: CURVES(P-256 P-384 P-521)
                  -SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                  -SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
                  -SHS: validation number 3790
                  -DRBG: validation number 1555

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133

                  -

                  Version 10.0.15063

                  FIPS186-4:
                  -PKG: CURVES
                  (P-256 P-384 P-521 ExtraRandomBits)
                  -PKV: CURVES(P-256 P-384 P-521)
                  -SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  -SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))
                  -SHS:validation number 3649
                  -DRBG:validation number 1430

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073

                  -

                  Version 7.00.2872

                  FIPS186-4:
                  -PKG: CURVES
                  (P-256 P-384 P-521 ExtraRandomBits)
                  -PKV: CURVES(P-256 P-384 P-521)
                  -SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  -SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))
                  -SHS:validation number 3648
                  -DRBG:validation number 1429

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072

                  -

                  Version 8.00.6246

                  FIPS186-4:
                  -PKG: CURVES
                  (P-256 P-384 TestingCandidates)
                  -PKV: CURVES(P-256 P-384)
                  -SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  -SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384))

                  -

                  SHS: validation number 3347
                  -DRBG: validation number 1222

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

                  -

                  Version 10.0.14393

                  FIPS186-4:
                  -PKG: CURVES
                  (P-256 P-384 P-521 ExtraRandomBits)
                  -PKV: CURVES(P-256 P-384 P-521)
                  -SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                  -SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

                  -

                  SHS: validation number 3347
                  -DRBG: validation number 1217

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911

                  -

                  Version 10.0.14393

                  FIPS186-4:
                  -PKG: CURVES
                  (P-256 P-384 P-521 ExtraRandomBits)
                  -SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                  -SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

                  -

                  SHS: validation number 3047
                  -DRBG: validation number 955

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760

                  -

                  Version 10.0.10586

                  FIPS186-4:
                  -PKG: CURVES
                  (P-256 P-384 P-521 ExtraRandomBits)
                  -SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                  -SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

                  -

                  SHS: validation number 2886
                  -DRBG: validation number 868

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706

                  -

                  Version 10.0.10240

                  FIPS186-4:
                  -PKG: CURVES
                  (P-256 P-384 P-521 ExtraRandomBits)
                  -SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                  -SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

                  -

                  SHS: validation number 2373
                  -DRBG: validation number 489

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

                  -

                  Version 6.3.9600

                  FIPS186-2:
                  -PKG: CURVES
                  (P-256 P-384 P-521)
                  -SHS: #1903
                  -DRBG: #258
                  -SIG(ver): CURVES(P-256 P-384 P-521)
                  -SHS: #1903
                  -DRBG: #258

                  -

                  FIPS186-4:
                  -PKG: CURVES
                  (P-256 P-384 P-521 ExtraRandomBits)
                  -SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                  -SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
                  -SHS: #1903
                  -DRBG: #258
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 341.

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341

                  FIPS186-2:
                  -PKG: CURVES
                  (P-256 P-384 P-521)
                  -SHS: validation number 1773
                  -DRBG: validation number 193
                  -SIG(ver): CURVES(P-256 P-384 P-521)
                  -SHS: validation number 1773
                  -DRBG: validation number 193

                  -

                  FIPS186-4:
                  -PKG: CURVES
                  (P-256 P-384 P-521 ExtraRandomBits)
                  -SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                  -SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
                  -SHS: validation number 1773
                  -DRBG: validation number 193
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 295.

                  Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295
                  FIPS186-2:
                  -PKG: CURVES
                  (P-256 P-384 P-521)
                  -SHS: validation number 1081
                  -DRBG: validation number 23
                  -SIG(ver): CURVES(P-256 P-384 P-521)
                  -SHS: validation number 1081
                  -DRBG: validation number 23
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 142. See Historical ECDSA List validation number 141.

                  Windows Server 2008 R2 and SP1 CNG algorithms #142

                  -

                  Windows 7 Ultimate and SP1 CNG algorithms #141

                  FIPS186-2:
                  -PKG: CURVES
                  (P-256 P-384 P-521)
                  -SHS: validation number 753
                  -SIG(ver): CURVES(P-256 P-384 P-521)
                  -SHS: validation number 753
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 83. See Historical ECDSA List validation number 82.

                  Windows Server 2008 CNG algorithms #83

                  -

                  Windows Vista Ultimate SP1 CNG algorithms #82

                  FIPS186-2:
                  -PKG: CURVES
                  (P-256 P-384 P-521)
                  -SHS: validation number 618
                  -RNG: validation number 321
                  -SIG(ver): CURVES(P-256 P-384 P-521)
                  -SHS: validation number 618
                  -RNG: validation number 321
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 60.
                  Windows Vista CNG algorithms #60
                  - - -#### Keyed-Hash Message Authentication Code (HMAC) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #
                    -
                  • HMAC-SHA-1:
                  • -
                    • -
                    • Key Sizes &lt; Block Size
                    • -
                    • Key Sizes &gt; Block Size
                    • -
                    • Key Sizes = Block Size
                    • -
                  • -
                  • HMAC-SHA2-256:
                  • -
                    • -
                    • Key Sizes &lt; Block Size
                    • -
                    • Key Sizes &gt; Block Size
                    • -
                    • Key Sizes = Block Size
                    • -
                  • -
                  • HMAC-SHA2-384:
                  • -
                    • -
                    • Key Sizes &lt; Block Size
                    • -
                    • Key Sizes &gt; Block Size
                    • -
                    • Key Sizes = Block Size
                    • -
                  • -
                  -

                  Prerequisite: SHS #4011

                  Microsoft Surface Hub Virtual TPM Implementations #3271

                  -

                  Version 10.0.15063.674

                    -
                  • HMAC-SHA-1:
                  • -
                    • -
                    • Key Sizes &lt; Block Size
                    • -
                    • Key Sizes &gt; Block Size
                    • -
                    • Key Sizes = Block Size
                    • -
                  • -
                  • HMAC-SHA2-256:
                  • -
                    • -
                    • Key Sizes &lt; Block Size
                    • -
                    • Key Sizes &gt; Block Size
                    • -
                    • Key Sizes = Block Size
                    • -
                  • -
                  • HMAC-SHA2-384:
                  • -
                    • -
                    • Key Sizes &lt; Block Size
                    • -
                    • Key Sizes &gt; Block Size
                    • -
                    • Key Sizes = Block Size
                    • -
                  • -
                  -

                  Prerequisite: SHS #4009

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270

                  -

                  Version 10.0.16299

                    -
                  • HMAC-SHA-1:
                  • -
                    • -
                    • Key Sizes &lt; Block Size
                    • -
                    • Key Sizes &gt; Block Size
                    • -
                    • Key Sizes = Block Size
                    • -
                  • -
                  • HMAC-SHA2-256:
                  • -
                    • -
                    • Key Sizes &lt; Block Size
                    • -
                    • Key Sizes &gt; Block Size
                    • -
                    • Key Sizes = Block Size
                    • -
                  • -
                  • HMAC-SHA2-384:
                  • -
                    • -
                    • Key Sizes &lt; Block Size
                    • -
                    • Key Sizes &gt; Block Size
                    • -
                    • Key Sizes = Block Size
                    • -
                  • -
                  • HMAC-SHA2-512:
                  • -
                    • -
                    • Key Sizes &lt; Block Size
                    • -
                    • Key Sizes &gt; Block Size
                    • -
                    • Key Sizes = Block Size
                    • -
                  • -
                  -

                  Prerequisite: SHS #4011

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #3269

                  -

                  Version 10.0.15063.674

                    -
                  • HMAC-SHA-1:
                  • -
                    • -
                    • Key Sizes &lt; Block Size
                    • -
                    • Key Sizes &gt; Block Size
                    • -
                    • Key Sizes = Block Size
                    • -
                  • -
                  • HMAC-SHA2-256:
                  • -
                    • -
                    • Key Sizes &lt; Block Size
                    • -
                    • Key Sizes &gt; Block Size
                    • -
                    • Key Sizes = Block Size
                    • -
                  • -
                  • HMAC-SHA2-384:
                  • -
                    • -
                    • Key Sizes &lt; Block Size
                    • -
                    • Key Sizes &gt; Block Size
                    • -
                    • Key Sizes = Block Size
                    • -
                  • -
                  • HMAC-SHA2-512:
                  • -
                    • -
                    • Key Sizes &lt; Block Size
                    • -
                    • Key Sizes &gt; Block Size
                    • -
                    • Key Sizes = Block Size
                    • -
                  • -
                  -

                  Prerequisite: SHS #4010

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #3268

                  -

                  Version 10.0.15254

                    -
                  • HMAC-SHA-1:
                  • -
                    • -
                    • Key Sizes &lt; Block Size
                    • -
                    • Key Sizes &gt; Block Size
                    • -
                    • Key Sizes = Block Size
                    • -
                  • -
                  • HMAC-SHA2-256:
                  • -
                    • -
                    • Key Sizes &lt; Block Size
                    • -
                    • Key Sizes &gt; Block Size
                    • -
                    • Key Sizes = Block Size
                    • -
                  • -
                  • HMAC-SHA2-384:
                  • -
                    • -
                    • Key Sizes &lt; Block Size
                    • -
                    • Key Sizes &gt; Block Size
                    • -
                    • Key Sizes = Block Size
                    • -
                  • -
                  • HMAC-SHA2-512:
                  • -
                    • -
                    • Key Sizes &lt; Block Size
                    • -
                    • Key Sizes &gt; Block Size
                    • -
                    • Key Sizes = Block Size
                    • -
                  • -
                  -

                  Prerequisite: SHS #4009

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267

                  -

                  Version 10.0.16299

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3790

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3790

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3790

                  Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062

                  -

                  Version 10.0.15063

                  HMAC-SHA1(Key Sizes Ranges Tested: KSBS) SHS validation number 3790

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3790

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3790

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 3790

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061

                  -

                  Version 10.0.15063

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3652

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3652

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3652

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3652

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946

                  -

                  Version 7.00.2872

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3651

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3651

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3651

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3651

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945

                  -

                  Version 8.00.6246

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3649

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3649

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3649

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3649

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943

                  -

                  Version 7.00.2872

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3648

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3648

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3648

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3648

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942

                  -

                  Version 8.00.6246

                  HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
                  -SHS validation number 3347

                  -

                  HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
                  -SHS validation number 3347

                  -

                  HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
                  -SHS validation number 3347

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

                  -

                  Version 10.0.14393

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3347

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3347

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3347

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 3347

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651

                  -

                  Version 10.0.14393

                  HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
                  -SHS validation number 3047

                  -

                  HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
                  -SHS validation number 3047

                  -

                  HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
                  -SHS validation number 3047

                  -

                  HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
                  -SHS validation number 3047

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381

                  -

                  Version 10.0.10586

                  HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
                  -SHSvalidation number 2886

                  -

                  HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
                  -SHSvalidation number 2886

                  -

                  HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
                  - SHSvalidation number 2886

                  -

                  HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
                  -SHSvalidation number 2886

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233

                  -

                  Version 10.0.10240

                  HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
                  -SHS validation number 2373

                  -

                  HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
                  -SHS validation number 2373

                  -

                  HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
                  -SHS validation number 2373

                  -

                  HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
                  -SHS validation number 2373

                  Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

                  -

                  Version 6.3.9600

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 2764

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 2764

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 2764

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 2764

                  Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122

                  -

                  Version 5.2.29344

                  HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KS#1902

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS#1902

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS#1902

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS#1902

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS#1902

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)

                  -

                  SHS#1903

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS)

                  -

                  SHS#1903

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS)

                  -

                  SHS#1903

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS)

                  -

                  SHS#1903

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1773

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773

                  -

                  Tinker HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773

                  Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1774

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774

                  Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1081

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081

                  Windows Server 2008 R2 and SP1 CNG algorithms #686

                  -

                  Windows 7 and SP1 CNG algorithms #677

                  -

                  Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687

                  -

                  Windows 7 Enhanced Cryptographic Provider (RSAENH) #673

                  HMAC-SHA1(Key Sizes Ranges Tested: KSvalidation number 1081

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 1081

                  Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 816

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 816

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 816

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 816

                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 753

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 753

                  Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 753

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS)SHS validation number 753

                  Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408

                  -

                  Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)SHSvalidation number 618

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

                  Windows Vista Enhanced Cryptographic Provider (RSAENH) #297
                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 785

                  Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429

                  -

                  Windows XP, vendor-affirmed

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 783

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 783

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 783

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 783

                  Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 613

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 613

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 613

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 613

                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289
                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 610Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 753

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

                  Windows Server 2008 CNG algorithms #413

                  -

                  Windows Vista Ultimate SP1 CNG algorithms #412

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 737

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 737

                  Windows Vista Ultimate BitLocker Drive Encryption #386

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 618

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

                  Windows Vista CNG algorithms #298

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 589

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS)SHSvalidation number 589

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 589

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 589

                  Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 578

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 578

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 578

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 578

                  Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 495

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 495

                  Windows Vista BitLocker Drive Encryption #199
                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 364

                  Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99

                  -

                  Windows XP, vendor-affirmed

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 305

                  -

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 305

                  -

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 305

                  -

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 305

                  Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31
                  - - -#### Key Agreement Scheme (KAS) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #
                    -
                  • KAS ECC:
                  • -
                    • -
                    • Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
                    • -
                    • Schemes:
                    • -
                      • -
                      • Full Unified:
                      • -
                        • -
                        • Key Agreement Roles: Initiator, Responder
                        • -
                        • KDFs: Concatenation
                        • -
                        • Parameter Sets:
                        • -
                          • -
                          • EC:
                          • -
                            • -
                            • Curve: P-256
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • ED:
                          • -
                            • -
                            • Curve: P-384
                            • -
                            • SHA: SHA-384
                            • -
                            • MAC: HMAC
                            • -
                          • -
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4011, ECDSA #1253, DRBG #1734

                  Microsoft Surface Hub Virtual TPM Implementations #150

                  -

                  Version 10.0.15063.674

                    -
                  • KAS ECC:
                  • -
                    • -
                    • Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
                    • -
                    • Schemes:
                    • -
                      • -
                      • Full Unified:
                      • -
                        • -
                        • Key Agreement Roles: Initiator, Responder
                        • -
                        • KDFs: Concatenation
                        • -
                        • Parameter Sets:
                        • -
                          • -
                          • EC:
                          • -
                            • -
                            • Curve: P-256
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • ED:
                          • -
                            • -
                            • Curve: P-384
                            • -
                            • SHA: SHA-384
                            • -
                            • MAC: HMAC
                            • -
                          • -
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4009, ECDSA #1252, DRBG #1733

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149

                  -

                  Version 10.0.16299

                    -
                  • KAS ECC:
                  • -
                    • -
                    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
                    • -
                    • Schemes:
                    • -
                      • -
                      • Ephemeral Unified:
                      • -
                        • -
                        • Key Agreement Roles: Initiator, Responder
                        • -
                        • KDFs: Concatenation
                        • -
                        • Parameter Sets:
                        • -
                          • -
                          • EC:
                          • -
                            • -
                            • Curve: P-256
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • ED:
                          • -
                            • -
                            • Curve: P-384
                            • -
                            • SHA: SHA-384
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • EE:
                          • -
                            • -
                            • Curve: P-521
                            • -
                            • SHA: SHA-512
                            • -
                            • MAC: HMAC
                            • -
                          • -
                        • -
                      • -
                      • One-Pass DH:
                      • -
                        • -
                        • Key Agreement Roles: Initiator, Responder
                        • -
                        • Parameter Sets:
                        • -
                          • -
                          • EC:
                          • -
                            • -
                            • Curve: P-256
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • ED:
                          • -
                            • -
                            • Curve: P-384
                            • -
                            • SHA: SHA-384
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • EE:
                          • -
                            • -
                            • Curve: P-521
                            • -
                            • SHA: SHA-512
                            • -
                            • MAC: HMAC
                            • -
                          • -
                        • -
                      • -
                      • Static Unified:
                      • -
                        • -
                        • Key Agreement Roles: Initiator, Responder
                        • -
                        • Parameter Sets:
                        • -
                          • -
                          • EC:
                          • -
                            • -
                            • Curve: P-256
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • ED:
                          • -
                            • -
                            • Curve: P-384
                            • -
                            • SHA: SHA-384
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • EE:
                          • -
                            • -
                            • Curve: P-521
                            • -
                            • SHA: SHA-512
                            • -
                            • MAC: HMAC
                            • -
                          • -
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4011, ECDSA #1250, DRBG #1732

                  -
                    -
                  • KAS FFC:
                  • -
                    • -
                    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
                    • -
                    • Schemes:
                    • -
                      • -
                      • dhEphem:
                      • -
                        • -
                        • Key Agreement Roles: Initiator, Responder
                        • -
                        • Parameter Sets:
                        • -
                          • -
                          • FB:
                          • -
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • FC:
                          • -
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                        • -
                      • -
                      • dhOneFlow:
                      • -
                        • -
                        • Key Agreement Roles: Initiator, Responder
                        • -
                        • Parameter Sets:
                        • -
                          • -
                          • FB:
                          • -
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • FC:
                          • -
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                        • -
                      • -
                      • dhStatic:
                      • -
                        • -
                        • Key Agreement Roles: Initiator, Responder
                        • -
                        • Parameter Sets:
                        • -
                          • -
                          • FB:
                          • -
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • FC:
                          • -
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4011, DSA #1303, DRBG #1732

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #148

                  -

                  Version 10.0.15063.674

                    -
                  • KAS ECC:
                  • -
                    • -
                    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
                    • -
                    • Schemes:
                    • -
                      • -
                      • Ephemeral Unified:
                      • -
                        • -
                        • Key Agreement Roles: Initiator, Responder
                        • -
                        • KDFs: Concatenation
                        • -
                        • Parameter Sets:
                        • -
                          • -
                          • EC:
                          • -
                            • -
                            • Curve: P-256
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • ED:
                          • -
                            • -
                            • Curve: P-384
                            • -
                            • SHA: SHA-384
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • EE:
                          • -
                            • -
                            • Curve: P-521
                            • -
                            • SHA: SHA-512
                            • -
                            • MAC: HMAC
                            • -
                          • -
                        • -
                      • -
                      • One-Pass DH:
                      • -
                        • -
                        • Key Agreement Roles: Initiator, Responder
                        • -
                        • Parameter Sets:
                        • -
                          • -
                          • EC:
                          • -
                            • -
                            • Curve: P-256
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • ED:
                          • -
                            • -
                            • Curve: P-384
                            • -
                            • SHA: SHA-384
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • EE:
                          • -
                            • -
                            • Curve: P-521
                            • -
                            • SHA: SHA-512
                            • -
                            • MAC: HMAC
                            • -
                          • -
                        • -
                      • -
                      • Static Unified:
                      • -
                        • -
                        • Key Agreement Roles: Initiator, Responder
                        • -
                        • Parameter Sets:
                        • -
                          • -
                          • EC:
                          • -
                            • -
                            • Curve: P-256
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • ED:
                          • -
                            • -
                            • Curve: P-384
                            • -
                            • SHA: SHA-384
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • EE:
                          • -
                            • -
                            • Curve: P-521
                            • -
                            • SHA: SHA-512
                            • -
                            • MAC: HMAC
                            • -
                          • -
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4010, ECDSA #1249, DRBG #1731

                  -
                    -
                  • KAS FFC:
                  • -
                    • -
                    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
                    • -
                    • Schemes:
                    • -
                      • -
                      • dhEphem:
                      • -
                        • -
                        • Key Agreement Roles: Initiator, Responder
                        • -
                        • Parameter Sets:
                        • -
                          • -
                          • FB:
                          • -
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • FC:
                          • -
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                        • -
                      • -
                      • dhOneFlow:
                      • -
                        • -
                        • Key Agreement Roles: Initiator, Responder
                        • -
                        • Parameter Sets:
                        • -
                          • -
                          • FB:
                          • -
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • FC:
                          • -
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                        • -
                      • -
                      • dhStatic:
                      • -
                        • -
                        • Key Agreement Roles: Initiator, Responder
                        • -
                        • Parameter Sets:
                        • -
                          • -
                          • FB:
                          • -
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • FC:
                          • -
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4010, DSA #1302, DRBG #1731

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #147

                  -

                  Version 10.0.15254

                    -
                  • KAS ECC:
                  • -
                    • -
                    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
                    • -
                    • Schemes:
                    • -
                      • -
                      • Ephemeral Unified:
                      • -
                        • -
                        • Key Agreement Roles: Initiator, Responder
                        • -
                        • KDFs: Concatenation
                        • -
                        • Parameter Sets:
                        • -
                          • -
                          • EC:
                          • -
                            • -
                            • Curve: P-256
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • ED:
                          • -
                            • -
                            • Curve: P-384
                            • -
                            • SHA: SHA-384
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • EE:
                          • -
                            • -
                            • Curve: P-521
                            • -
                            • SHA: SHA-512
                            • -
                            • MAC: HMAC
                            • -
                          • -
                        • -
                      • -
                      • One-Pass DH:
                      • -
                        • -
                        • Key Agreement Roles: Initiator, Responder
                        • -
                        • Parameter Sets:
                        • -
                          • -
                          • EC:
                          • -
                            • -
                            • Curve: P-256
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • ED:
                          • -
                            • -
                            • Curve: P-384
                            • -
                            • SHA: SHA-384
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • EE:
                          • -
                            • -
                            • Curve: P-521
                            • -
                            • SHA: SHA-512
                            • -
                            • MAC: HMAC
                            • -
                          • -
                        • -
                      • -
                      • Static Unified:
                      • -
                        • -
                        • Key Agreement Roles: Initiator, Responder
                        • -
                        • Parameter Sets:
                        • -
                          • -
                          • EC:
                          • -
                            • -
                            • Curve: P-256
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • ED:
                          • -
                            • -
                            • Curve: P-384
                            • -
                            • SHA: SHA-384
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • EE:
                          • -
                            • -
                            • Curve: P-521
                            • -
                            • SHA: SHA-512
                            • -
                            • MAC: HMAC
                            • -
                          • -
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4009, ECDSA #1246, DRBG #1730

                  -
                    -
                  • KAS FFC:
                  • -
                    • -
                    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
                    • -
                    • Schemes:
                    • -
                      • -
                      • dhEphem:
                      • -
                        • -
                        • Key Agreement Roles: Initiator, Responder
                        • -
                        • Parameter Sets:
                        • -
                          • -
                          • FB:
                          • -
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • FC:
                          • -
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                        • -
                      • -
                      • dhOneFlow:
                      • -
                        • -
                        • Key Agreement Roles: Initiator, Responder
                        • -
                        • Parameter Sets:
                        • -
                          • -
                          • FB:
                          • -
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • FC:
                          • -
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                        • -
                      • -
                      • dhStatic:
                      • -
                        • -
                        • Key Agreement Roles: Initiator, Responder
                        • -
                        • Parameter Sets:
                        • -
                          • -
                          • FB:
                          • -
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                          • FC:
                          • -
                            • -
                            • SHA: SHA-256
                            • -
                            • MAC: HMAC
                            • -
                          • -
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4009, DSA #1301, DRBG #1730

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146

                  -

                  Version 10.0.16299

                  ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration) SCHEMES [FullUnified (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC)]

                  -

                  SHS validation number 3790
                  -DSA validation number 1135
                  -DRBG validation number 1556

                  Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128

                  -

                  Version 10.0.15063

                  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder)
                  -(FB: SHA256) (FC: SHA256)]
                  -[dhOneFlow (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC &lt; KARole(s): Initiator / Responder&gt;) (FB: SHA256 HMAC) (FC: SHA256   HMAC)]
                  -SHS validation number 3790
                  -DSA validation number 1223
                  -DRBG validation number 1555

                  -

                  ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [EphemeralUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
                  -[OnePassDH (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
                  -[StaticUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
                  -
                  -SHS validation number 3790
                  -ECDSA validation number 1133
                  -DRBG validation number 1555

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127

                  -

                  Version 10.0.15063

                  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder)
                  -(FB: SHA256) (FC: SHA256)]
                  -[dhOneFlow (KARole(s): Initiator / Responder) (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC &lt; KARole(s): Initiator / Responder&gt;) (FB: SHA256 HMAC) (FC: SHA256   HMAC)]
                  -SHS validation number 3649
                  -DSA validation number 1188
                  -DRBG validation number 1430

                  -

                  ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES [EphemeralUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
                  -[OnePassDH (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
                  -[StaticUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115

                  -

                  Version 7.00.2872

                  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder)
                  -(FB: SHA256) (FC: SHA256)]
                  -[dhHybridOneFlow (No_KC &lt; KARole(s): Initiator / Responder&gt;) (FB:SHA256 HMAC) (FC: SHA256   HMAC)]
                  -[dhStatic (No_KC &lt; KARole(s): Initiator / Responder&gt;) (FB:SHA256 HMAC) (FC: SHA256   HMAC)]
                  -SHS validation number 3648
                  -DSA validation number 1187
                  -DRBG validation number 1429

                  -

                  ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES [EphemeralUnified (No_KC) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
                  -[OnePassDH (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
                  -[StaticUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
                  -
                  -SHS validation number 3648
                  -ECDSA validation number 1072
                  -DRBG validation number 1429

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114

                  -

                  Version 8.00.6246

                  ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration)
                  -SCHEMES  [FullUnified  (No_KC  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC)]

                  -

                  SHS validation number 3347 ECDSA validation number 920 DRBG validation number 1222

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

                  -

                  Version 10.0.14393

                  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation)
                  -SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)
                  -(FB: SHA256) (FC: SHA256)]
                  -[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]

                  -

                  SHS validation number 3347 DSA validation number 1098 DRBG validation number 1217

                  -

                  ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
                  -[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
                  -[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

                  -

                  SHS validation number 3347 DSA validation number 1098 ECDSA validation number 911 DRBG validation number 1217 HMAC validation number 2651

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92

                  -

                  Version 10.0.14393

                  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)
                  -(FB: SHA256) (FC: SHA256)]
                  -[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]

                  -

                  SHS validation number 3047 DSA validation number 1024 DRBG validation number 955

                  -

                  ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
                  -[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
                  -[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

                  -

                  SHS validation number 3047 ECDSA validation number 760 DRBG validation number 955

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72

                  -

                  Version 10.0.10586

                  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)
                  -(FB: SHA256) (FC: SHA256)]
                  -[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]

                  -

                  SHS validation number 2886 DSA validation number 983 DRBG validation number 868

                  -

                  ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
                  -[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
                  -[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

                  -

                  SHS validation number 2886 ECDSA validation number 706 DRBG validation number 868

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64

                  -

                  Version 10.0.10240

                  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)
                  -(FB: SHA256) (FC: SHA256)]
                  -[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]

                  -

                  SHS validation number 2373 DSA validation number 855 DRBG validation number 489

                  -

                  ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
                  -[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
                  -[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

                  -

                  SHS validation number 2373 ECDSA validation number 505 DRBG validation number 489

                  Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47

                  -

                  Version 6.3.9600

                  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder)
                  -(FA: SHA256) (FB: SHA256) (FC: SHA256)]
                  -[dhOneFlow (KARole(s): Initiator / Responder) (FA: SHA256) (FB: SHA256) (FC: SHA256)]
                  -[dhStatic (No_KC &lt; KARole(s): Initiator / Responder&gt;) (FA: SHA256 HMAC) (FB: SHA256 HMAC) (FC: SHA256 HMAC)]
                  -SHS #1903 DSA validation number 687 DRBG #258

                  -

                  ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [EphemeralUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
                  -[OnePassDH(No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256 SHA256) (ED: P-384 SHA384) (EE: P-521 (SHA512, HMAC_SHA512)))]
                  -[StaticUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
                  -
                  -SHS #1903 ECDSA validation number 341 DRBG #258

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36

                  KAS (SP 800–56A)

                  -

                  key agreement

                  -

                  key establishment methodology provides 80 bits to 256 bits of encryption strength

                  Windows 7 and SP1, vendor-affirmed

                  -

                  Windows Server 2008 R2 and SP1, vendor-affirmed

                  - - -SP 800-108 Key-Based Key Derivation Functions (KBKDF) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #
                    -
                  • Counter:
                  • -
                    • -
                    • MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
                    • -
                  • -
                  -

                  MAC prerequisite: HMAC #3271

                  -
                  -
                    -
                  • Counter Location: Before Fixed Data
                  • -
                  • R Length: 32 (bits)
                  • -
                  • SPs used to generate K: SP 800-56A, SP 800-90A
                  • -
                  -
                  -

                  K prerequisite: DRBG #1734, KAS #150

                  Microsoft Surface Hub Virtual TPM Implementations #161

                  -

                  Version 10.0.15063.674

                    -
                  • Counter:
                  • -
                    • -
                    • MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
                    • -
                  • -
                  -

                  MAC prerequisite: HMAC #3270

                  -
                  -
                    -
                  • Counter Location: Before Fixed Data
                  • -
                  • R Length: 32 (bits)
                  • -
                  • SPs used to generate K: SP 800-56A, SP 800-90A
                  • -
                  -
                  -

                  K prerequisite: DRBG #1733, KAS #149

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160

                  -

                  Version 10.0.16299

                    -
                  • Counter:
                  • -
                    • -
                    • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
                    • -
                  • -
                  -

                  MAC prerequisite: AES #4902, HMAC #3269

                  -
                  -
                    -
                  • Counter Location: Before Fixed Data
                  • -
                  • R Length: 32 (bits)
                  • -
                  • SPs used to generate K: SP 800-56A, SP 800-90A
                  • -
                  • K prerequisite: KAS #148
                  • -
                  -

                  Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #159

                  -

                  Version 10.0.15063.674

                    -
                  • Counter:
                  • -
                    • -
                    • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
                    • -
                  • -
                  -

                  MAC prerequisite: AES #4901, HMAC #3268

                  -
                  -
                    -
                  • Counter Location: Before Fixed Data
                  • -
                  • R Length: 32 (bits)
                  • -
                  • SPs used to generate K: SP 800-56A, SP 800-90A
                  • -
                  -
                  -

                  K prerequisite: KAS #147

                  Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #158

                  -

                  Version 10.0.15254

                    -
                  • Counter:
                  • -
                    • -
                    • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
                    • -
                  • -
                  -

                  MAC prerequisite: AES #4897, HMAC #3267

                  -
                  -
                    -
                  • Counter Location: Before Fixed Data
                  • -
                  • R Length: 32 (bits)
                  • -
                  • SPs used to generate K: SP 800-56A, SP 800-90A
                  • -
                  -
                  -

                  K prerequisite: KAS #146

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157

                  -

                  Version 10.0.16299

                  CTR_Mode: (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))
                  -
                  -KAS validation number 128
                  -DRBG validation number 1556
                  -MAC validation number 3062

                  Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141

                  -

                  Version 10.0.15063

                  CTR_Mode: (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))
                  -
                  -KAS validation number 127
                  -AES validation number 4624
                  -DRBG validation number 1555
                  -MAC validation number 3061

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140

                  -

                  Version 10.0.15063

                  CTR_Mode:  (Llength(Min20 Max64) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))

                  -

                  KAS validation number 93 DRBG validation number 1222 MAC validation number 2661

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

                  -

                  Version 10.0.14393

                  CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

                  -

                  KAS validation number 92 AES validation number 4064 DRBG validation number 1217 MAC validation number 2651

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101

                  -

                  Version 10.0.14393

                  CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

                  -

                  KAS validation number 72 AES validation number 3629 DRBG validation number 955 MAC validation number 2381

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72

                  -

                  Version 10.0.10586

                  CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

                  -

                  KAS validation number 64 AES validation number 3497 RBG validation number 868 MAC validation number 2233

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66

                  -

                  Version 10.0.10240

                  CTR_Mode:  (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

                  -

                  DRBG validation number 489 MAC validation number 1773

                  Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

                  -

                  Version 6.3.9600

                  CTR_Mode: (Llength(Min0 Max4) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

                  -

                  DRBG #258 HMAC validation number 1345

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3
                  - - -Random Number Generator (RNG) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #

                  FIPS 186-2 General Purpose

                  -

                  [(x-Original); (SHA-1)]

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110
                  FIPS 186-2
                  -[(x-Original); (SHA-1)]

                  Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060

                  -

                  Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292

                  -

                  Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286

                  -

                  Windows CE 5.00 and Window CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66

                  FIPS 186-2
                  -[(x-Change Notice); (SHA-1)]

                  -

                  FIPS 186-2 General Purpose
                  -[(x-Change Notice); (SHA-1)]

                  Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649

                  -

                  Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435

                  -

                  Windows Vista RNG implementation #321

                  FIPS 186-2 General Purpose
                  -[(x-Change Notice); (SHA-1)]

                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470

                  -

                  Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449

                  -

                  Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447

                  -

                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #316

                  -

                  Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313

                  FIPS 186-2
                  -[(x-Change Notice); (SHA-1)]

                  Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448

                  -

                  Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314

                  - - -#### RSA - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #

                  RSA:

                  -
                    -
                  • 186-4:
                  • -
                    • -
                    • Signature Generation PKCS1.5:
                    • -
                      • -
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
                      • -
                    • -
                    • Signature Generation PSS:
                    • -
                      • -
                      • Mod 2048:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                      • -
                    • -
                    • Signature Verification PKCS1.5:
                    • -
                      • -
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384
                      • -
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
                      • -
                    • -
                    • Signature Verification PSS:
                    • -
                      • -
                      • Mod 2048:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                      • -
                      • Mod 3072:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4011, DRBG #1734

                  Microsoft Surface Hub Virtual TPM Implementations #2677

                  -

                  Version 10.0.15063.674

                  RSA:

                  -
                    -
                  • 186-4:
                  • -
                    • -
                    • Signature Generation PKCS1.5:
                    • -
                      • -
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
                      • -
                    • -
                    • Signature Generation PSS:
                    • -
                      • -
                      • Mod 2048:
                      • -
                        • -
                        • SHA-1: Salt Length: 240 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                      • -
                    • -
                    • Signature Verification PKCS1.5:
                    • -
                      • -
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384
                      • -
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
                      • -
                    • -
                    • Signature Verification PSS:
                    • -
                      • -
                      • Mod 1024:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                      • -
                      • Mod 2048:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4009, DRBG #1733

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676

                  -

                  Version 10.0.16299

                  RSA:

                  -
                    -
                  • 186-4:
                  • -
                    • -
                    • Key Generation:
                    • -
                    • Signature Verification PKCS1.5:
                    • -
                      • -
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4011, DRBG #1732

                  Microsoft Surface Hub RSA32 Algorithm Implementations #2675

                  -

                  Version 10.0.15063.674

                  RSA:

                  -
                    -
                  • 186-4:
                  • -
                    • -
                    • Signature Verification PKCS1.5:
                    • -
                      • -
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4009, DRBG #1730

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674

                  -

                  Version 10.0.16299

                  RSA:

                  -
                    -
                  • 186-4:
                  • -
                    • -
                    • Signature Verification PKCS1.5:
                    • -
                      • -
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4010, DRBG #1731

                  Windows 10 Mobile (version 1709) RSA32 Algorithm Implementations #2673

                  -

                  Version 10.0.15254

                  RSA:

                  -
                    -
                  • 186-4:
                  • -
                    • -
                    • Key Generation:
                    • -
                      • -
                      • Public Key Exponent: Fixed (10001)
                      • -
                      • Provable Primes with Conditions:
                      • -
                        • -
                        • Mod lengths: 2048, 3072 (bits)
                        • -
                        • Primality Tests: C.3
                        • -
                      • -
                    • -
                    • Signature Generation PKCS1.5:
                    • -
                      • -
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                    • -
                    • Signature Generation PSS:
                    • -
                      • -
                      • Mod 2048:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                      • Mod 3072:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                    • -
                    • Signature Verification PKCS1.5:
                    • -
                      • -
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                    • -
                    • Signature Verification PSS:
                    • -
                      • -
                      • Mod 1024:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 496 (bits)
                        • -
                      • -
                      • Mod 2048:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                      • Mod 3072:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4011, DRBG #1732

                  Microsoft Surface Hub MsBignum Cryptographic Implementations #2672

                  -

                  Version 10.0.15063.674

                  RSA:

                  -
                    -
                  • 186-4:
                  • -
                    • -
                    • Key Generation:
                    • -
                      • -
                      • Probable Random Primes:
                      • -
                        • -
                        • Mod lengths: 2048, 3072 (bits)
                        • -
                        • Primality Tests: C.2
                        • -
                      • -
                    • -
                    • Signature Generation PKCS1.5:
                    • -
                      • -
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                    • -
                    • Signature Generation PSS:
                    • -
                      • -
                      • Mod 2048:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                      • Mod 3072:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                    • -
                    • Signature Verification PKCS1.5:
                    • -
                      • -
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                    • -
                    • Signature Verification PSS:
                    • -
                      • -
                      • Mod 1024:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 496 (bits)
                        • -
                      • -
                      • Mod 2048:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                      • Mod 3072:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4011, DRBG #1732

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #2671

                  -

                  Version 10.0.15063.674

                  RSA:

                  -
                    -
                  • 186-4:
                  • -
                    • -
                    • Key Generation:
                    • -
                      • -
                      • Probable Random Primes:
                      • -
                        • -
                        • Mod lengths: 2048, 3072 (bits)
                        • -
                        • Primality Tests: C.2
                        • -
                      • -
                    • -
                    • Signature Generation PKCS1.5:
                    • -
                      • -
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                    • -
                    • Signature Generation PSS:
                    • -
                      • -
                      • Mod 2048:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                      • Mod 3072:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                    • -
                    • Signature Verification PKCS1.5:
                    • -
                      • -
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                    • -
                    • Signature Verification PSS:
                    • -
                      • -
                      • Mod 1024:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 496 (bits)
                        • -
                      • -
                      • Mod 2048:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                      • Mod 3072:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4010, DRBG #1731

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2670

                  -

                  Version 10.0.15254

                  RSA:

                  -
                    -
                  • 186-4:
                  • -
                    • -
                    • Key Generation:
                    • -
                      • -
                      • Public Key Exponent: Fixed (10001)
                      • -
                      • Provable Primes with Conditions:
                      • -
                        • -
                        • Mod lengths: 2048, 3072 (bits)
                        • -
                        • Primality Tests: C.3
                        • -
                      • -
                    • -
                    • Signature Generation PKCS1.5:
                    • -
                      • -
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                    • -
                    • Signature Generation PSS:
                    • -
                      • -
                      • Mod 2048:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                      • Mod 3072:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                    • -
                    • Signature Verification PKCS1.5:
                    • -
                      • -
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                    • -
                    • Signature Verification PSS:
                    • -
                      • -
                      • Mod 1024:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 496 (bits)
                        • -
                      • -
                      • Mod 2048:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                      • Mod 3072:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4010, DRBG #1731

                  Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #2669

                  -

                  Version 10.0.15254

                    -
                  • 186-4:
                  • -
                    • -
                    • Key Generation:
                    • -
                      • -
                      • Public Key Exponent: Fixed (10001)
                      • -
                      • Provable Primes with Conditions:
                      • -
                        • -
                        • Mod lengths: 2048, 3072 (bits)
                        • -
                        • Primality Tests: C.3
                        • -
                      • -
                    • -
                    • Signature Generation PKCS1.5:
                    • -
                      • -
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                    • -
                    • Signature Generation PSS:
                    • -
                      • -
                      • Mod 2048:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                      • Mod 3072:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                    • -
                    • Signature Verification PKCS1.5:
                    • -
                      • -
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                    • -
                    • Signature Verification PSS:
                    • -
                      • -
                      • Mod 1024:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 496 (bits)
                        • -
                      • -
                      • Mod 2048:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                      • Mod 3072:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4009, DRBG #1730

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668

                  -

                  Version 10.0.16299

                    -
                  • 186-4:
                  • -
                    • -
                    • Key Generation:
                    • -
                      • -
                      • Probable Random Primes:
                      • -
                        • -
                        • Mod lengths: 2048, 3072 (bits)
                        • -
                        • Primality Tests: C.2
                        • -
                      • -
                    • -
                    • Signature Generation PKCS1.5:
                    • -
                      • -
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                    • -
                    • Signature Generation PSS:
                    • -
                      • -
                      • Mod 2048:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                      • Mod 3072:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                    • -
                    • Signature Verification PKCS1.5:
                    • -
                      • -
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • -
                    • -
                    • Signature Verification PSS:
                    • -
                      • -
                      • Mod 1024:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 496 (bits)
                        • -
                      • -
                      • Mod 2048:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                      • Mod 3072:
                      • -
                        • -
                        • SHA-1: Salt Length: 160 (bits)
                        • -
                        • SHA-256: Salt Length: 256 (bits)
                        • -
                        • SHA-384: Salt Length: 384 (bits)
                        • -
                        • SHA-512: Salt Length: 512 (bits)
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4009, DRBG #1730

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667

                  -

                  Version 10.0.16299

                  FIPS186-4:
                  -ALG[RSASSA-PKCS1_V1_5]
                  SIG(gen) (2048 SHA(1, 256, 384)) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  -
                  SIG(Ver) (1024 SHA(1, 256, 384)) (2048 SHA(1, 256, 384))
                  -[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  -
                  Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48)))
                  -SHA validation number 3790

                  Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524

                  -

                  Version 10.0.15063

                  FIPS186-4:
                  -ALG[RSASSA-PKCS1_V1_5]
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
                  -SHA validation number 3790

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523

                  -

                  Version 10.0.15063

                  FIPS186-4:
                  -186-4KEY(gen):
                  FIPS186-4_Fixed_e (10001);
                  -PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)
                  -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  -
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
                  -[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  -
                  Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
                  -SHA validation number 3790
                  -DRBG: validation number 1555

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522

                  -

                  Version 10.0.15063

                  FIPS186-4:
                  -186-4KEY(gen):
                  -PGM(ProbRandom:
                  (2048, 3072) PPTT:(C.2)
                  -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  -
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
                  -[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  -
                  Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
                  -SHA validation number 3790

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521

                  -

                  Version 10.0.15063

                  FIPS186-2:
                  -ALG[ANSIX9.31]:

                  -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3652
                  -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256validation number 3652, SHA-384validation number 3652, SHA-512validation number 3652
                  -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3652, SHA-256validation number 3652, SHA-384validation number 3652, SHA-512validation number 3652

                  -

                  FIPS186-4:
                  -ALG[ANSIX9.31]
                  Sig(Gen): (2048 SHA(1)) (3072 SHA(1))
                  -SIG(gen) with SHA-1 affirmed for use with protocols only.
                  Sig(Ver): (1024 SHA(1)) (2048 SHA(1)) (3072 SHA(1))
                  -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  -
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
                  -SHA validation number 3652

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415

                  -

                  Version 7.00.2872

                  FIPS186-2:
                  -ALG[ANSIX9.31]:

                  -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3651
                  -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256validation number 3651, SHA-384validation number 3651, SHA-512validation number 3651
                  -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3651, SHA-256validation number 3651, SHA-384validation number 3651, SHA-512validation number 3651

                  -

                  FIPS186-4:
                  -ALG[ANSIX9.31]
                  Sig(Gen): (2048 SHA(1)) (3072 SHA(1))
                  -SIG(gen) with SHA-1 affirmed for use with protocols only.
                  Sig(Ver): (1024 SHA(1)) (2048 SHA(1)) (3072 SHA(1))
                  -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  -
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
                  -SHA validation number 3651

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414

                  -

                  Version 8.00.6246

                  FIPS186-2:
                  -ALG[RSASSA-PKCS1_V1_5]:
                  SIG(gen) 4096, SHS: SHA-256validation number 3649, SHA-384validation number 3649, SHA-512validation number 3649
                  -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3649, SHA-256validation number 3649, SHA-384validation number 3649, SHA-512validation number 3649

                  -

                  FIPS186-4:
                  -186-4KEY(gen):
                  FIPS186-4_Fixed_e (10001);
                  -PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
                  -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  -
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
                  -SHA validation number 3649
                  -DRBG: validation number 1430

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412

                  -

                  Version 7.00.2872

                  FIPS186-2:
                  -ALG[RSASSA-PKCS1_V1_5]:
                  SIG(gen) 4096, SHS: SHA-256validation number 3648, SHA-384validation number 3648, SHA-512validation number 3648
                  -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3648, SHA-256validation number 3648, SHA-384validation number 3648, SHA-512validation number 3648

                  -

                  FIPS186-4:
                  -186-4KEY(gen):
                  FIPS186-4_Fixed_e (10001);
                  -PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
                  -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  -
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
                  -SHA validation number 3648
                  -DRBG: validation number 1429

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411

                  -

                  Version 8.00.6246

                  FIPS186-4:
                  -ALG[RSASSA-PKCS1_V1_5]
                  SIG(gen) (2048 SHA(1, 256, 384)) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  -SIG(Ver) (1024 SHA(1, 256, 384)) (2048 SHA(1, 256, 384))
                  -[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  -Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48)))

                  -

                  SHA validation number 3347

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

                  -

                  Version 10.0.14393

                  FIPS186-4:
                  -186-4KEY(gen):
                  FIPS186-4_Fixed_e (10001);
                  -PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

                  -

                  SHA validation number 3347 DRBG: validation number 1217

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195

                  -

                  Version 10.0.14393

                  FIPS186-4:
                  -ALG[RSASSA-PKCS1_V1_5]
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

                  -

                  SHA validation number 3346

                  soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194

                  -

                  Version 10.0.14393

                  FIPS186-4:
                  -ALG[RSASSA-PKCS1_V1_5]
                  SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
                  -SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

                  -

                  SHA validation number 3347 DRBG: validation number 1217

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193

                  -

                  Version 10.0.14393

                  FIPS186-4:
                  -[RSASSA-PSS]: Sig(Gen):
                  (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

                  -

                  Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

                  -

                  SHA validation number 3347 DRBG: validation number 1217

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192

                  -

                  Version 10.0.14393

                  FIPS186-4:
                  -186-4KEY(gen)
                  :  FIPS186-4_Fixed_e (10001);
                  -PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

                  -

                  SHA validation number 3047 DRBG: validation number 955

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889

                  -

                  Version 10.0.10586

                  FIPS186-4:
                  -ALG[RSASSA-PKCS1_V1_5]
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

                  -

                  SHA validation number 3048

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871

                  -

                  Version 10.0.10586

                  FIPS186-4:
                  -ALG[RSASSA-PKCS1_V1_5]
                  SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
                  -SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

                  -

                  SHA validation number 3047

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888

                  -

                  Version 10.0.10586

                  FIPS186-4:
                  -[RSASSA-PSS]: Sig(Gen)
                  : (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
                  -Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

                  -

                  SHA validation number 3047

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887

                  -

                  Version 10.0.10586

                  FIPS186-4:
                  -186-4KEY(gen):
                  FIPS186-4_Fixed_e (10001);
                  -PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

                  -

                  SHA validation number 2886 DRBG: validation number 868

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798

                  -

                  Version 10.0.10240

                  FIPS186-4:
                  -ALG[RSASSA-PKCS1_V1_5]
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

                  -

                  SHA validation number 2871

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784

                  -

                  Version 10.0.10240

                  FIPS186-4:
                  -ALG[RSASSA-PKCS1_V1_5]
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

                  -

                  SHA validation number 2871

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783

                  -

                  Version 10.0.10240

                  FIPS186-4:
                  -[RSASSA-PSS]:
                  Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
                  -Sig(Ver): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

                  -

                  SHA validation number 2886

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802

                  -

                  Version 10.0.10240

                  FIPS186-4:
                  -186-4KEY(gen):
                  FIPS186-4_Fixed_e;
                  -PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

                  -

                  SHA validation number 2373 DRBG: validation number 489

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

                  -

                  Version 6.3.9600

                  FIPS186-4:
                  -ALG[RSASSA-PKCS1_V1_5]
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

                  -

                  SHA validation number 2373

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494

                  -

                  Version 6.3.9600

                  FIPS186-4:
                  -ALG[RSASSA-PKCS1_V1_5
                  ] SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
                  -SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

                  -

                  SHA validation number 2373

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

                  -

                  Version 6.3.9600

                  FIPS186-4:
                  -[RSASSA-PSS]:
                  Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
                  - Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

                  -

                  SHA validation number 2373

                  Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

                  -

                  Version 6.3.9600

                  FIPS186-4:
                  -ALG[RSASSA-PKCS1_V1_5]
                  SIG(gen) (2048 SHA(256, 384, 512-256)) (3072 SHA(256, 384, 512-256))
                  -SIG(Ver) (1024 SHA(1, 256, 384, 512-256)) (2048 SHA(1, 256, 384, 512-256)) (3072 SHA(1, 256, 384, 512-256))
                  -[RSASSA-PSS]: Sig(Gen): (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
                  -Sig(Ver): (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512, 512))
                  -SHA #1903

                  -

                  Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1134.

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134
                  FIPS186-4:
                  -186-4KEY(gen):
                  FIPS186-4_Fixed_e, FIPS186-4_Fixed_e_Value
                  -PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)
                  -SHA #1903 DRBG: #258
                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133
                  FIPS186-2:
                  -ALG[ANSIX9.31]:
                  Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: #258
                  -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
                  -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1132.
                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132
                  FIPS186-2:
                  -ALG[ANSIX9.31]:

                  -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1774
                  -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1774, SHA-384validation number 1774, SHA-512validation number 1774,
                  -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1774, SHA-256validation number 1774, SHA-384validation number 1774, SHA-512validation number 1774,
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1052.
                  Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052
                  FIPS186-2:
                  -ALG[ANSIX9.31]:
                  Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: validation number 193
                  -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1773, SHA-384validation number 1773, SHA-512validation number 1773,
                  -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1773, SHA-256validation number 1773, SHA-384validation number 1773, SHA-512validation number 1773,
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1051.
                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051
                  FIPS186-2:
                  -ALG[RSASSA-PKCS1_V1_5]:
                  SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
                  -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 568.
                  Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568
                  FIPS186-2:
                  -ALG[RSASSA-PKCS1_V1_5]:
                  SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
                  -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
                  -ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081
                  -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 567. See Historical RSA List validation number 560.

                  Windows Server 2008 R2 and SP1 CNG algorithms #567

                  -

                  Windows 7 and SP1 CNG algorithms #560

                  FIPS186-2:
                  -ALG[ANSIX9.31]:
                  Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: validation number 23
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 559.
                  Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559
                  FIPS186-2:
                  -ALG[RSASSA-PKCS1_V1_5]:
                  SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
                  -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 557.
                  Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557
                  FIPS186-2:
                  -ALG[ANSIX9.31]:
                  -ALG[RSASSA-PKCS1_V1_5]:
                  SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 816, SHA-384validation number 816, SHA-512validation number 816,
                  -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 816, SHA-256validation number 816, SHA-384validation number 816, SHA-512validation number 816,
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 395.
                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395
                  FIPS186-2:
                  -ALG[ANSIX9.31]:

                  -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 783
                  -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 783, SHA-384validation number 783, SHA-512validation number 783,
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 371.
                  Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371
                  FIPS186-2:
                  -ALG[RSASSA-PKCS1_V1_5]:
                  SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
                  -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
                  -ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753
                  -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 358. See Historical RSA List validation number 357.

                  Windows Server 2008 CNG algorithms #358

                  -

                  Windows Vista SP1 CNG algorithms #357

                  FIPS186-2:
                  -ALG[ANSIX9.31]:

                  -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753
                  -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
                  -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 355. See Historical RSA List validation number 354.

                  Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355

                  -

                  Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354

                  FIPS186-2:
                  -ALG[ANSIX9.31]:
                  Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 353.
                  Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353
                  FIPS186-2:
                  -ALG[ANSIX9.31]:
                  Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 RNG: validation number 321
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 258.
                  Windows Vista RSA key generation implementation #258
                  FIPS186-2:
                  -ALG[RSASSA-PKCS1_V1_5]:
                  SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
                  -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
                  -ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618
                  -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 257.
                  Windows Vista CNG algorithms #257
                  FIPS186-2:
                  -ALG[RSASSA-PKCS1_V1_5]:
                  SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
                  -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 255.
                  Windows Vista Enhanced Cryptographic Provider (RSAENH) #255
                  FIPS186-2:
                  -ALG[ANSIX9.31]:

                  -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 613
                  -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 613, SHA-384validation number 613, SHA-512validation number 613,
                  -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 613, SHA-256validation number 613, SHA-384validation number 613, SHA-512validation number 613,
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 245.
                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245
                  FIPS186-2:
                  -ALG[ANSIX9.31]:

                  -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 589
                  -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 589, SHA-384validation number 589, SHA-512validation number 589,
                  -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 589, SHA-256validation number 589, SHA-384validation number 589, SHA-512validation number 589,
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 230.
                  Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230
                  FIPS186-2:
                  -ALG[ANSIX9.31]:

                  -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 578
                  -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 578, SHA-384validation number 578, SHA-512validation number 578,
                  -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 578, SHA-256validation number 578, SHA-384validation number 578, SHA-512validation number 578,
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 222.
                  Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222
                  FIPS186-2:
                  -ALG[RSASSA-PKCS1_V1_5]:

                  -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 364
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 81.
                  Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81
                  FIPS186-2:
                  -ALG[ANSIX9.31]:

                  -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 305
                  -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 305, SHA-384validation number 305, SHA-512validation number 305,
                  -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 305, SHA-256validation number 305, SHA-384validation number 305, SHA-512validation number 305,
                  -Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 52.
                  Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52

                  FIPS186-2:

                  -

                  – PKCS#1 v1.5, signature generation, and verification

                  -

                  – Mod sizes: 1024, 1536, 2048, 3072, 4096

                  -

                  – SHS: SHA–1/256/384/512

                  Windows XP, vendor-affirmed

                  -

                  Windows 2000, vendor-affirmed

                  - - -#### Secure Hash Standard (SHS) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #
                    -
                  • SHA-1:
                  • -
                    • -
                    • Supports Empty Message
                    • -
                  • -
                  • SHA-256:
                  • -
                    • -
                    • Supports Empty Message
                    • -
                  • -
                  • SHA-384:
                  • -
                    • -
                    • Supports Empty Message
                    • -
                  • -
                  • SHA-512:
                  • -
                    • -
                    • Supports Empty Message
                    • -
                  • -

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #4011

                  -

                  Version 10.0.15063.674

                    -
                  • SHA-1:
                  • -
                    • -
                    • Supports Empty Message
                    • -
                  • -
                  • SHA-256:
                  • -
                    • -
                    • Supports Empty Message
                    • -
                  • -
                  • SHA-384:
                  • -
                    • -
                    • Supports Empty Message
                    • -
                  • -
                  • SHA-512:
                  • -
                    • -
                    • Supports Empty Message
                    • -
                  • -

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4010

                  -

                  Version 10.0.15254

                    -
                  • SHA-1:
                  • -
                    • -
                    • Supports Empty Message
                    • -
                  • -
                  • SHA-256:
                  • -
                    • -
                    • Supports Empty Message
                    • -
                  • -
                  • SHA-384:
                  • -
                    • -
                    • Supports Empty Message
                    • -
                  • -
                  • SHA-512:
                  • -
                    • -
                    • Supports Empty Message
                    • -
                  • -

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009

                  -

                  Version 10.0.16299

                  SHA-1      (BYTE-only)
                  -SHA-256  (BYTE-only)
                  -SHA-384  (BYTE-only)
                  -SHA-512  (BYTE-only)

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790

                  -

                  Version 10.0.15063

                  SHA-1      (BYTE-only)
                  -SHA-256  (BYTE-only)
                  -SHA-384  (BYTE-only)
                  -SHA-512  (BYTE-only)

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652

                  -

                  Version 7.00.2872

                  SHA-1      (BYTE-only)
                  -SHA-256  (BYTE-only)
                  -SHA-384  (BYTE-only)
                  -SHA-512  (BYTE-only)

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651

                  -

                  Version 8.00.6246

                  SHA-1      (BYTE-only)
                  -SHA-256  (BYTE-only)
                  -SHA-384  (BYTE-only)
                  -SHA-512  (BYTE-only)

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649

                  -

                  Version 7.00.2872

                  SHA-1      (BYTE-only)
                  -SHA-256  (BYTE-only)
                  -SHA-384  (BYTE-only)
                  -SHA-512  (BYTE-only)

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648

                  -

                  Version 8.00.6246

                  SHA-1 (BYTE-only)
                  -SHA-256 (BYTE-only)
                  -SHA-384 (BYTE-only)
                  -SHA-512 (BYTE-only)
                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
                  -Version 10.0.14393
                  SHA-1 (BYTE-only)
                  -SHA-256 (BYTE-only)
                  -SHA-384 (BYTE-only)
                  -SHA-512 (BYTE-only)
                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
                  -Version 10.0.14393
                  SHA-1 (BYTE-only)
                  -SHA-256 (BYTE-only)
                  -SHA-384 (BYTE-only)
                  -SHA-512 (BYTE-only)
                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
                  -Version 10.0.10586
                  SHA-1 (BYTE-only)
                  -SHA-256 (BYTE-only)
                  -SHA-384 (BYTE-only)
                  -SHA-512 (BYTE-only)
                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
                  -Version 10.0.10586
                  SHA-1 (BYTE-only)
                  -SHA-256 (BYTE-only)
                  -SHA-384 (BYTE-only)
                  -SHA-512 (BYTE-only)
                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
                  -Version 10.0.10240
                  SHA-1 (BYTE-only)
                  -SHA-256 (BYTE-only)
                  -SHA-384 (BYTE-only)
                  -SHA-512 (BYTE-only)
                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
                  -Version 10.0.10240
                  SHA-1 (BYTE-only)
                  -SHA-256 (BYTE-only)
                  -SHA-384 (BYTE-only)
                  -SHA-512 (BYTE-only)
                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
                  -Version 6.3.9600
                  SHA-1 (BYTE-only)
                  -SHA-256 (BYTE-only)
                  -SHA-384 (BYTE-only)
                  -SHA-512 (BYTE-only)
                  Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
                  -Version 6.3.9600

                  SHA-1 (BYTE-only)

                  -

                  SHA-256 (BYTE-only)

                  -

                  SHA-384 (BYTE-only)

                  -

                  SHA-512 (BYTE-only)

                  -

                  Implementation does not support zero-length (null) messages.

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903

                  -

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902

                  SHA-1 (BYTE-only)
                  -SHA-256 (BYTE-only)
                  -SHA-384 (BYTE-only)
                  -SHA-512 (BYTE-only)

                  Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774

                  -

                  Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773

                  SHA-1 (BYTE-only)
                  -SHA-256 (BYTE-only)
                  -SHA-384 (BYTE-only)
                  -SHA-512 (BYTE-only)

                  Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081

                  -

                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816

                  SHA-1 (BYTE-only)

                  Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785

                  -

                  Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784

                  SHA-1 (BYTE-only)
                  -SHA-256 (BYTE-only)
                  -SHA-384 (BYTE-only)
                  -SHA-512 (BYTE-only)
                  Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783
                  SHA-1 (BYTE-only)
                  -SHA-256 (BYTE-only)
                  -SHA-384 (BYTE-only)
                  -SHA-512 (BYTE-only)

                  Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753

                  -

                  Windows Vista Symmetric Algorithm Implementation #618

                  SHA-1 (BYTE-only)
                  -SHA-256 (BYTE-only)

                  Windows Vista BitLocker Drive Encryption #737

                  -

                  Windows Vista Beta 2 BitLocker Drive Encryption #495

                  SHA-1 (BYTE-only)
                  -SHA-256 (BYTE-only)
                  -SHA-384 (BYTE-only)
                  -SHA-512 (BYTE-only)

                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613

                  -

                  Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364

                  SHA-1 (BYTE-only)

                  Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611

                  -

                  Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610

                  -

                  Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385

                  -

                  Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #371

                  -

                  Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #181

                  -

                  Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #177

                  -

                  Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176

                  SHA-1 (BYTE-only)
                  -SHA-256 (BYTE-only)
                  -SHA-384 (BYTE-only)
                  -SHA-512 (BYTE-only)

                  Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589

                  -

                  Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578

                  -

                  Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305

                  SHA-1 (BYTE-only)

                  Windows XP Microsoft Enhanced Cryptographic Provider #83

                  -

                  Crypto Driver for Windows 2000 (fips.sys) #35

                  -

                  Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #32

                  -

                  Windows 2000 RSAENH.DLL #24

                  -

                  Windows 2000 RSABASE.DLL #23

                  -

                  Windows NT 4 SP6 RSAENH.DLL #21

                  -

                  Windows NT 4 SP6 RSABASE.DLL #20

                  - - -#### Triple DES - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #
                    -
                  • TDES-CBC:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Keying Option: 1
                    • -
                  • -
                  • TDES-CFB64:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Keying Option: 1
                    • -
                  • -
                  • TDES-CFB8:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Keying Option: 1
                    • -
                  • -
                  • TDES-ECB:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Keying Option: 1
                    • -
                  • -

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #2558

                  -

                  Version 10.0.15063.674

                    -
                  • TDES-CBC:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Keying Option: 1
                    • -
                  • -
                  • TDES-CFB64:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Keying Option: 1
                    • -
                  • -
                  • TDES-CFB8:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Keying Option: 1
                    • -
                  • -
                  • TDES-ECB:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Keying Option: 1
                    • -
                  • -

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2557

                  -

                  Version 10.0.15254

                    -
                  • TDES-CBC:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Keying Option: 1
                    • -
                  • -
                  • TDES-CFB64:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Keying Option: 1
                    • -
                  • -
                  • TDES-CFB8:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Keying Option: 1
                    • -
                  • -
                  • TDES-ECB:
                  • -
                    • -
                    • Modes: Decrypt, Encrypt
                    • -
                    • Keying Option: 1
                    • -
                  • -

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556

                  -

                  Version 10.0.16299

                  TECB(KO 1 e/d); TCBC(KO 1 e/d); TCFB8(KO 1 e/d); TCFB64(KO 1 e/d)

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459

                  -

                  Version 10.0.15063

                  TECB(KO 1 e/d);

                  -

                  TCBC(KO 1 e/d)

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384

                  -

                  Version 8.00.6246

                  TECB(KO 1 e/d);

                  -

                  TCBC(KO 1 e/d)

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383

                  -

                  Version 8.00.6246

                  TECB(KO 1 e/d);

                  -

                  TCBC(KO 1 e/d);

                  -

                  CTR (int only)

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382

                  -

                  Version 7.00.2872

                  TECB(KO 1 e/d);

                  -

                  TCBC(KO 1 e/d)

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381

                  -

                  Version 8.00.6246

                  TECB(KO 1 e/d);

                  -

                  TCBC(KO 1 e/d);

                  -

                  TCFB8(KO 1 e/d);

                  -

                  TCFB64(KO 1 e/d)

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227
                  -
                  -

                  -

                  Version 10.0.14393

                  TECB(KO 1 e/d);

                  -

                  TCBC(KO 1 e/d);

                  -

                  TCFB8(KO 1 e/d);

                  -

                  TCFB64(KO 1 e/d)

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024
                  -
                  -

                  -

                  Version 10.0.10586

                  TECB(KO 1 e/d);

                  -

                  TCBC(KO 1 e/d);

                  -

                  TCFB8(KO 1 e/d);

                  -

                  TCFB64(KO 1 e/d)

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969
                  -
                  -

                  -

                  Version 10.0.10240

                  TECB(KO 1 e/d);

                  -

                  TCBC(KO 1 e/d);

                  -

                  TCFB8(KO 1 e/d);

                  -

                  TCFB64(KO 1 e/d)

                  Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

                  -

                  Version 6.3.9600

                  TECB(e/d; KO 1, 2);

                  -

                  TCBC(e/d; KO 1, 2);

                  -

                  TCFB8(e/d; KO 1, 2);

                  -

                  TCFB64(e/d; KO 1, 2)

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387

                  TECB(e/d; KO 1, 2);

                  -

                  TCBC(e/d; KO 1, 2);

                  -

                  TCFB8(e/d; KO 1, 2)

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386

                  TECB(e/d; KO 1, 2);

                  -

                  TCBC(e/d; KO 1, 2);

                  -

                  TCFB8(e/d; KO 1, 2)

                  Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846

                  TECB(e/d; KO 1, 2);

                  -

                  TCBC(e/d; KO 1, 2);

                  -

                  TCFB8(e/d; KO 1, 2)

                  Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656

                  TECB(e/d; KO 1, 2);

                  -

                  TCBC(e/d; KO 1, 2);

                  -

                  TCFB8(e/d; KO 1, 2)

                  Windows Vista Symmetric Algorithm Implementation #549
                  Triple DES MAC

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed

                  -

                  Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed

                  TECB(e/d; KO 1, 2);

                  -

                  TCBC(e/d; KO 1, 2)

                  Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308

                  -

                  Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307

                  -

                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691

                  -

                  Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #677

                  -

                  Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #676

                  -

                  Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #675

                  -

                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #544

                  -

                  Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #543

                  -

                  Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #542

                  -

                  Windows CE 6.0 and Window CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #526

                  -

                  Windows CE and Windows Mobile 6 and Windows Mobile 6.1 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #517

                  -

                  Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #381

                  -

                  Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #370

                  -

                  Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #365

                  -

                  Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #315

                  -

                  Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #201

                  -

                  Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #199

                  -

                  Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #192

                  -

                  Windows XP Microsoft Enhanced Cryptographic Provider #81

                  -

                  Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #18

                  -

                  Crypto Driver for Windows 2000 (fips.sys) #16

                  - - -#### SP 800-132 Password-Based Key Derivation Function (PBKDF) - - - - - - - - - - - - - - -
                  - Modes / States / Key Sizes - - Algorithm Implementation and Certificate # -
                  - PBKDF (vendor affirmed) -

                   Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937
                  (Software Version: 10.0.14393)

                  -

                  Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
                  (Software Version: 10.0.14393)

                  -

                  Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2935
                  (Software Version: 10.0.14393)

                  -

                  Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2931
                  (Software Version: 10.0.14393)

                  -
                  - PBKDF (vendor affirmed) -

                  Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
                  (Software Version: 10.0.14393)

                  -

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed

                  -
                  - - -#### Component Validation List - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Publication / Component Validated / DescriptionImplementation and Certificate #
                    -
                  • ECDSA SigGen:
                  • -
                    • -
                    • P-256 SHA: SHA-256
                    • -
                    • P-384 SHA: SHA-384
                    • -
                    • P-521 SHA: SHA-512
                    • -
                  • -
                  -

                  Prerequisite: DRBG #489

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540

                  -

                  Version 6.3.9600

                    -
                  • RSASP1:
                  • -
                    • -
                    • Modulus Size: 2048 (bits)
                    • -
                    • Padding Algorithms: PKCS 1.5
                    • -
                  • -

                  Microsoft Surface Hub Virtual TPM Implementations #1519

                  -

                  Version 10.0.15063.674

                    -
                  • RSASP1:
                  • -
                    • -
                    • Modulus Size: 2048 (bits)
                    • -
                    • Padding Algorithms: PKCS 1.5
                    • -
                  • -

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518

                  -

                  Version 10.0.16299

                    -
                  • RSADP:
                  • -
                    • -
                    • Modulus Size: 2048 (bits)
                    • -
                  • -

                  Microsoft Surface Hub MsBignum Cryptographic Implementations #1517

                  -

                  Version 10.0.15063.674

                    -
                  • RSASP1:
                  • -
                    • -
                    • Modulus Size: 2048 (bits)
                    • -
                    • Padding Algorithms: PKCS 1.5
                    • -
                  • -

                  Microsoft Surface Hub MsBignum Cryptographic Implementations #1516

                  -

                  Version 10.0.15063.674

                    -
                  • ECDSA SigGen:
                  • -
                    • -
                    • P-256 SHA: SHA-256
                    • -
                    • P-384 SHA: SHA-384
                    • -
                    • P-521 SHA: SHA-512
                    • -
                  • -
                  -

                   Prerequisite: DRBG #1732

                  Microsoft Surface Hub MsBignum Cryptographic Implementations #1515

                  -

                  Version 10.0.15063.674

                    -
                  • ECDSA SigGen:
                  • -
                    • -
                    • P-256 SHA: SHA-256
                    • -
                    • P-384 SHA: SHA-384
                    • -
                    • P-521 SHA: SHA-512
                    • -
                  • -
                  -

                  Prerequisite: DRBG #1732

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #1514

                  -

                  Version 10.0.15063.674

                    -
                  • RSADP:
                  • -
                    • -
                    • Modulus Size: 2048 (bits)
                    • -
                  • -

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #1513

                  -

                  Version 10.0.15063.674

                    -
                  • RSASP1:
                  • -
                    • -
                    • Modulus Size: 2048 (bits)
                    • -
                    • Padding Algorithms: PKCS 1.5
                    • -
                  • -

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #1512

                  -

                  Version 10.0.15063.674

                    -
                  • IKEv1:
                  • -
                    • -
                    • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
                    • -
                    • Pre-shared Key Length: 64-2048
                    • -
                    • Diffie-Hellman shared secrets:
                    • -
                      • -
                      • Diffie-Hellman shared secret:
                      • -
                        • -
                        • Length: 2048 (bits)
                        • -
                        • SHA Functions: SHA-256
                        • -
                      • -
                      • Diffie-Hellman shared secret:
                      • -
                        • -
                        • Length: 256 (bits)
                        • -
                        • SHA Functions: SHA-256
                        • -
                      • -
                      • Diffie-Hellman shared secret:
                      • -
                        • -
                        • Length: 384 (bits)
                        • -
                        • SHA Functions: SHA-384
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4011, HMAC #3269

                  -
                    -
                  • IKEv2:
                  • -
                    • -
                    • Derived Keying Material length: 192-1792
                    • -
                    • Diffie-Hellman shared secrets:
                    • -
                      • -
                      • Diffie-Hellman shared secret:
                      • -
                        • -
                        • Length: 2048 (bits)
                        • -
                        • SHA Functions: SHA-256
                        • -
                      • -
                      • Diffie-Hellman shared secret:
                      • -
                        • -
                        • Length: 256 (bits)
                        • -
                        • SHA Functions: SHA-256
                        • -
                      • -
                      • Diffie-Hellman shared secret:
                      • -
                        • -
                        • Length: 384 (bits)
                        • -
                        • SHA Functions: SHA-384
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4011, HMAC #3269

                  -
                    -
                  • TLS:
                  • -
                    • -
                    • Supports TLS 1.0/1.1
                    • -
                    • Supports TLS 1.2:
                    • -
                      • -
                      • SHA Functions: SHA-256, SHA-384
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4011, HMAC #3269

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #1511

                  -

                  Version 10.0.15063.674

                    -
                  • ECDSA SigGen:
                  • -
                    • -
                    • P-256 SHA: SHA-256
                    • -
                    • P-384 SHA: SHA-384
                    • -
                    • P-521 SHA: SHA-512
                    • -
                  • -
                  -

                  Prerequisite: DRBG #1731

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1510

                  -

                  Version 10.0.15254

                    -
                  • RSADP:
                  • -
                    • -
                    • Modulus Size: 2048 (bits)
                    • -
                  • -

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1509

                  -

                  Version 10.0.15254

                    -
                  • RSASP1:
                  • -
                    • -
                    • Modulus Size: 2048 (bits)
                    • -
                    • Padding Algorithms: PKCS 1.5
                    • -
                  • -

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1508

                  -

                  Version 10.0.15254

                    -
                  • IKEv1:
                  • -
                    • -
                    • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
                    • -
                    • Pre-shared Key Length: 64-2048
                    • -
                    • Diffie-Hellman shared secrets:
                    • -
                      • -
                      • Diffie-Hellman shared secret:
                      • -
                        • -
                        • Length: 2048 (bits)
                        • -
                        • SHA Functions: SHA-256
                        • -
                      • -
                      • Diffie-Hellman shared secret:
                      • -
                        • -
                        • Length: 256 (bits)
                        • -
                        • SHA Functions: SHA-256
                        • -
                      • -
                      • Diffie-Hellman shared secret:
                      • -
                        • -
                        • Length: 384 (bits)
                        • -
                        • SHA Functions: SHA-384
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4010, HMAC #3268

                  -
                    -
                  • IKEv2:
                  • -
                    • -
                    • Derived Keying Material length: 192-1792
                    • -
                    • Diffie-Hellman shared secrets:
                    • -
                      • -
                      • Diffie-Hellman shared secret:
                      • -
                        • -
                        • Length: 2048 (bits)
                        • -
                        • SHA Functions: SHA-256
                        • -
                      • -
                      • Diffie-Hellman shared secret:
                      • -
                        • -
                        • Length: 256 (bits)
                        • -
                        • SHA Functions: SHA-256
                        • -
                      • -
                      • Diffie-Hellman shared secret:
                      • -
                        • -
                        • Length: 384 (bits)
                        • -
                        • SHA Functions: SHA-384
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4010, HMAC #3268

                  -
                    -
                  • TLS:
                  • -
                    • -
                    • Supports TLS 1.0/1.1
                    • -
                    • Supports TLS 1.2:
                    • -
                      • -
                      • SHA Functions: SHA-256, SHA-384
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4010, HMAC #3268

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1507

                  -

                  Version 10.0.15254

                    -
                  • ECDSA SigGen:
                  • -
                    • -
                    • P-256 SHA: SHA-256
                    • -
                    • P-384 SHA: SHA-384
                    • -
                    • P-521 SHA: SHA-512
                    • -
                  • -
                  -

                  Prerequisite: DRBG #1731

                  Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1506

                  -

                  Version 10.0.15254

                    -
                  • RSADP:
                  • -
                    • -
                    • Modulus Size: 2048 (bits)
                    • -
                  • -

                  Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1505

                  -

                  Version 10.0.15254

                    -
                  • RSASP1:
                  • -
                    • -
                    • Modulus Size: 2048 (bits)
                    • -
                    • Padding Algorithms: PKCS 1.5
                    • -
                  • -

                  Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1504

                  -

                  Version 10.0.15254

                    -
                  • ECDSA SigGen:
                  • -
                    • -
                    • P-256 SHA: SHA-256
                    • -
                    • P-384 SHA: SHA-384
                    • -
                    • P-521 SHA: SHA-512
                    • -
                  • -
                  -

                  Prerequisite: DRBG #1730

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503

                  -

                  Version 10.0.16299

                    -
                  • RSADP:
                  • -
                    • -
                    • Modulus Size: 2048 (bits)
                    • -
                  • -

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502

                  -

                  Version 10.0.16299

                    -
                  • RSASP1:
                  • -
                    • -
                    • Modulus Size: 2048 (bits)
                    • -
                    • Padding Algorithms: PKCS 1.5
                    • -
                  • -

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501

                  -

                  Version 10.0.16299

                    -
                  • ECDSA SigGen:
                  • -
                    • -
                    • P-256 SHA: SHA-256
                    • -
                    • P-384 SHA: SHA-384
                    • -
                    • P-521 SHA: SHA-512
                    • -
                  • -
                  -

                  Prerequisite: DRBG #1730

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499

                  -

                  Version 10.0.16299

                    -
                  • RSADP:
                  • -
                    • -
                    • Modulus Size: 2048 (bits)
                    • -
                  • -

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498

                  -

                  Version 10.0.16299

                  -

                   

                    -
                  • RSASP1:
                  • -
                    • -
                    • Modulus Size: 2048 (bits)
                    • -
                    • Padding Algorithms: PKCS 1.5
                    • -
                  • -

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1497

                  -

                  Version 10.0.16299

                    -
                  • IKEv1:
                  • -
                    • -
                    • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
                    • -
                    • Pre-shared Key Length: 64-2048
                    • -
                    • Diffie-Hellman shared secrets:
                    • -
                      • -
                      • Diffie-Hellman shared secret:
                      • -
                        • -
                        • Length: 2048 (bits)
                        • -
                        • SHA Functions: SHA-256
                        • -
                      • -
                      • Diffie-Hellman shared secret:
                      • -
                        • -
                        • Length: 256 (bits)
                        • -
                        • SHA Functions: SHA-256
                        • -
                      • -
                      • Diffie-Hellman shared secret:
                      • -
                        • -
                        • Length: 384 (bits)
                        • -
                        • SHA Functions: SHA-384
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4009, HMAC #3267

                  -
                    -
                  • IKEv2:
                  • -
                    • -
                    • Derived Keying Material length: 192-1792
                    • -
                    • Diffie-Hellman shared secrets:
                    • -
                      • -
                      • Diffie-Hellman shared secret:
                      • -
                        • -
                        • Length: 2048 (bits)
                        • -
                        • SHA Functions: SHA-256
                        • -
                      • -
                      • Diffie-Hellman shared secret:
                      • -
                        • -
                        • Length: 256 (bits)
                        • -
                        • SHA Functions: SHA-256
                        • -
                      • -
                      • Diffie-Hellman shared secret:
                      • -
                        • -
                        • Length: 384 (bits)
                        • -
                        • SHA Functions: SHA-384
                        • -
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4009, HMAC #3267

                  -
                    -
                  • TLS:
                  • -
                    • -
                    • Supports TLS 1.0/1.1
                    • -
                    • Supports TLS 1.2:
                    • -
                      • -
                      • SHA Functions: SHA-256, SHA-384
                      • -
                    • -
                  • -
                  -

                  Prerequisite: SHS #4009, HMAC #3267

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

                  -

                  Version 10.0.16299

                  FIPS186-4 ECDSA

                  -

                  Signature Generation of hash sized messages

                  -

                  ECDSA SigGen Component: CURVES(P-256 P-384 P-521)

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1284
                  -Version 10.0. 15063

                  -

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1279
                  -Version 10.0. 15063

                  -

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #922
                  -Version 10.0.14393

                  -

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
                  -Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #666
                  -Version 10.0.10586

                  -

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
                  -Version 6.3.9600

                  FIPS186-4 RSA; PKCS#1 v2.1

                  -

                  RSASP1 Signature Primitive

                  -

                  RSASP1: (Mod2048: PKCS1.5 PKCSPSS)

                  Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1285
                  -Version 10.0.15063

                  -

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1282
                  -Version 10.0.15063

                  -

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1280
                  -Version 10.0.15063

                  -

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893
                  -Version 10.0.14393

                  -

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #888
                  -Version 10.0.14393

                  -

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
                  -Version 10.0.10586

                  -

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #572
                  -Version  10.0.10240

                  -

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry MsBignum Cryptographic Implementations #289
                  -Version 6.3.9600

                  FIPS186-4 RSA; RSADP

                  -

                  RSADP Primitive

                  -

                  RSADP: (Mod2048)

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1283
                  -Version 10.0.15063

                  -

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1281
                  -Version 10.0.15063

                  -

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895
                  -Version 10.0.14393

                  -

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #887
                  -Version 10.0.14393

                  -

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #663
                  -Version 10.0.10586

                  -

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #576
                  -Version  10.0.10240

                  SP800-135

                  -

                  Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

                  -

                  Version 10.0.16299

                  -

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1278
                  -Version 10.0.15063

                  -

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1140
                  -Version 7.00.2872

                  -

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1139
                  -Version 8.00.6246

                  -

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BcryptPrimitives and NCryptSSLp #886
                  -Version 10.0.14393

                  -

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BCryptPrimitives and NCryptSSLp #664
                  -Version 10.0.10586

                  -

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp #575
                  -Version  10.0.10240

                  -

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323
                  -Version 6.3.9600

                  -
-## Contact
-
-fips@microsoft.com
-
-## References
-
-* [FIPS 140-2, Security Requirements for Cryptographic Modules](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf))
-* [Cryptographic Module Validation Program (CMVP) FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)
-* [SP 800-57 - Recommendation for Key Management – Part 1: General (Revised)](https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final)
+---
+title: Federal Information Processing Standard (FIPS) 140 Validation
+description: Learn how Microsoft products and cryptographic modules follow the U.S. Federal government standard FIPS 140.
+ms.prod: m365-security
+audience: ITPro
+author: dansimp
+ms.author: dansimp
+manager: dansimp
+ms.collection: M365-identity-device-management
+ms.topic: article
+ms.localizationpriority: medium
+ms.reviewer:
+ms.technology: windows-sec
+---
+
+# FIPS 140-2 Validation
+
+## FIPS 140-2 standard overview
+
+The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products.
+
+The [Cryptographic Module Validation Program (CMVP)](https://csrc.nist.gov/Projects/cryptographic-module-validation-program) is a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). It validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover 11 areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module.
+
+## Microsoft’s approach to FIPS 140-2 validation
+
+Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001. Microsoft validates its cryptographic modules under the NIST CMVP, as described above. Multiple Microsoft products, including Windows 10, Windows Server, and many cloud services, use these cryptographic modules.
+
+## Using Windows in a FIPS 140-2 approved mode of operation
+
+Windows 10 and Windows Server may be configured to run in a FIPS 140-2 approved mode of operation, commonly referred to as "FIPS mode."  If you turn on FIPS mode, the Cryptographic Primitives Library (bcryptprimitives.dll) and Kernel Mode Cryptographic Primitives Library (CNG.sys) modules will run self-tests before Windows runs cryptographic operations. These self-tests are run according to FIPS 140-2 Section 4.9. They ensure that the modules are functioning properly.
+
+The Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library are the only modules affected by FIPS mode. FIPS mode won't prevent Windows and its subsystems from using non-FIPS validated cryptographic algorithms. FIPS mode is merely advisory for applications or components other than the Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library.
+
+US government regulations continue to mandate FIPS mode for government devices running Windows. Other customers should decide for themselves if FIPS mode is right for them. There are many applications and protocols that use FIPS mode policy to determine which cryptographic functionality to run. Customers seeking to follow the FIPS 140-2 standard should research the configuration settings of their applications and protocols. This research will help ensure that they can be configured to use FIPS 140-2 validated cryptography.
+
+Achieving this FIPS 140-2 approved mode of operation of Windows requires administrators to complete all four steps outlined below.
+
+### Step 1: Ensure FIPS 140-2 validated cryptographic modules are installed
+
+Administrators must ensure that all cryptographic modules installed are FIPS 140-2 validated. Tables listing validated modules, organized by operating system release, are available later in this article.
+
+### Step 2: Ensure all security policies for all cryptographic modules are followed
+
+Each of the cryptographic modules has a defined security policy that must be met for the module to operate in its FIPS 140-2 approved mode. The security policy may be found in each module’s published Security Policy Document (SPD). The SPDs for each module may be found in the table of validated modules at the end of this article. Select the module version number to view the published SPD for the module.
+
+### Step 3: Enable the FIPS security policy
+
+Windows provides the security policy setting, *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing*. This setting is used by some Microsoft products to determine whether to run in FIPS mode. When this policy is turned on, the validated cryptographic modules in Windows will also operate in FIPS mode. This policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution. For more information on the policy, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](./security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
+
+### Step 4: Ensure that only FIPS validated cryptographic algorithms are used
+
+FIPS mode is enforced at the level of the application or service. It is not enforced by the operating system or by individual cryptographic modules.
Applications or services running in FIPS mode must follow the security policies of validated modules. They must not use a cryptographic algorithm that isn't FIPS-compliant.
+
+In short, an application or service is running in FIPS mode if it:
+
+* Checks for the policy flag
+* Enforces security policies of validated modules
+
+## Frequently asked questions
+
+### How long does it take to certify a cryptographic module?
+
+Microsoft begins certification of cryptographic modules after each major feature release of Windows 10 and Windows Server. The duration of each evaluation varies, depending on many factors.
+
+### When does Microsoft undertake a FIPS 140 validation?
+
+The cadence for starting module validation aligns with the feature updates of Windows 10 and Windows Server. As the software industry evolves, operating systems release more frequently. Microsoft completes validation work on major releases but, in between releases, seeks to minimize the changes to the cryptographic modules.
+
+### What is the difference between *FIPS 140 validated* and *FIPS 140 compliant*?
+
+*FIPS 140 validated* means that the cryptographic module, or a product that embeds the module, has been validated ("certified") by the CMVP as meeting the FIPS 140-2 requirements. *FIPS 140 compliant* is an industry term for IT products that rely on FIPS 140 validated products for cryptographic functionality.
+
+### How do I know if a Windows service or application is FIPS 140-2 validated?
+
+The cryptographic modules used in Windows are validated through the CMVP. They aren't validated by individual services, applications, hardware peripherals, or other solutions. Any compliant solution must call a FIPS 140-2 validated cryptographic module in the underlying OS, and the OS must be configured to run in FIPS mode. Contact the vendor of the service, application, or product for information on whether it calls a validated cryptographic module.
+
+### What does *When operated in FIPS mode* mean on a certificate?
+
+This label means that certain configuration and security rules must be followed to use the cryptographic module in compliance with its FIPS 140-2 security policy. Each module has its own security policy—a precise specification of the security rules under which it will operate—and employs approved cryptographic algorithms, cryptographic key management, and authentication techniques. The security rules are defined in the Security Policy Document (SPD) for each module.
+
+### What is the relationship between FIPS 140-2 and Common Criteria?
+
+FIPS 140-2 and Common Criteria are two separate security standards with different, but complementary, purposes. FIPS 140-2 is designed specifically for validating software and hardware cryptographic modules. Common Criteria are designed to evaluate security functions in IT software and hardware products. Common Criteria evaluations often rely on FIPS 140-2 validations to provide assurance that basic cryptographic functionality is implemented properly.
+
+### How does FIPS 140 relate to Suite B?
+
+Suite B is a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information. The Suite B cryptographic algorithms are a subset of the FIPS approved cryptographic algorithms allowed by the FIPS 140-2 standard.
+
+### Is SMB3 (Server Message Block) FIPS 140 compliant in Windows?
+
+SMB3 can be FIPS 140 compliant, if Windows is configured to operate in FIPS 140 mode on both client and server. In FIPS mode, SMB3 relies on the underlying Windows FIPS 140 validated cryptographic modules for cryptographic operations.
+ +## Microsoft FIPS 140-2 validated cryptographic modules + +The following tables identify the cryptographic modules used in an operating system, organized by release. + +## Modules used by Windows + +##### Windows 10 Fall 2018 Update (Version 1809) + +Validated Editions: Home, Pro, Enterprise, Education + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library10.0.17763#3197See Security Policy and Certificate page for algorithm information
                  Kernel Mode Cryptographic Primitives Library10.0.17763#3196See Security Policy and Certificate page for algorithm information
                  Code Integrity10.0.17763#3644See Security Policy and Certificate page for algorithm information
                  Windows OS Loader10.0.17763#3615See Security Policy and Certificate page for algorithm information
                  Secure Kernel Code Integrity10.0.17763#3651See Security Policy and Certificate page for algorithm information
                  BitLocker Dump Filter10.0.17763#3092See Security Policy and Certificate page for algorithm information
                  Boot Manager10.0.17763#3089See Security Policy and Certificate page for algorithm information
                  Virtual TPM10.0.17763#3690See Security Policy and Certificate page for algorithm information
                  + +##### Windows 10 Spring 2018 Update (Version 1803) + +Validated Editions: Home, Pro, Enterprise, Education + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library10.0.17134#3197See Security Policy and Certificate page for algorithm information
                  Kernel Mode Cryptographic Primitives Library10.0.17134#3196See Security Policy and Certificate page for algorithm information
                  Code Integrity10.0.17134#3195See Security Policy and Certificate page for algorithm information
                  Windows OS Loader10.0.17134#3480See Security Policy and Certificate page for algorithm information
                  Secure Kernel Code Integrity10.0.17134#3096See Security Policy and Certificate page for algorithm information
                  BitLocker Dump Filter10.0.17134#3092See Security Policy and Certificate page for algorithm information
                  Boot Manager10.0.17134#3089See Security Policy and Certificate page for algorithm information
                  + +##### Windows 10 Fall Creators Update (Version 1709) + +Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library10.0.16299#3197See Security Policy and Certificate page for algorithm information
                  Kernel Mode Cryptographic Primitives Library10.0.16299#3196See Security Policy and Certificate page for algorithm information
                  Code Integrity10.0.16299#3195See Security Policy and Certificate page for algorithm information
                  Windows OS Loader10.0.16299#3194See Security Policy and Certificate page for algorithm information
                  Secure Kernel Code Integrity10.0.16299#3096See Security Policy and Certificate page for algorithm information
                  BitLocker Dump Filter10.0.16299#3092See Security Policy and Certificate page for algorithm information
                  Windows Resume10.0.16299#3091See Security Policy and Certificate page for algorithm information
                  Boot Manager10.0.16299#3089See Security Policy and Certificate page for algorithm information
                  + +##### Windows 10 Creators Update (Version 1703) + +Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile + + ++ ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.15063#3095

                  FIPS approved algorithms: AES (Cert. #4624); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2522); SHS (Cert. #3790); Triple-DES (Cert. #2459)
                  +
                  +Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

                  +

                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)

                  Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.15063#3094

                  #3094

                  +

                  FIPS approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459)
                  +
                  +Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

                  +

                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert.#1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert.#2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert.#1281)

                  Boot Manager10.0.15063#3089

                  FIPS approved algorithms: AES (Certs. #4624 and #4625); CKG (vendor affirmed); HMAC (Cert. #3061); PBKDF (vendor affirmed); RSA (Cert. #2523); SHS (Cert. #3790)

                  +

                  Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed)

                  Windows OS Loader10.0.15063#3090

                  FIPS approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)

                  +

                  Other algorithms: NDRNG

                  Windows Resume[1]10.0.15063#3091FIPS approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)
                  BitLocker® Dump Filter[2]10.0.15063#3092FIPS approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2522); SHS (Cert. #3790)
                  Code Integrity (ci.dll)10.0.15063#3093

                  FIPS approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

                  +

                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

                  Secure Kernel Code Integrity (skci.dll)[3]10.0.15063#3096

                  FIPS approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

                  +

                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

                  + + +\[1\] Applies only to Home, Pro, Enterprise, Education, and S. + +\[2\] Applies only to Pro, Enterprise, Education, S, Mobile, and Surface Hub + +\[3\] Applies only to Pro, Enterprise, Education, and S + +##### Windows 10 Anniversary Update (Version 1607) + +Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.14393#2937

                  FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
                  +
                  +Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

                  +

                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)

                  Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.14393#2936

                  FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
                  +
                  +Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

                  +

                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887)

                  Boot Manager10.0.14393#2931

                  FIPS approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

                  +

                  Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

                  BitLocker® Windows OS Loader (winload)10.0.14393#2932FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
                  +
                  +Other algorithms: NDRNG; MD5
                  BitLocker® Windows Resume (winresume)[1]10.0.14393#2933FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
                  +
                  +Other algorithms: MD5
                  BitLocker® Dump Filter (dumpfve.sys)[2]10.0.14393#2934FIPS approved algorithms: AES (Certs. #4061 and #4064)
                  Code Integrity (ci.dll)10.0.14393#2935

                  FIPS approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
                  +
                  +Other algorithms: AES (non-compliant); MD5

                  +

                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

                  Secure Kernel Code Integrity (skci.dll)[3]10.0.14393#2938

                  FIPS approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
                  +
                  +Other algorithms: MD5

                  +

                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

                  + + +\[1\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB + +\[2\] Applies only to Pro, Enterprise, Enterprise LTSB, and Mobile + +\[3\] Applies only to Pro, Enterprise, and Enterprise LTSB + +##### Windows 10 November 2015 Update (Version 1511) + +Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.10586#2606

                  FIPS approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888, and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
                  +
                  +Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

                  +

                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664)

                  Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.10586#2605

                  FIPS approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs.  #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888, and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
                  +
                  +Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

                  +

                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663)

                  Boot Manager[4]10.0.10586#2700FIPS approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
                  +
                  +Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
                  BitLocker® Windows OS Loader (winload)[5]10.0.10586#2701FIPS approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
                  +
                  +Other algorithms: MD5; NDRNG
                  BitLocker® Windows Resume (winresume)[6]10.0.10586#2702FIPS approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
                  +
                  +Other algorithms: MD5
                  BitLocker® Dump Filter (dumpfve.sys)[7]10.0.10586#2703FIPS approved algorithms: AES (Certs. #3653)
                  Code Integrity (ci.dll)10.0.10586#2604

                  FIPS approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
                  +
                  +Other algorithms: AES (non-compliant); MD5

                  +

                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

                  Secure Kernel Code Integrity (skci.dll)[8]10.0.10586#2607

                  FIPS approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
                  +
                  +Other algorithms: MD5

                  +

                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

                  + + +\[4\] Applies only to Home, Pro, Enterprise, Mobile, and Surface Hub + +\[5\] Applies only to Home, Pro, Enterprise, Mobile, and Surface Hub + +\[6\] Applies only to Home, Pro, and Enterprise + +\[7\] Applies only to Pro, Enterprise, Mobile, and Surface Hub + +\[8\] Applies only to Enterprise and Enterprise LTSB + +##### Windows 10 (Version 1507) + +Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.10240#2606

                  FIPS approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
                  +
                  +Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

                  +

                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575)

                  Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.10240#2605

                  FIPS approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
                  +
                  +Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

                  +

                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576)

                  Boot Manager[9]10.0.10240#2600FIPS approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
                  +
                  +Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
                  BitLocker® Windows OS Loader (winload)[10]10.0.10240#2601FIPS approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
                  +
                  +Other algorithms: MD5; NDRNG
                  BitLocker® Windows Resume (winresume)[11]10.0.10240#2602FIPS approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
                  +
                  +Other algorithms: MD5
                  BitLocker® Dump Filter (dumpfve.sys)[12]10.0.10240#2603FIPS approved algorithms: AES (Certs. #3497 and #3498)
                  Code Integrity (ci.dll)10.0.10240#2604

                  FIPS approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
                  +
                  +Other algorithms: AES (non-compliant); MD5

                  +

                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

                  Secure Kernel Code Integrity (skci.dll)[13]10.0.10240#2607

                  FIPS approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
                  +
                  +Other algorithms: MD5

                  +

                  Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

                  + + +\[9\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB + +\[10\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB + +\[11\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB + +\[12\] Applies only to Pro, Enterprise, and Enterprise LTSB + +\[13\] Applies only to Enterprise and Enterprise LTSB + +##### Windows 8.1 + +Validated Editions: RT, Pro, Enterprise, Phone, Embedded + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)6.3.9600 6.3.9600.17031#2357

                  FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
                  +
                  +Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

                  +

                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323)

                  Kernel Mode Cryptographic Primitives Library (cng.sys)6.3.9600 6.3.9600.17042#2356

                  FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
                  +
                  +Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

                  +

                  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

                  Boot Manager6.3.9600 6.3.9600.17031#2351FIPS approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
                  +
                  +Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
                  BitLocker® Windows OS Loader (winload)6.3.9600 6.3.9600.17031#2352FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
                  +
                  +Other algorithms: MD5; NDRNG
                  BitLocker® Windows Resume (winresume)[14]6.3.9600 6.3.9600.17031#2353FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
                  +
                  +Other algorithms: MD5
                  BitLocker® Dump Filter (dumpfve.sys)6.3.9600 6.3.9600.17031#2354FIPS approved algorithms: AES (Cert. #2832)
                  +
                  +Other algorithms: N/A
                  Code Integrity (ci.dll)6.3.9600 6.3.9600.17031#2355#2355

                  FIPS approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
                  +
                  +Other algorithms: MD5

                  +

                  Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

                  + + +\[14\] Applies only to Pro, Enterprise, and Embedded 8. + +##### Windows 8 + +Validated Editions: RT, Home, Pro, Enterprise, Phone + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)6.2.9200#1892FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
                  +
                  +Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert.); ECDSA (Cert.); HMAC (Cert.); KAS (Cert); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
                  +
                  +
                  Kernel Mode Cryptographic Primitives Library (cng.sys)6.2.9200#1891FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
                  +
                  +Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and); ECDSA (Cert.); HMAC (Cert.); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RNG (Cert.); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
                  +
                  +Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
                  Boot Manager6.2.9200#1895FIPS approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
                  +
                  +Other algorithms: MD5
                  BitLocker® Windows OS Loader (WINLOAD)6.2.9200#1896FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
                  +
                  +Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
                  BitLocker® Windows Resume (WINRESUME)[15]6.2.9200#1898FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
                  +
                  +Other algorithms: MD5
                  BitLocker® Dump Filter (DUMPFVE.SYS)6.2.9200#1899FIPS approved algorithms: AES (Certs. #2196 and #2198)
                  +
                  +Other algorithms: N/A
                  Code Integrity (CI.DLL)6.2.9200#1897FIPS approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
                  +
                  +Other algorithms: MD5
                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.2.9200#1893FIPS approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
                  +
                  +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert.); Triple-DES MAC (Triple-DES Certificate, vendor affirmed)
                  +
                  +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Certificate, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
                  Enhanced Cryptographic Provider (RSAENH.DLL)6.2.9200#1894FIPS approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
                  +
                  +Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
                  + + +\[15\] Applies only to Home and Pro + +**Windows 7** + +Validated Editions: Windows 7, Windows 7 SP1 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)

                  6.1.7600.16385

                  +

                  6.1.7601.17514

                  1329FIPS approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 bits to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
                  +
                  +Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and); SHS (Cert.); Triple-DES (Cert.)
                  +
                  +Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
                  Kernel Mode Cryptographic Primitives Library (cng.sys)

                  6.1.7600.16385

                  +

                  6.1.7600.16915

                  +

                  6.1.7600.21092

                  +

                  6.1.7601.17514

                  +

                  6.1.7601.17725

                  +

                  6.1.7601.17919

                  +

                  6.1.7601.21861

                  +

                  6.1.7601.22076

                  1328FIPS approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 bits to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
                  +
                  +Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
                  Boot Manager

                  6.1.7600.16385

                  +

                  6.1.7601.17514

                  1319FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
                  +
                  +Other algorithms: MD5#1168 and); HMAC (Cert.); RSA (Cert.); SHS (Cert.)
                  +
                  +Other algorithms: MD5
                  Winload OS Loader (winload.exe)

                  6.1.7600.16385

                  +

                  6.1.7600.16757

                  +

                  6.1.7600.20897

                  +

                  6.1.7600.20916

                  +

                  6.1.7601.17514

                  +

                  6.1.7601.17556

                  +

                  6.1.7601.21655

                  +

                  6.1.7601.21675

                  1326FIPS approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
                  +
                  +Other algorithms: MD5
                  BitLocker™ Drive Encryption

                  6.1.7600.16385

                  +

                  6.1.7600.16429

                  +

                  6.1.7600.16757

                  +

                  6.1.7600.20536

                  +

                  6.1.7600.20873

                  +

                  6.1.7600.20897

                  +

                  6.1.7600.20916

                  +

                  6.1.7601.17514

                  +

                  6.1.7601.17556

                  +

                  6.1.7601.21634

                  +

                  6.1.7601.21655

                  +

                  6.1.7601.21675

                  1332FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
                  +
                  +Other algorithms: Elephant Diffuser
                  Code Integrity (CI.DLL)

                  6.1.7600.16385

                  +

                  6.1.7600.17122

                  +

                  6.1.7600.21320

                  +

                  6.1.7601.17514

                  +

                  6.1.7601.17950

                  +

                  6.1.7601.22108

                  1327FIPS approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
                  +
                  +Other algorithms: MD5
                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.1.7600.16385
                  +(no change in SP1)
                  1331FIPS approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
                  +
                  +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
                  Enhanced Cryptographic Provider (RSAENH.DLL)6.1.7600.16385
                  +(no change in SP1)
                  1330FIPS approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
                  +
                  +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
                  + + +##### Windows Vista SP1 + +Validated Editions: Ultimate Edition + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Boot Manager (bootmgr)6.0.6001.18000 and 6.0.6002.18005978FIPS approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753)
                  Winload OS Loader (winload.exe)6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596979FIPS approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
                  +
                  +Other algorithms: MD5
                  Code Integrity (ci.dll)6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005980FIPS approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
                  +
                  +Other algorithms: MD5
                  Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228691000

                  FIPS approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and); ECDSA (Cert.); HMAC (Cert.); RNG (Cert.  and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)

                  +

                  Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

                  Cryptographic Primitives Library (bcrypt.dll)6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228721001

                  FIPS approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)

                  +

                  Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)

                  Enhanced Cryptographic Provider (RSAENH)6.0.6001.22202 and 6.0.6002.180051002

                  FIPS approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)

                  +

                  Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6001.18000 and 6.0.6002.180051003

                  FIPS approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)

                  +

                  Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4

                  + + +##### Windows Vista + +Validated Editions: Ultimate Edition + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Enhanced Cryptographic Provider (RSAENH)6.0.6000.16386893FIPS approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
                  +
                  +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6000.16386894FIPS approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
                  +
                  +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
                  BitLocker™ Drive Encryption6.0.6000.16386947FIPS approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
                  +
                  +Other algorithms: Elephant Diffuser
                  Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067891FIPS approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
                  +
                  +Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 bits to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5
                  + + +##### Windows XP SP3 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Kernel Mode Cryptographic Module (FIPS.SYS)5.1.2600.5512997

                  FIPS approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)

                  +

                  Other algorithms: DES; MD5; HMAC MD5

                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.1.2600.5507990

                  FIPS approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)

                  +

                  Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4

                  Enhanced Cryptographic Provider (RSAENH)5.1.2600.5507989

                  FIPS approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)

                  +

                  Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits)

                  + + +##### Windows XP SP2 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  DSS/Diffie-Hellman Enhanced Cryptographic Provider5.1.2600.2133240

                  FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)

                  +

                  Other algorithms: DES (Cert. #66); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement)

                  Microsoft Enhanced Cryptographic Provider5.1.2600.2161238

                  FIPS approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

                  +

                  Other algorithms: DES (Cert. #156); RC2; RC4; MD5

                  + + +##### Windows XP SP1 + + ++++++ + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Microsoft Enhanced Cryptographic Provider5.1.2600.1029238

                  FIPS approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

                  +

                  Other algorithms: DES (Cert. #156); RC2; RC4; MD5

                  + + +##### Windows XP + + ++++++ + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Kernel Mode Cryptographic Module5.1.2600.0241

                  FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)

                  +

                  Other algorithms: DES (Cert. #89)

                  + + +##### Windows 2000 SP3 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Kernel Mode Cryptographic Module (FIPS.SYS)5.0.2195.1569106

                  FIPS approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

                  +

                  Other algorithms: DES (Certs. #89)

                  Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

                  (Base DSS: 5.0.2195.3665 [SP3])

                  +

                  (Base: 5.0.2195.3839 [SP3])

                  +

                  (DSS/DH Enh: 5.0.2195.3665 [SP3])

                  +

                  (Enh: 5.0.2195.3839 [SP3]

                  103

                  FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

                  +

                  Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

                  + + +##### Windows 2000 SP2 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Kernel Mode Cryptographic Module (FIPS.SYS)5.0.2195.1569106

                  FIPS approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

                  +

                  Other algorithms: DES (Certs. #89)

                  Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

                  (Base DSS:

                  +

                  5.0.2195.2228 [SP2])

                  +

                  (Base:

                  +

                  5.0.2195.2228 [SP2])

                  +

                  (DSS/DH Enh:

                  +

                  5.0.2195.2228 [SP2])

                  +

                  (Enh:

                  +

                  5.0.2195.2228 [SP2])

                  103

                  FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

                  +

                  Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

                  + + +##### Windows 2000 SP1 + + ++++++ + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

                  (Base DSS: 5.0.2150.1391 [SP1])

                  +

                  (Base: 5.0.2150.1391 [SP1])

                  +

                  (DSS/DH Enh: 5.0.2150.1391 [SP1])

                  +

                  (Enh: 5.0.2150.1391 [SP1])

                  103

                  FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

                  +

                  Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

                  + + +##### Windows 2000 + + ++++++ + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider5.0.2150.176

                  FIPS approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)

                  +

                  Other algorithms: DES (Certs. #65, 66, 67 and 68); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

                  + + +##### Windows 95 and Windows 98 + + ++++++ + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider5.0.1877.6 and 5.0.1877.775

                  FIPS approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed)

                  +

                  Other algorithms: DES (Certs. #61, 62, 63 and 64); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

                  + + +##### Windows NT 4.0 + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Base Cryptographic Provider5.0.1877.6 and 5.0.1877.768FIPS approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)
                  +
                  +Other algorithms: DES (Certs. #61, 62, 63 and 64); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)
                  + +## Modules used by Windows Server + +##### Windows Server 2019 (Version 1809) + +Validated Editions: Standard, Datacenter + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library10.0.17763#3197See Security Policy and Certificate page for algorithm information
                  Kernel Mode Cryptographic Primitives Library10.0.17763#3196See Security Policy and Certificate page for algorithm information
                  Code Integrity10.0.17763#3644See Security Policy and Certificate page for algorithm information
                  Windows OS Loader10.0.17763#3615See Security Policy and Certificate page for algorithm information
                  Secure Kernel Code Integrity10.0.17763#3651See Security Policy and Certificate page for algorithm information
                  BitLocker Dump Filter10.0.17763#3092See Security Policy and Certificate page for algorithm information
                  Boot Manager10.0.17763#3089See Security Policy and Certificate page for algorithm information
                  Virtual TPM10.0.17763#3690See Security Policy and Certificate page for algorithm information
                  + +##### Windows Server (Version 1803) + +Validated Editions: Standard, Datacenter + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library10.0.17134#3197See Security Policy and Certificate page for algorithm information
                  Kernel Mode Cryptographic Primitives Library10.0.17134#3196See Security Policy and Certificate page for algorithm information
                  Code Integrity10.0.17134#3195See Security Policy and Certificate page for algorithm information
                  Windows OS Loader10.0.17134#3480See Security Policy and Certificate page for algorithm information
                  Secure Kernel Code Integrity10.0.17134#3096See Security Policy and Certificate page for algorithm information
                  BitLocker Dump Filter10.0.17134#3092See Security Policy and Certificate page for algorithm information
                  Boot Manager10.0.17134#3089See Security Policy and Certificate page for algorithm information
                  + +##### Windows Server (Version 1709) + +Validated Editions: Standard, Datacenter + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library10.0.16299#3197See Security Policy and Certificate page for algorithm information
                  Kernel Mode Cryptographic Primitives Library10.0.16299#3196See Security Policy and Certificate page for algorithm information
                  Code Integrity10.0.16299#3195See Security Policy and Certificate page for algorithm information
                  Windows OS Loader10.0.16299#3194See Security Policy and Certificate page for algorithm information
                  Secure Kernel Code Integrity10.0.16299#3096See Security Policy and Certificate page for algorithm information
                  BitLocker Dump Filter10.0.16299#3092See Security Policy and Certificate page for algorithm information
                  Windows Resume10.0.16299#3091See Security Policy and Certificate page for algorithm information
                  Boot Manager10.0.16299#3089See Security Policy and Certificate page for algorithm information
                  + +##### Windows Server 2016 + +Validated Editions: Standard, Datacenter, Storage Server + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.143932937FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
                  +
                  +Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
                  Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.143932936FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
                  +
                  +Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
                  Boot Manager10.0.143932931

                  FIPS approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

                  +

                  Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

                  BitLocker® Windows OS Loader (winload)10.0.143932932FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
                  +
                  +Other algorithms: NDRNG; MD5
                  BitLocker® Windows Resume (winresume)10.0.143932933FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
                  +
                  +Other algorithms: MD5
                  BitLocker® Dump Filter (dumpfve.sys)10.0.143932934FIPS approved algorithms: AES (Certs. #4061 and #4064)
                  Code Integrity (ci.dll)10.0.143932935FIPS approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
                  +
                  +Other algorithms: AES (non-compliant); MD5
                  Secure Kernel Code Integrity (skci.dll)10.0.143932938FIPS approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
                  +
                  +Other algorithms: MD5
                  + + +##### Windows Server 2012 R2 + +Validated Editions: Server, Storage Server, + +**StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)6.3.9600 6.3.9600.170312357FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
                  +
                  +Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
                  Kernel Mode Cryptographic Primitives Library (cng.sys)6.3.9600 6.3.9600.170422356FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
                  +
                  +Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
                  Boot Manager6.3.9600 6.3.9600.170312351FIPS approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
                  +
                  +Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
                  BitLocker® Windows OS Loader (winload)6.3.9600 6.3.9600.170312352FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
                  +
                  +Other algorithms: MD5; NDRNG
                  BitLocker® Windows Resume (winresume)[16]6.3.9600 6.3.9600.170312353FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
                  +
                  +Other algorithms: MD5
                  BitLocker® Dump Filter (dumpfve.sys)[17]6.3.9600 6.3.9600.170312354FIPS approved algorithms: AES (Cert. #2832)
                  +
                  +Other algorithms: N/A
                  Code Integrity (ci.dll)6.3.9600 6.3.9600.170312355FIPS approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
                  +
                  +Other algorithms: MD5
                  + + +\[16\] Doesn't apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** + +\[17\] Doesn't apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** + +**Windows Server 2012** + +Validated Editions: Server, Storage Server + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)6.2.92001892FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
                  +
                  +Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert.); HMAC (Cert. #); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
                  +
                  +Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
                  Kernel Mode Cryptographic Primitives Library (cng.sys)6.2.92001891FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
                  +
                  +Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
                  +
                  +Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
                  Boot Manager6.2.92001895FIPS approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
                  +
                  +Other algorithms: MD5
                  BitLocker® Windows OS Loader (WINLOAD)6.2.92001896FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
                  +
                  +Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
                  BitLocker® Windows Resume (WINRESUME)6.2.92001898FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
                  +
                  +Other algorithms: MD5
                  BitLocker® Dump Filter (DUMPFVE.SYS)6.2.92001899FIPS approved algorithms: AES (Certs. #2196 and #2198)
                  +
                  +Other algorithms: N/A
                  Code Integrity (CI.DLL)6.2.92001897FIPS approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
                  +
                  +Other algorithms: MD5
                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.2.92001893FIPS approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
                  +
                  +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
                  Enhanced Cryptographic Provider (RSAENH.DLL)6.2.92001894FIPS approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
                  +
                  +Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
                  + + +##### Windows Server 2008 R2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Boot Manager (bootmgr)6.1.7600.16385 or 6.1.7601.175141321FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
                  +
                  +Other algorithms: MD5
                  Winload OS Loader (winload.exe)6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216751333FIPS approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
                  +
                  +Other algorithms: MD5
                  Code Integrity (ci.dll)6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221081334FIPS approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
                  +
                  +Other algorithms: MD5
                  Kernel Mode Cryptographic Primitives Library (cng.sys)6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220761335FIPS approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 bits and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
                  +
                  +-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
                  Cryptographic Primitives Library (bcryptprimitives.dll)66.1.7600.16385 or 6.1.7601.175141336FIPS approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 bits and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
                  +
                  +Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4
                  Enhanced Cryptographic Provider (RSAENH)6.1.7600.163851337FIPS approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
                  +
                  +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.1.7600.163851338FIPS approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
                  +
                  +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
                  BitLocker™ Drive Encryption6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216751339FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
                  +
                  +Other algorithms: Elephant Diffuser
                  + + +##### Windows Server 2008 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Boot Manager (bootmgr)6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224971004FIPS approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)
                  +
                  +Other algorithms: N/A
                  Winload OS Loader (winload.exe)6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225961005FIPS approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
                  +
                  +Other algorithms: MD5
                  Code Integrity (ci.dll)6.0.6001.18000 and 6.0.6002.180051006FIPS approved algorithms: RSA (Cert. #355); SHS (Cert. #753)
                  +
                  +Other algorithms: MD5
                  Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228691007FIPS approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
                  +
                  +Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert.); RNG (Cert.  and SP800-90 AES-CTR, vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
                  +
                  +Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
                  Cryptographic Primitives Library (bcrypt.dll)6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228721008FIPS approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
                  +
                  +Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)
                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6001.18000 and 6.0.6002.180051009FIPS approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
                  +
                  +-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
                  Enhanced Cryptographic Provider (RSAENH)6.0.6001.22202 and 6.0.6002.180051010FIPS approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
                  +
                  +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
                  + + +##### Windows Server 2003 SP2 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.3959875

                  FIPS approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)

                  +

                  Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4

                  Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.3959869

                  FIPS approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)

                  +

                  Other algorithms: DES; HMAC-MD5

                  Enhanced Cryptographic Provider (RSAENH)5.2.3790.3959868

                  FIPS approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)

                  +

                  Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

                  + + +##### Windows Server 2003 SP1 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.1830 [SP1]405

                  FIPS approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

                  +

                  Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

                  +

                  [1] x86
                  +[2] SP1 x86, x64, IA64

                  Enhanced Cryptographic Provider (RSAENH)5.2.3790.1830 [Service Pack 1])382

                  FIPS approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

                  +

                  Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

                  +

                  [1] x86
                  +[2] SP1 x86, x64, IA64

                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.1830 [Service Pack 1]381

                  FIPS approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

                  +

                  Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

                  +

                  [1] x86
                  +[2] SP1 x86, x64, IA64

                  + + +##### Windows Server 2003 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.0405

                  FIPS approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

                  +

                  Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

                  +

                  [1] x86
                  +[2] SP1 x86, x64, IA64

                  Enhanced Cryptographic Provider (RSAENH)5.2.3790.0382

                  FIPS approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

                  +

                  Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

                  +

                  [1] x86
                  +[2] SP1 x86, x64, IA64

                  Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.0381

                  FIPS approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

                  +

                  Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

                  +

                  [1] x86
                  +[2] SP1 x86, x64, IA64

                  + + +#### Other Products + +##### Windows Embedded Compact 7 and Windows Embedded Compact 8 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Enhanced Cryptographic Provider7.00.2872 [1] and 8.00.6246 [2]2957

                  FIPS approved algorithms: AES (Certs.#4433and#4434); CKG (vendor affirmed); DRBG (Certs.#1432and#1433); HMAC (Certs.#2946and#2945); RSA (Certs.#2414and#2415); SHS (Certs.#3651and#3652); Triple-DES (Certs.#2383and#2384)

                  +

                  Allowed algorithms: HMAC-MD5, MD5, NDRNG

                  Cryptographic Primitives Library (bcrypt.dll)7.00.2872 [1] and 8.00.6246 [2]2956

                  FIPS approved algorithms: AES (Certs.#4430and#4431); CKG (vendor affirmed); CVL (Certs.#1139and#1140); DRBG (Certs.#1429and#1430); DSA (Certs.#1187and#1188); ECDSA (Certs.#1072and#1073); HMAC (Certs.#2942and#2943); KAS (Certs.#114and#115); RSA (Certs.#2411and#2412); SHS (Certs.#3648and#3649); Triple-DES (Certs.#2381and#2382)

                  +

                  Allowed algorithms: MD5, NDRNG, RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength

                  + + + +##### Windows CE 6.0 and Windows Embedded Compact 7 + + ++++++ + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Enhanced Cryptographic Provider6.00.1937 [1] and 7.00.1687 [2]825

                  FIPS approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])

                  +

                  Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES

                  + + +##### Outlook Cryptographic Provider + + ++++++ + + + + + + + + + + + + + + +
                  Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                  Outlook Cryptographic Provider (EXCHCSP)SR-1A (3821)110

                  FIPS approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)

                  +

                  Other algorithms: DES (Certs. #91); DES MAC; RC2; MD2; MD5

                  + + + +### Cryptographic Algorithms + +The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation Program (CAVP) issued certificate. + +### Advanced Encryption Standard (AES) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #
                    +
                  • AES-CBC:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-CFB128:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-CTR:
                  • +
                    • +
                    • Counter Source: Internal
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-OFB:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +

                  Microsoft Surface Hub Virtual TPM Implementations #4904

                  +

                  Version 10.0.15063.674

                    +
                  • AES-CBC:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-CFB128:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-CTR:
                  • +
                    • +
                    • Counter Source: Internal
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-OFB:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #4903

                  +

                  Version 10.0.16299

                    +
                  • AES-CBC:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-CCM:
                  • +
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                    • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
                    • +
                    • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
                    • +
                    • Plain Text Length: 0-32
                    • +
                    • Additional authenticated data length: 0-65536
                    • +
                  • +
                  • AES-CFB128:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-CFB8:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-CMAC:
                  • +
                    • +
                    • Generation:
                    • +
                      • +
                      • AES-128:
                      • +
                        • +
                        • Block Sizes: Full, Partial
                        • +
                        • Message Length: 0-65536
                        • +
                        • Tag Length: 16-16
                        • +
                      • +
                      • AES-192:
                      • +
                        • +
                        • Block Sizes: Full, Partial
                        • +
                        • Message Length: 0-65536
                        • +
                        • Tag Length: 16-16
                        • +
                      • +
                      • AES-256:
                      • +
                        • +
                        • Block Sizes: Full, Partial
                        • +
                        • Message Length: 0-65536
                        • +
                        • Tag Length: 16-16
                        • +
                      • +
                    • +
                    • Verification:
                    • +
                      • +
                      • AES-128:
                      • +
                        • +
                        • Block Sizes: Full, Partial
                        • +
                        • Message Length: 0-65536
                        • +
                        • Tag Length: 16-16
                        • +
                      • +
                      • AES-192:
                      • +
                        • +
                        • Block Sizes: Full, Partial
                        • +
                        • Message Length: 0-65536
                        • +
                        • Tag Length: 16-16
                        • +
                      • +
                      • AES-256:
                      • +
                        • +
                        • Block Sizes: Full, Partial
                        • +
                        • Message Length: 0-65536
                        • +
                        • Tag Length: 16-16
                        • +
                      • +
                    • +
                  • +
                  • AES-CTR:
                  • +
                    • +
                    • Counter Source: Internal
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-ECB:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-GCM:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
                    • +
                    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
                    • +
                    • Additional authenticated data lengths: 0, 8, 1016, 1024 (bits)
                    • +
                    • 96 bit IV supported
                    • +
                  • +
                  • AES-XTS:
                  • +
                    • +
                    • Key Size: 128:
                    • +
                      • +
                      • Modes: Decrypt, Encrypt
                      • +
                      • Block Sizes: Full
                      • +
                    • +
                    • Key Size: 256:
                    • +
                      • +
                      • Modes: Decrypt, Encrypt
                      • +
                      • Block Sizes: Full
                      • +
                    • +
                  • +

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #4902

                  +

                  Version 10.0.15063.674

                    +
                  • AES-CBC:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-CCM:
                  • +
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                    • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
                    • +
                    • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
                    • +
                    • Plain Text Length: 0-32
                    • +
                    • Additional authenticated data length: 0-65536
                    • +
                  • +
                  • AES-CFB128:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-CFB8:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-CMAC:
                  • +
                    • +
                    • Generation:
                    • +
                      • +
                      • AES-128:
                      • +
                        • +
                        • Block Sizes: Full, Partial
                        • +
                        • Message Length: 0-65536
                        • +
                        • Tag Length: 16-16
                        • +
                      • +
                      • AES-192:
                      • +
                        • +
                        • Block Sizes: Full, Partial
                        • +
                        • Message Length: 0-65536
                        • +
                        • Tag Length: 16-16
                        • +
                      • +
                      • AES-256:
                      • +
                        • +
                        • Block Sizes: Full, Partial
                        • +
                        • Message Length: 0-65536
                        • +
                        • Tag Length: 16-16
                        • +
                      • +
                    • +
                    • Verification:
                    • +
                      • +
                      • AES-128:
                      • +
                        • +
                        • Block Sizes: Full, Partial
                        • +
                        • Message Length: 0-65536
                        • +
                        • Tag Length: 16-16
                        • +
                      • +
                      • AES-192:
                      • +
                        • +
                        • Block Sizes: Full, Partial
                        • +
                        • Message Length: 0-65536
                        • +
                        • Tag Length: 16-16
                        • +
                      • +
                      • AES-256:
                      • +
                        • +
                        • Block Sizes: Full, Partial
                        • +
                        • Message Length: 0-65536
                        • +
                        • Tag Length: 16-16
                        • +
                      • +
                    • +
                  • +
                  • AES-CTR:
                  • +
                    • +
                    • Counter Source: Internal
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-ECB:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-GCM:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
                    • +
                    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
                    • +
                    • Additional authenticated data lengths: 0, 8, 1016, 1024 (bits)
                    • +
                    • 96 bit IV supported
                    • +
                  • +
                  • AES-XTS:
                  • +
                    • +
                    • Key Size: 128:
                    • +
                      • +
                      • Modes: Decrypt, Encrypt
                      • +
                      • Block Sizes: Full
                      • +
                    • +
                    • Key Size: 256:
                    • +
                      • +
                      • Modes: Decrypt, Encrypt
                      • +
                      • Block Sizes: Full
                      • +
                    • +
                  • +

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4901

                  +

                  Version 10.0.15254

                    +
                  • AES-CBC:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-CCM:
                  • +
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                    • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
                    • +
                    • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
                    • +
                    • Plain Text Length: 0-32
                    • +
                    • Additional authenticated data length: 0-65536
                    • +
                  • +
                  • AES-CFB128:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-CFB8:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-CMAC:
                  • +
                    • +
                    • Generation:
                    • +
                      • +
                      • AES-128:
                      • +
                        • +
                        • Block Sizes: Full, Partial
                        • +
                        • Message Length: 0-65536
                        • +
                        • Tag Length: 16-16
                        • +
                      • +
                      • AES-192:
                      • +
                        • +
                        • Block Sizes: Full, Partial
                        • +
                        • Message Length: 0-65536
                        • +
                        • Tag Length: 16-16
                        • +
                      • +
                      • AES-256:
                      • +
                        • +
                        • Block Sizes: Full, Partial
                        • +
                        • Message Length: 0-65536
                        • +
                        • Tag Length: 16-16
                        • +
                      • +
                    • +
                    • Verification:
                    • +
                      • +
                      • AES-128:
                      • +
                        • +
                        • Block Sizes: Full, Partial
                        • +
                        • Message Length: 0-65536
                        • +
                        • Tag Length: 16-16
                        • +
                      • +
                      • AES-192:
                      • +
                        • +
                        • Block Sizes: Full, Partial
                        • +
                        • Message Length: 0-65536
                        • +
                        • Tag Length: 16-16
                        • +
                      • +
                      • AES-256:
                      • +
                        • +
                        • Block Sizes: Full, Partial
                        • +
                        • Message Length: 0-65536
                        • +
                        • Tag Length: 16-16
                        • +
                      • +
                    • +
                  • +
                  • AES-CTR:
                  • +
                    • +
                    • Counter Source: Internal
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-ECB:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                  • +
                  • AES-GCM:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • IV Generation: External
                    • +
                    • Key Lengths: 128, 192, 256 (bits)
                    • +
                    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
                    • +
                    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
                    • +
                    • Additional authenticated data lengths: 0, 8, 1016, 1024 (bits)
                    • +
                    • 96 bit IV supported
                    • +
                  • +
                  • AES-XTS:
                  • +
                    • +
                    • Key Size: 128:
                    • +
                      • +
                      • Modes: Decrypt, Encrypt
                      • +
                      • Block Sizes: Full
                      • +
                    • +
                    • Key Size: 256:
                    • +
                      • +
                      • Modes: Decrypt, Encrypt
                      • +
                      • Block Sizes: Full
                      • +
                    • +
                  • +

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897

                  +

                  Version 10.0.16299

                  AES-KW:

                  +
                    +
                  • Modes: Decrypt, Encrypt
                  • +
                  • CIPHK transformation direction: Forward
                  • +
                  • Key Lengths: 128, 192, 256 (bits)
                  • +
                  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
                  • +
                  +

                  AES validation number 4902

                  Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #4900

                  +

                  Version 10.0.15063.674

                  AES-KW:

                  +
                    +
                  • Modes: Decrypt, Encrypt
                  • +
                  • CIPHK transformation direction: Forward
                  • +
                  • Key Lengths: 128, 192, 256 (bits)
                  • +
                  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
                  • +
                  +

                  AES validation number 4901

                  Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #4899

                  +

                  Version 10.0.15254

                  AES-KW:

                  +
                    +
                  • Modes: Decrypt, Encrypt
                  • +
                  • CIPHK transformation direction: Forward
                  • +
                  • Key Lengths: 128, 192, 256 (bits)
                  • +
                  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
                  • +
                  +

                  AES validation number 4897

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898

                  +

                  Version 10.0.16299

                  AES-CCM:

                  +
                    +
                  • Key Lengths: 256 (bits)
                  • +
                  • Tag Lengths: 128 (bits)
                  • +
                  • IV Lengths: 96 (bits)
                  • +
                  • Plain Text Length: 0-32
                  • +
                  • Additional authenticated data length: 0-65536
                  • +
                  +

                  AES validation number 4902

                  Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896

                  +

                  Version 10.0.15063.674

                  AES-CCM:

                  +
                    +
                  • Key Lengths: 256 (bits)
                  • +
                  • Tag Lengths: 128 (bits)
                  • +
                  • IV Lengths: 96 (bits)
                  • +
                  • Plain Text Length: 0-32
                  • +
                  • Additional authenticated data length: 0-65536
                  • +
                  +

                  AES validation number 4901

                  Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895

                  +

                  Version 10.0.15254

                  AES-CCM:

                  +
                    +
                  • Key Lengths: 256 (bits)
                  • +
                  • Tag Lengths: 128 (bits)
                  • +
                  • IV Lengths: 96 (bits)
                  • +
                  • Plain Text Length: 0-32
                  • +
                  • Additional authenticated data length: 0-65536
                  • +
                  +

                  AES validation number 4897

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894

                  +

                  Version 10.0.16299

                  CBC (e/d; 128, 192, 256);

                  +

                  CFB128 (e/d; 128, 192, 256);

                  +

                  OFB (e/d; 128, 192, 256);

                  +

                  CTR (int only; 128, 192, 256)

                  Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627

                  +

                  Version 10.0.15063

                  KW (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

                  +

                  AES validation number 4624

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626

                  +

                  Version 10.0.15063

                  CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                  +

                  AES validation number 4624

                  +

                   

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625

                  +

                  Version 10.0.15063

                  ECB (e/d; 128, 192, 256);

                  +

                  CBC (e/d; 128, 192, 256);

                  +

                  CFB8 (e/d; 128, 192, 256);

                  +

                  CFB128 (e/d; 128, 192, 256);

                  +

                  CTR (int only; 128, 192, 256)

                  +

                  CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

                  +

                  CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)

                  +

                  GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

                  +

                  (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)

                  +

                  IV Generated: (External); PT Lengths Tested: (0, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 1024, 8, 1016); 96 bit IV supported

                  +

                  GMAC supported

                  +

                  XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624

                  +

                  Version 10.0.15063

                  ECB (e/d; 128, 192, 256);

                  +

                  CBC (e/d; 128, 192, 256);

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434

                  +

                  Version 7.00.2872

                  ECB (e/d; 128, 192, 256);

                  +

                  CBC (e/d; 128, 192, 256);

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433

                  +

                  Version 8.00.6246

                  ECB (e/d; 128, 192, 256);

                  +

                  CBC (e/d; 128, 192, 256);

                  +

                  CTR (int only; 128, 192, 256)

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431

                  +

                  Version 7.00.2872

                  ECB (e/d; 128, 192, 256);

                  +

                  CBC (e/d; 128, 192, 256);

                  +

                  CTR (int only; 128, 192, 256)

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430

                  +

                  Version 8.00.6246

                  CBC (e/d; 128, 192, 256);

                  +

                  CFB128 (e/d; 128, 192, 256);

                  +

                  OFB (e/d; 128, 192, 256);

                  +

                  CTR (int only; 128, 192, 256)

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074

                  +

                  Version 10.0.14393

                  ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)

                  +

                  CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

                  +

                  CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

                  +

                  GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
                  +(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
                  +IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported
                  +GMAC supported

                  +

                  XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064

                  +

                  Version 10.0.14393

                  ECB (e/d; 128, 192, 256);

                  +

                  CBC (e/d; 128, 192, 256);

                  +

                  CFB8 (e/d; 128, 192, 256);

                  +

                   

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
                  +Version 10.0.14393

                  KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 192, 256, 320, 2048)

                  +

                  AES validation number 4064

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062

                  +

                  Version 10.0.14393

                  CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                  +

                  AES validation number 4064

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061

                  +

                  Version 10.0.14393

                  KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

                  +

                  AES validation number 3629

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652

                  +

                  Version 10.0.10586

                  CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                  +

                  AES validation number 3629

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653

                  +

                  Version 10.0.10586

                  ECB (e/d; 128, 192, 256);

                  +

                  CBC (e/d; 128, 192, 256);

                  +

                  CFB8 (e/d; 128, 192, 256);

                  +

                   

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
                  +Version 10.0.10586

                  ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)

                  +

                  CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

                  +

                  CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

                  +

                  GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
                  +(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
                  +IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported
                  +GMAC supported

                  +

                  XTS((KS: XTS_128((e/d) (f)) KS: XTS_256((e/d) (f))

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629
                  +
                  +

                  +

                  Version 10.0.10586

                  KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

                  +

                  AES validation number 3497

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507

                  +

                  Version 10.0.10240

                  CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                  +

                  AES validation number 3497

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498

                  +

                  Version 10.0.10240

                  ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)

                  +

                  CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

                  +

                  CMAC(Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

                  +

                  GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
                  +(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
                  +IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested:  (0, 0); 96 bit IV supported
                  +GMAC supported

                  +

                  XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
                  +Version 10.0.10240

                  ECB (e/d; 128, 192, 256);

                  +

                  CBC (e/d; 128, 192, 256);

                  +

                  CFB8 (e/d; 128, 192, 256);

                  +

                   

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
                  +Version 10.0.10240

                  ECB (e/d; 128, 192, 256);

                  +

                  CBC (e/d; 128, 192, 256);

                  +

                  CFB8 (e/d; 128, 192, 256);

                  +

                   

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853

                  +

                  Version 6.3.9600

                  CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                  +

                  AES validation number 2832

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BitLocker Cryptographic Implementations #2848

                  +

                  Version 6.3.9600

                  CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 0 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

                  +

                  CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

                  +

                  GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

                  +

                  (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)

                  +

                  IV Generated:  (Externally); PT Lengths Tested:  (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 128, 1024, 8, 1016); IV Lengths Tested:  (8, 1024); 96 bit IV supported;
                  +OtherIVLen_Supported
                  +GMAC supported

                  Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

                  +

                  Version 6.3.9600

                  CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
                  +AES validation number 2197

                  +

                  CMAC (Generation/Verification) (KS: 128; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)
                  +AES validation number 2197

                  +

                  GCM(KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
                  +(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
                  +IV Generated: (Externally); PT Lengths Tested: (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 128, 1024, 8, 1016); IV Lengths Tested: (8, 1024); 96 bit IV supported
                  +GMAC supported

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216

                  CCM (KS: 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

                  +

                  AES validation number 2196

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198

                  ECB (e/d; 128, 192, 256);

                  +

                  CBC (e/d; 128, 192, 256);

                  +

                  CFB8 (e/d; 128, 192, 256);

                  +

                  CFB128 (e/d; 128, 192, 256);

                  +

                  CTR (int only; 128, 192, 256)

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197

                  ECB (e/d; 128, 192, 256);

                  +

                  CBC (e/d; 128, 192, 256);

                  +

                  CFB8 (e/d; 128, 192, 256);

                  +

                   

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196
                  CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 – 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
                  +AES validation number 1168

                  Windows Server 2008 R2 and SP1 CNG algorithms #1187

                  +

                  Windows 7 Ultimate and SP1 CNG algorithms #1178

                  CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16)
                  +AES validation number 1168
                  Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177

                  ECB (e/d; 128, 192, 256);

                  +

                  CBC (e/d; 128, 192, 256);

                  +

                  CFB8 (e/d; 128, 192, 256);

                  +

                   

                  Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168

                  GCM

                  +

                  GMAC

                  Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168, vendor-affirmed
                  CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16)Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760
                  CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 1 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

                  Windows Server 2008 CNG algorithms #757

                  +

                  Windows Vista Ultimate SP1 CNG algorithms #756

                  CBC (e/d; 128, 256);

                  +

                  CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16)

                  Windows Vista Ultimate BitLocker Drive Encryption #715

                  +

                  Windows Vista Ultimate BitLocker Drive Encryption #424

                  ECB (e/d; 128, 192, 256);

                  +

                  CBC (e/d; 128, 192, 256);

                  +

                  CFB8 (e/d; 128, 192, 256);

                  Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739

                  +

                  Windows Vista Symmetric Algorithm Implementation #553

                  ECB (e/d; 128, 192, 256);

                  +

                  CBC (e/d; 128, 192, 256);

                  +

                  CTR (int only; 128, 192, 256)

                  Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023

                  ECB (e/d; 128, 192, 256);

                  +

                  CBC (e/d; 128, 192, 256);

                  Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024

                  +

                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818

                  +

                  Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781

                  +

                  Windows 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #548

                  +

                  Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #516

                  +

                  Windows CE and Windows Mobile 6, 6.1, and 6.5 Enhanced Cryptographic Provider (RSAENH) #507

                  +

                  Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #290

                  +

                  Windows CE 5.0 and 5.1 Enhanced Cryptographic Provider (RSAENH) #224

                  +

                  Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #80

                  +

                  Windows XP, SP1, and SP2 Enhanced Cryptographic Provider (RSAENH) #33

                  + + +### Deterministic Random Bit Generator (DRBG) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #
                    +
                  • Counter:
                  • +
                    • +
                    • Modes: AES-256
                    • +
                    • Derivation Function States: Derivation Function not used
                    • +
                    • Prediction Resistance Modes: Not Enabled
                    • +
                  • +
                  +

                  Prerequisite: AES #4904

                  Microsoft Surface Hub Virtual TPM Implementations #1734

                  +

                  Version 10.0.15063.674

                    +
                  • Counter:
                  • +
                    • +
                    • Modes: AES-256
                    • +
                    • Derivation Function States: Derivation Function not used
                    • +
                    • Prediction Resistance Modes: Not Enabled
                    • +
                  • +
                  +

                  Prerequisite: AES #4903

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733

                  +

                  Version 10.0.16299

                    +
                  • Counter:
                  • +
                    • +
                    • Modes: AES-256
                    • +
                    • Derivation Function States: Derivation Function used
                    • +
                    • Prediction Resistance Modes: Not Enabled
                    • +
                  • +
                  +

                  Prerequisite: AES #4902

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #1732

                  +

                  Version 10.0.15063.674

                    +
                  • Counter:
                  • +
                    • +
                    • Modes: AES-256
                    • +
                    • Derivation Function States: Derivation Function used
                    • +
                    • Prediction Resistance Modes: Not Enabled
                    • +
                  • +
                  +

                  Prerequisite: AES #4901

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1731

                  +

                  Version 10.0.15254

                    +
                  • Counter:
                  • +
                    • +
                    • Modes: AES-256
                    • +
                    • Derivation Function States: Derivation Function used
                    • +
                    • Prediction Resistance Modes: Not Enabled
                    • +
                  • +
                  +

                  Prerequisite: AES #4897

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730

                  +

                  Version 10.0.16299

                  CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4627)]

                  Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556

                  +

                  Version 10.0.15063

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 4624)]

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555

                  +

                  Version 10.0.15063

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4434)]

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433

                  +

                  Version 7.00.2872

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4433)]

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432

                  +

                  Version 8.00.6246

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4431)]

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430

                  +

                  Version 7.00.2872

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4430)]

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429

                  +

                  Version 8.00.6246

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4074)]

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

                  +

                  Version 10.0.14393

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 4064)]

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217

                  +

                  Version 10.0.14393

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 3629)]

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955

                  +

                  Version 10.0.10586

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 3497)]

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868

                  +

                  Version 10.0.10240

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 2832)]

                  Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

                  +

                  Version 6.3.9600

                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 2197)]Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258
                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 2023)]Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193
                  CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 1168)]Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23
                  DRBG (SP 800–90)Windows Vista Ultimate SP1, vendor-affirmed
                  + + +#### Digital Signature Algorithm (DSA) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #
                    +
                  • DSA:
                  • +
                    • +
                    • 186-4:
                    • +
                      • +
                      • PQGGen:
                      • +
                        • +
                        • L = 2048, N = 256 SHA: SHA-256
                        • +
                        • L = 3072, N = 256 SHA: SHA-256
                        • +
                      • +
                      • PQGVer:
                      • +
                        • +
                        • L = 2048, N = 256 SHA: SHA-256
                        • +
                        • L = 3072, N = 256 SHA: SHA-256
                        • +
                      • +
                      • SigGen:
                      • +
                        • +
                        • L = 2048, N = 256 SHA: SHA-256
                        • +
                        • L = 3072, N = 256 SHA: SHA-256
                        • +
                      • +
                      • SigVer:
                      • +
                        • +
                        • L = 2048, N = 256 SHA: SHA-256
                        • +
                        • L = 3072, N = 256 SHA: SHA-256
                        • +
                      • +
                      • KeyPair:
                      • +
                        • +
                        • L = 2048, N = 256
                        • +
                        • L = 3072, N = 256
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4011, DRBG #1732

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #1303

                  +

                  Version 10.0.15063.674

                    +
                  • DSA:
                  • +
                    • +
                    • 186-4:
                    • +
                      • +
                      • PQGGen:
                      • +
                        • +
                        • L = 2048, N = 256 SHA: SHA-256
                        • +
                        • L = 3072, N = 256 SHA: SHA-256
                        • +
                      • +
                      • PQGVer:
                      • +
                        • +
                        • L = 2048, N = 256 SHA: SHA-256
                        • +
                        • L = 3072, N = 256 SHA: SHA-256
                        • +
                      • +
                      • SigGen:
                      • +
                        • +
                        • L = 2048, N = 256 SHA: SHA-256
                        • +
                        • L = 3072, N = 256 SHA: SHA-256
                        • +
                      • +
                      • SigVer:
                      • +
                        • +
                        • L = 2048, N = 256 SHA: SHA-256
                        • +
                        • L = 3072, N = 256 SHA: SHA-256
                        • +
                      • +
                      • KeyPair:
                      • +
                        • +
                        •  
                        • +
                        •  
                        • +
                        • L = 2048, N = 256
                        • +
                        • L = 3072, N = 256
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4010, DRBG #1731

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1302

                  +

                  Version 10.0.15254

                    +
                  • DSA:
                  • +
                    • +
                    • 186-4:
                    • +
                      • +
                      • PQGGen:
                      • +
                        • +
                        • L = 2048, N = 256 SHA: SHA-256
                        • +
                        • L = 3072, N = 256 SHA: SHA-256
                        • +
                      • +
                      • PQGVer:
                      • +
                        • +
                        • L = 2048, N = 256 SHA: SHA-256
                        • +
                        • L = 3072, N = 256 SHA: SHA-256
                        • +
                      • +
                      • SigGen:
                      • +
                        • +
                        • L = 2048, N = 256 SHA: SHA-256
                        • +
                        • L = 3072, N = 256 SHA: SHA-256
                        • +
                      • +
                      • SigVer:
                      • +
                        • +
                        • L = 2048, N = 256 SHA: SHA-256
                        • +
                        • L = 3072, N = 256 SHA: SHA-256
                        • +
                      • +
                      • KeyPair:
                      • +
                        • +
                        • L = 2048, N = 256
                        • +
                        • L = 3072, N = 256
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4009, DRBG #1730

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301

                  +

                  Version 10.0.16299

                  FIPS186-4:

                  +

                  PQG(gen)PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]

                  +

                  PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

                  +

                  KeyPairGen:   [(2048,256); (3072,256)]

                  +

                  SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

                  +

                  SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

                  +

                  SHS: validation number 3790

                  +

                  DRBG: validation number 1555

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223

                  +

                  Version 10.0.15063

                  FIPS186-4:
                  +PQG(ver)PARMS TESTED:
                    [(1024,160) SHA(1)]
                  +SIG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
                  +SHS: validation number 3649

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188

                  +

                  Version 7.00.2872

                  FIPS186-4:
                  +PQG(ver)PARMS TESTED:
                    [(1024,160) SHA(1)]
                  +SIG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
                  +SHS: validation number 3648

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187

                  +

                  Version 8.00.6246

                  FIPS186-4:
                  +PQG(gen)
                  PARMS TESTED: [
                  +(2048,256)SHA(256); (3072,256) SHA(256)]
                  +PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
                  +KeyPairGen:    [(2048,256); (3072,256)]
                  +SIG(gen)PARMS TESTED:   [(2048,256)
                  +SHA(256); (3072,256) SHA(256)]
                  +SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

                  +

                  SHS: validation number 3347
                  +DRBG: validation number 1217

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098

                  +

                  Version 10.0.14393

                  FIPS186-4:
                  +PQG(gen)
                  PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)] PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
                  +KeyPairGen:    [(2048,256); (3072,256)] SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
                  +SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

                  +

                  SHS: validation number 3047
                  +DRBG: validation number 955

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024

                  +

                  Version 10.0.10586

                  FIPS186-4:
                  +PQG(gen)
                  PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]
                  +PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
                  +KeyPairGen:    [(2048,256); (3072,256)]
                  +SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)] SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

                  +

                  SHS: validation number 2886
                  +DRBG: validation number 868

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983

                  +

                  Version 10.0.10240

                  FIPS186-4:
                  +PQG(gen)
                  PARMS TESTED:   [
                  +(2048,256)SHA(256); (3072,256) SHA(256)]
                  +PQG(ver)PARMS TESTED:   [(2048,256)
                  +SHA(256); (3072,256) SHA(256)]
                  +KeyPairGen:    [(2048,256); (3072,256)]
                  +SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
                  +SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

                  +

                  SHS: validation number 2373
                  +DRBG: validation number 489

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

                  +

                  Version 6.3.9600

                  FIPS186-2:
                  +PQG(ver) MOD(1024);
                  +SIG(ver) MOD(1024);
                  +SHS: #1903
                  +DRBG: #258

                  +

                  FIPS186-4:
                  +PQG(gen)PARMS TESTED
                  : [(2048,256)SHA(256); (3072,256) SHA(256)]
                  +PQG(ver)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
                  +SIG(gen)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
                  +SIG(ver)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
                  +SHS: #1903
                  +DRBG: #258
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 687.

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687
                  FIPS186-2:
                  +PQG(ver)
                  MOD(1024);
                  +SIG(ver) MOD(1024);
                  +SHS: #1902
                  +DRBG: #258
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 686.
                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686
                  FIPS186-2:
                  +SIG(ver)
                  MOD(1024);
                  +SHS: validation number 1773
                  +DRBG: validation number 193
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 645.
                  Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645
                  FIPS186-2:
                  +SIG(ver)
                  MOD(1024);
                  +SHS: validation number 1081
                  +DRBG: validation number 23
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 391. See Historical DSA List validation number 386.

                  Windows Server 2008 R2 and SP1 CNG algorithms #391

                  +

                  Windows 7 Ultimate and SP1 CNG algorithms #386

                  FIPS186-2:
                  +SIG(ver)
                  MOD(1024);
                  +SHS: validation number 1081
                  +RNG: validation number 649
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 390. See Historical DSA List validation number 385.

                  Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390

                  +

                  Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385

                  FIPS186-2:
                  +SIG(ver)
                  MOD(1024);
                  +SHS: validation number 753
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 284. See Historical DSA List validation number 283.

                  Windows Server 2008 CNG algorithms #284

                  +

                  Windows Vista Ultimate SP1 CNG algorithms #283

                  FIPS186-2:
                  +SIG(ver)
                  MOD(1024);
                  +SHS: validation number 753
                  +RNG: validation number 435
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 282. See Historical DSA List validation number 281.

                  Windows Server 2008 Enhanced DSS (DSSENH) #282

                  +

                  Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281

                  FIPS186-2:
                  +SIG(ver)
                  MOD(1024);
                  +SHS: validation number 618
                  +RNG: validation number 321
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 227. See Historical DSA List validation number 226.

                  Windows Vista CNG algorithms #227

                  +

                  Windows Vista Enhanced DSS (DSSENH) #226

                  FIPS186-2:
                  +SIG(ver)
                  MOD(1024);
                  +SHS: validation number 784
                  +RNG: validation number 448
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 292.
                  Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292
                  FIPS186-2:
                  +SIG(ver)
                  MOD(1024);
                  +SHS: validation number 783
                  +RNG: validation number 447
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 291.
                  Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291
                  FIPS186-2:
                  +PQG(gen)
                  MOD(1024);
                  +PQG(ver) MOD(1024);
                  +KEYGEN(Y) MOD(1024);
                  +SIG(gen) MOD(1024);
                  +SIG(ver) MOD(1024);
                  +SHS: validation number 611
                  +RNG: validation number 314
                  Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221
                  FIPS186-2:
                  +PQG(gen)
                  MOD(1024);
                  +PQG(ver) MOD(1024);
                  +KEYGEN(Y) MOD(1024);
                  +SIG(gen) MOD(1024);
                  +SIG(ver) MOD(1024);
                  +SHS: validation number 385
                  Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146
                  FIPS186-2:
                  +PQG(ver)
                  MOD(1024);
                  +KEYGEN(Y) MOD(1024);
                  +SIG(gen) MOD(1024);
                  +SIG(ver) MOD(1024);
                  +SHS: validation number 181
                  +
                  +
                  Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95
                  FIPS186-2:
                  +PQG(gen)
                  MOD(1024);
                  +PQG(ver) MOD(1024);
                  +KEYGEN(Y) MOD(1024);
                  +SIG(gen) MOD(1024);
                  +SHS: SHA-1 (BYTE)
                  +SIG(ver) MOD(1024);
                  +SHS: SHA-1 (BYTE)

                  Windows 2000 DSSENH.DLL #29

                  +

                  Windows 2000 DSSBASE.DLL #28

                  +

                  Windows NT 4 SP6 DSSENH.DLL #26

                  +

                  Windows NT 4 SP6 DSSBASE.DLL #25

                  FIPS186-2: PRIME;
                  +FIPS186-2:

                  +

                  KEYGEN(Y):
                  +SHS: SHA-1 (BYTE)

                  +

                  SIG(gen):
                  +SIG(ver)
                  MOD(1024);
                  +SHS: SHA-1 (BYTE)

                  Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17
                  + + +#### Elliptic Curve Digital Signature Algorithm (ECDSA) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #
                    +
                  • ECDSA:
                  • +
                    • +
                    • 186-4:
                    • +
                      • +
                      • Key Pair Generation:
                      • +
                        • +
                        • Curves: P-256, P-384, P-521
                        • +
                        • Generation Methods: Extra Random Bits
                        • +
                      • +
                      • Public Key Validation:
                      • +
                        • +
                        • Curves: P-256, P-384, P-521
                        • +
                      • +
                      • Signature Generation:
                      • +
                        • +
                        • P-256 SHA: SHA-256
                        • +
                        • P-384 SHA: SHA-384
                        • +
                        • P-521 SHA: SHA-512
                        • +
                      • +
                      • Signature Verification:
                      • +
                        • +
                        • P-256 SHA: SHA-256
                        • +
                        • P-384 SHA: SHA-384
                        • +
                        • P-521 SHA: SHA-512
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #2373, DRBG #489

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263

                  +

                  Version 6.3.9600

                    +
                  • ECDSA:
                  • +
                    • +
                    • 186-4:
                    • +
                      • +
                      • Key Pair Generation:
                      • +
                        • +
                        • Curves: P-256, P-384
                        • +
                        • Generation Methods: Testing Candidates
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4011, DRBG #1734

                  Microsoft Surface Hub Virtual TPM Implementations #1253

                  +

                  Version 10.0.15063.674

                    +
                  • ECDSA:
                  • +
                    • +
                    • 186-4:
                    • +
                      • +
                      • Key Pair Generation:
                      • +
                        • +
                        • Curves: P-256, P-384
                        • +
                        • Generation Methods: Testing Candidates
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4009, DRBG #1733

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252

                  +

                  Version 10.0.16299

                    +
                  • ECDSA:
                  • +
                    • +
                    • 186-4:
                    • +
                      • +
                      • Key Pair Generation:
                      • +
                        • +
                        • Curves: P-256, P-384, P-521
                        • +
                        • Generation Methods: Extra Random Bits
                        • +
                      • +
                      • Public Key Validation:
                      • +
                        • +
                        • Curves: P-256, P-384, P-521
                        • +
                      • +
                      • Signature Generation:
                      • +
                        • +
                        • P-256 SHA: SHA-256
                        • +
                        • P-384 SHA: SHA-384
                        • +
                        • P-521 SHA: SHA-512
                        • +
                      • +
                      • Signature Verification:
                      • +
                        • +
                        • P-256 SHA: SHA-256
                        • +
                        • P-384 SHA: SHA-384
                        • +
                        • P-521 SHA: SHA-512
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4011, DRBG #1732

                  Microsoft Surface Hub MsBignum Cryptographic Implementations #1251

                  +

                  Version 10.0.15063.674

                    +
                  • ECDSA:
                  • +
                    • +
                    • 186-4:
                    • +
                      • +
                      • Key Pair Generation:
                      • +
                        • +
                        • Curves: P-256, P-384, P-521
                        • +
                        • Generation Methods: Extra Random Bits
                        • +
                      • +
                      • Public Key Validation:
                      • +
                        • +
                        • Curves: P-256, P-384, P-521
                        • +
                      • +
                      • Signature Generation:
                      • +
                        • +
                        • P-256 SHA: SHA-256
                        • +
                        • P-384 SHA: SHA-384
                        • +
                        • P-521 SHA: SHA-512
                        • +
                      • +
                      • Signature Verification:
                      • +
                        • +
                        • P-256 SHA: SHA-256
                        • +
                        • P-384 SHA: SHA-384
                        • +
                        • P-521 SHA: SHA-512
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4011, DRBG #1732

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #1250

                  +

                  Version 10.0.15063.674

                    +
                  • ECDSA:
                  • +
                    • +
                    • 186-4:
                    • +
                      • +
                      • Key Pair Generation:
                      • +
                        • +
                        • Curves: P-256, P-384, P-521
                        • +
                        • Generation Methods: Extra Random Bits
                        • +
                      • +
                      • Public Key Validation:
                      • +
                        • +
                        • Curves: P-256, P-384, P-521
                        • +
                      • +
                      • Signature Generation:
                      • +
                        • +
                        • P-256 SHA: SHA-256
                        • +
                        • P-384 SHA: SHA-384
                        • +
                        • P-521 SHA: SHA-512
                        • +
                      • +
                      • Signature Verification:
                      • +
                        • +
                        • P-256 SHA: SHA-256
                        • +
                        • P-384 SHA: SHA-384
                        • +
                        • P-521 SHA: SHA-512
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4010, DRBG #1731

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1249

                  +

                  Version 10.0.15254

                    +
                  • ECDSA:
                  • +
                    • +
                    • 186-4:
                    • +
                      • +
                      • Key Pair Generation:
                      • +
                        • +
                        • Curves: P-256, P-384, P-521
                        • +
                        • Generation Methods: Extra Random Bits
                        • +
                      • +
                      • Public Key Validation:
                      • +
                        • +
                        • Curves: P-256, P-384, P-521
                        • +
                      • +
                      • Signature Generation:
                      • +
                        • +
                        • P-256 SHA: SHA-256
                        • +
                        • P-384 SHA: SHA-384
                        • +
                        • P-521 SHA: SHA-512
                        • +
                      • +
                      • Signature Verification:
                      • +
                        • +
                        • P-256 SHA: SHA-256
                        • +
                        • P-384 SHA: SHA-384
                        • +
                        • P-521 SHA: SHA-512
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4010, DRBG #1731

                  Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1248

                  +

                  Version 10.0.15254

                    +
                  • ECDSA:
                  • +
                    • +
                    • 186-4:
                    • +
                      • +
                      • Key Pair Generation:
                      • +
                        • +
                        • Curves: P-256, P-384, P-521
                        • +
                        • Generation Methods: Extra Random Bits
                        • +
                      • +
                      • Public Key Validation:
                      • +
                        • +
                        • Curves: P-256, P-384, P-521
                        • +
                      • +
                      • Signature Generation:
                      • +
                        • +
                        • P-256 SHA: SHA-256
                        • +
                        • P-384 SHA: SHA-384
                        • +
                        • P-521 SHA: SHA-512
                        • +
                      • +
                      • Signature Verification:
                      • +
                        • +
                        • P-256 SHA: SHA-256
                        • +
                        • P-384 SHA: SHA-384
                        • +
                        • P-521 SHA: SHA-512
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4009, DRBG #1730

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247

                  +

                  Version 10.0.16299

                    +
                  • ECDSA:
                  • +
                    • +
                    • 186-4:
                    • +
                      • +
                      • Key Pair Generation:
                      • +
                        • +
                        • Curves: P-256, P-384, P-521
                        • +
                        • Generation Methods: Extra Random Bits
                        • +
                      • +
                      • Public Key Validation:
                      • +
                        • +
                        • Curves: P-256, P-384, P-521
                        • +
                      • +
                      • Signature Generation:
                      • +
                        • +
                        • P-256 SHA: SHA-256
                        • +
                        • P-384 SHA: SHA-384
                        • +
                        • P-521 SHA: SHA-512
                        • +
                      • +
                      • Signature Verification:
                      • +
                        • +
                        • P-256 SHA: SHA-256
                        • +
                        • P-384 SHA: SHA-384
                        • +
                        • P-521 SHA: SHA-512
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4009, DRBG #1730

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246

                  +

                  Version 10.0.16299

                  FIPS186-4:
                  +PKG: CURVES
                  (P-256 P-384 TestingCandidates)
                  +SHS: validation number 3790
                  +DRBG: validation number 1555

                  Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136

                  +

                  Version 10.0.15063

                  FIPS186-4:
                  +PKG: CURVES
                  (P-256 P-384 P-521 ExtraRandomBits)
                  +PKV: CURVES(P-256 P-384 P-521)
                  +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                  +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
                  +SHS: validation number 3790
                  +DRBG: validation number 1555

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135

                  +

                  Version 10.0.15063

                  FIPS186-4:
                  +PKG: CURVES
                  (P-256 P-384 P-521 ExtraRandomBits)
                  +PKV: CURVES(P-256 P-384 P-521)
                  +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                  +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
                  +SHS: validation number 3790
                  +DRBG: validation number 1555

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133

                  +

                  Version 10.0.15063

                  FIPS186-4:
                  +PKG: CURVES
                  (P-256 P-384 P-521 ExtraRandomBits)
                  +PKV: CURVES(P-256 P-384 P-521)
                  +SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  +SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))
                  +SHS:validation number 3649
                  +DRBG:validation number 1430

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073

                  +

                  Version 7.00.2872

                  FIPS186-4:
                  +PKG: CURVES
                  (P-256 P-384 P-521 ExtraRandomBits)
                  +PKV: CURVES(P-256 P-384 P-521)
                  +SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  +SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))
                  +SHS:validation number 3648
                  +DRBG:validation number 1429

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072

                  +

                  Version 8.00.6246

                  FIPS186-4:
                  +PKG: CURVES
                  (P-256 P-384 TestingCandidates)
                  +PKV: CURVES(P-256 P-384)
                  +SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  +SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384))

                  +

                  SHS: validation number 3347
                  +DRBG: validation number 1222

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

                  +

                  Version 10.0.14393

                  FIPS186-4:
                  +PKG: CURVES
                  (P-256 P-384 P-521 ExtraRandomBits)
                  +PKV: CURVES(P-256 P-384 P-521)
                  +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                  +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

                  +

                  SHS: validation number 3347
                  +DRBG: validation number 1217

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911

                  +

                  Version 10.0.14393

                  FIPS186-4:
                  +PKG: CURVES
                  (P-256 P-384 P-521 ExtraRandomBits)
                  +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                  +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

                  +

                  SHS: validation number 3047
                  +DRBG: validation number 955

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760

                  +

                  Version 10.0.10586

                  FIPS186-4:
                  +PKG: CURVES
                  (P-256 P-384 P-521 ExtraRandomBits)
                  +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                  +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

                  +

                  SHS: validation number 2886
                  +DRBG: validation number 868

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706

                  +

                  Version 10.0.10240

                  FIPS186-4:
                  +PKG: CURVES
                  (P-256 P-384 P-521 ExtraRandomBits)
                  +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                  +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

                  +

                  SHS: validation number 2373
                  +DRBG: validation number 489

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

                  +

                  Version 6.3.9600

                  FIPS186-2:
                  +PKG: CURVES
                  (P-256 P-384 P-521)
                  +SHS: #1903
                  +DRBG: #258
                  +SIG(ver): CURVES(P-256 P-384 P-521)
                  +SHS: #1903
                  +DRBG: #258

                  +

                  FIPS186-4:
                  +PKG: CURVES
                  (P-256 P-384 P-521 ExtraRandomBits)
                  +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                  +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
                  +SHS: #1903
                  +DRBG: #258
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 341.

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341

                  FIPS186-2:
                  +PKG: CURVES
                  (P-256 P-384 P-521)
                  +SHS: validation number 1773
                  +DRBG: validation number 193
                  +SIG(ver): CURVES(P-256 P-384 P-521)
                  +SHS: validation number 1773
                  +DRBG: validation number 193

                  +

                  FIPS186-4:
                  +PKG: CURVES
                  (P-256 P-384 P-521 ExtraRandomBits)
                  +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                  +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
                  +SHS: validation number 1773
                  +DRBG: validation number 193
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 295.

                  Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295
                  FIPS186-2:
                  +PKG: CURVES
                  (P-256 P-384 P-521)
                  +SHS: validation number 1081
                  +DRBG: validation number 23
                  +SIG(ver): CURVES(P-256 P-384 P-521)
                  +SHS: validation number 1081
                  +DRBG: validation number 23
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 142. See Historical ECDSA List validation number 141.

                  Windows Server 2008 R2 and SP1 CNG algorithms #142

                  +

                  Windows 7 Ultimate and SP1 CNG algorithms #141

                  FIPS186-2:
                  +PKG: CURVES
                  (P-256 P-384 P-521)
                  +SHS: validation number 753
                  +SIG(ver): CURVES(P-256 P-384 P-521)
                  +SHS: validation number 753
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 83. See Historical ECDSA List validation number 82.

                  Windows Server 2008 CNG algorithms #83

                  +

                  Windows Vista Ultimate SP1 CNG algorithms #82

                  FIPS186-2:
                  +PKG: CURVES
                  (P-256 P-384 P-521)
                  +SHS: validation number 618
                  +RNG: validation number 321
                  +SIG(ver): CURVES(P-256 P-384 P-521)
                  +SHS: validation number 618
                  +RNG: validation number 321
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 60.
                  Windows Vista CNG algorithms #60
                  + + +#### Keyed-Hash Message Authentication Code (HMAC) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #
                    +
                  • HMAC-SHA-1:
                  • +
                    • +
                    • Key Sizes &lt; Block Size
                    • +
                    • Key Sizes &gt; Block Size
                    • +
                    • Key Sizes = Block Size
                    • +
                  • +
                  • HMAC-SHA2-256:
                  • +
                    • +
                    • Key Sizes &lt; Block Size
                    • +
                    • Key Sizes &gt; Block Size
                    • +
                    • Key Sizes = Block Size
                    • +
                  • +
                  • HMAC-SHA2-384:
                  • +
                    • +
                    • Key Sizes &lt; Block Size
                    • +
                    • Key Sizes &gt; Block Size
                    • +
                    • Key Sizes = Block Size
                    • +
                  • +
                  +

                  Prerequisite: SHS #4011

                  Microsoft Surface Hub Virtual TPM Implementations #3271

                  +

                  Version 10.0.15063.674

                    +
                  • HMAC-SHA-1:
                  • +
                    • +
                    • Key Sizes &lt; Block Size
                    • +
                    • Key Sizes &gt; Block Size
                    • +
                    • Key Sizes = Block Size
                    • +
                  • +
                  • HMAC-SHA2-256:
                  • +
                    • +
                    • Key Sizes &lt; Block Size
                    • +
                    • Key Sizes &gt; Block Size
                    • +
                    • Key Sizes = Block Size
                    • +
                  • +
                  • HMAC-SHA2-384:
                  • +
                    • +
                    • Key Sizes &lt; Block Size
                    • +
                    • Key Sizes &gt; Block Size
                    • +
                    • Key Sizes = Block Size
                    • +
                  • +
                  +

                  Prerequisite: SHS #4009

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270

                  +

                  Version 10.0.16299

                    +
                  • HMAC-SHA-1:
                  • +
                    • +
                    • Key Sizes &lt; Block Size
                    • +
                    • Key Sizes &gt; Block Size
                    • +
                    • Key Sizes = Block Size
                    • +
                  • +
                  • HMAC-SHA2-256:
                  • +
                    • +
                    • Key Sizes &lt; Block Size
                    • +
                    • Key Sizes &gt; Block Size
                    • +
                    • Key Sizes = Block Size
                    • +
                  • +
                  • HMAC-SHA2-384:
                  • +
                    • +
                    • Key Sizes &lt; Block Size
                    • +
                    • Key Sizes &gt; Block Size
                    • +
                    • Key Sizes = Block Size
                    • +
                  • +
                  • HMAC-SHA2-512:
                  • +
                    • +
                    • Key Sizes &lt; Block Size
                    • +
                    • Key Sizes &gt; Block Size
                    • +
                    • Key Sizes = Block Size
                    • +
                  • +
                  +

                  Prerequisite: SHS #4011

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #3269

                  +

                  Version 10.0.15063.674

                    +
                  • HMAC-SHA-1:
                  • +
                    • +
                    • Key Sizes &lt; Block Size
                    • +
                    • Key Sizes &gt; Block Size
                    • +
                    • Key Sizes = Block Size
                    • +
                  • +
                  • HMAC-SHA2-256:
                  • +
                    • +
                    • Key Sizes &lt; Block Size
                    • +
                    • Key Sizes &gt; Block Size
                    • +
                    • Key Sizes = Block Size
                    • +
                  • +
                  • HMAC-SHA2-384:
                  • +
                    • +
                    • Key Sizes &lt; Block Size
                    • +
                    • Key Sizes &gt; Block Size
                    • +
                    • Key Sizes = Block Size
                    • +
                  • +
                  • HMAC-SHA2-512:
                  • +
                    • +
                    • Key Sizes &lt; Block Size
                    • +
                    • Key Sizes &gt; Block Size
                    • +
                    • Key Sizes = Block Size
                    • +
                  • +
                  +

                  Prerequisite: SHS #4010

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #3268

                  +

                  Version 10.0.15254

                    +
                  • HMAC-SHA-1:
                  • +
                    • +
                    • Key Sizes &lt; Block Size
                    • +
                    • Key Sizes &gt; Block Size
                    • +
                    • Key Sizes = Block Size
                    • +
                  • +
                  • HMAC-SHA2-256:
                  • +
                    • +
                    • Key Sizes &lt; Block Size
                    • +
                    • Key Sizes &gt; Block Size
                    • +
                    • Key Sizes = Block Size
                    • +
                  • +
                  • HMAC-SHA2-384:
                  • +
                    • +
                    • Key Sizes &lt; Block Size
                    • +
                    • Key Sizes &gt; Block Size
                    • +
                    • Key Sizes = Block Size
                    • +
                  • +
                  • HMAC-SHA2-512:
                  • +
                    • +
                    • Key Sizes &lt; Block Size
                    • +
                    • Key Sizes &gt; Block Size
                    • +
                    • Key Sizes = Block Size
                    • +
                  • +
                  +

                  Prerequisite: SHS #4009

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267

                  +

                  Version 10.0.16299

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3790

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3790

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3790

                  Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062

                  +

                  Version 10.0.15063

                  HMAC-SHA1(Key Sizes Ranges Tested: KSBS) SHS validation number 3790

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3790

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3790

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 3790

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061

                  +

                  Version 10.0.15063

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3652

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3652

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3652

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3652

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946

                  +

                  Version 7.00.2872

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3651

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3651

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3651

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3651

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945

                  +

                  Version 8.00.6246

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3649

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3649

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3649

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3649

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943

                  +

                  Version 7.00.2872

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3648

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3648

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3648

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3648

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942

                  +

                  Version 8.00.6246

                  HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
                  +SHS validation number 3347

                  +

                  HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
                  +SHS validation number 3347

                  +

                  HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
                  +SHS validation number 3347

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

                  +

                  Version 10.0.14393

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3347

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3347

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3347

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 3347

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651

                  +

                  Version 10.0.14393

                  HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
                  +SHS validation number 3047

                  +

                  HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
                  +SHS validation number 3047

                  +

                  HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
                  +SHS validation number 3047

                  +

                  HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
                  +SHS validation number 3047

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381

                  +

                  Version 10.0.10586

                  HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
                  +SHSvalidation number 2886

                  +

                  HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
                  +SHSvalidation number 2886

                  +

                  HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
                  + SHSvalidation number 2886

                  +

                  HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
                  +SHSvalidation number 2886

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233

                  +

                  Version 10.0.10240

                  HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
                  +SHS validation number 2373

                  +

                  HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
                  +SHS validation number 2373

                  +

                  HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
                  +SHS validation number 2373

                  +

                  HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
                  +SHS validation number 2373

                  Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

                  +

                  Version 6.3.9600

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 2764

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 2764

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 2764

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 2764

                  Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122

                  +

                  Version 5.2.29344

                  HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KS#1902

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS#1902

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS#1902

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS#1902

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS#1902

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)

                  +

                  SHS#1903

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS)

                  +

                  SHS#1903

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS)

                  +

                  SHS#1903

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS)

                  +

                  SHS#1903

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1773

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773

                  +

                  Tinker HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773

                  Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1774

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774

                  Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1081

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081

                  Windows Server 2008 R2 and SP1 CNG algorithms #686

                  +

                  Windows 7 and SP1 CNG algorithms #677

                  +

                  Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687

                  +

                  Windows 7 Enhanced Cryptographic Provider (RSAENH) #673

                  HMAC-SHA1(Key Sizes Ranges Tested: KSvalidation number 1081

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 1081

                  Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 816

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 816

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 816

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 816

                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 753

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 753

                  Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 753

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS)SHS validation number 753

                  Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408

                  +

                  Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)SHSvalidation number 618

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

                  Windows Vista Enhanced Cryptographic Provider (RSAENH) #297
                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 785

                  Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429

                  +

                  Windows XP, vendor-affirmed

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 783

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 783

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 783

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 783

                  Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 613

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 613

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 613

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 613

                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289
                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 610Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 753

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

                  Windows Server 2008 CNG algorithms #413

                  +

                  Windows Vista Ultimate SP1 CNG algorithms #412

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 737

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 737

                  Windows Vista Ultimate BitLocker Drive Encryption #386

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 618

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

                  Windows Vista CNG algorithms #298

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 589

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS)SHSvalidation number 589

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 589

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 589

                  Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 578

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 578

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 578

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 578

                  Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 495

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 495

                  Windows Vista BitLocker Drive Encryption #199
                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 364

                  Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99

                  +

                  Windows XP, vendor-affirmed

                  HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 305

                  +

                  HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 305

                  +

                  HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 305

                  +

                  HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 305

                  Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31
                  + + +#### Key Agreement Scheme (KAS) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #
                    +
                  • KAS ECC:
                  • +
                    • +
                    • Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
                    • +
                    • Schemes:
                    • +
                      • +
                      • Full Unified:
                      • +
                        • +
                        • Key Agreement Roles: Initiator, Responder
                        • +
                        • KDFs: Concatenation
                        • +
                        • Parameter Sets:
                        • +
                          • +
                          • EC:
                          • +
                            • +
                            • Curve: P-256
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • ED:
                          • +
                            • +
                            • Curve: P-384
                            • +
                            • SHA: SHA-384
                            • +
                            • MAC: HMAC
                            • +
                          • +
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4011, ECDSA #1253, DRBG #1734

                  Microsoft Surface Hub Virtual TPM Implementations #150

                  +

                  Version 10.0.15063.674

                    +
                  • KAS ECC:
                  • +
                    • +
                    • Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
                    • +
                    • Schemes:
                    • +
                      • +
                      • Full Unified:
                      • +
                        • +
                        • Key Agreement Roles: Initiator, Responder
                        • +
                        • KDFs: Concatenation
                        • +
                        • Parameter Sets:
                        • +
                          • +
                          • EC:
                          • +
                            • +
                            • Curve: P-256
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • ED:
                          • +
                            • +
                            • Curve: P-384
                            • +
                            • SHA: SHA-384
                            • +
                            • MAC: HMAC
                            • +
                          • +
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4009, ECDSA #1252, DRBG #1733

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149

                  +

                  Version 10.0.16299

                    +
                  • KAS ECC:
                  • +
                    • +
                    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
                    • +
                    • Schemes:
                    • +
                      • +
                      • Ephemeral Unified:
                      • +
                        • +
                        • Key Agreement Roles: Initiator, Responder
                        • +
                        • KDFs: Concatenation
                        • +
                        • Parameter Sets:
                        • +
                          • +
                          • EC:
                          • +
                            • +
                            • Curve: P-256
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • ED:
                          • +
                            • +
                            • Curve: P-384
                            • +
                            • SHA: SHA-384
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • EE:
                          • +
                            • +
                            • Curve: P-521
                            • +
                            • SHA: SHA-512
                            • +
                            • MAC: HMAC
                            • +
                          • +
                        • +
                      • +
                      • One-Pass DH:
                      • +
                        • +
                        • Key Agreement Roles: Initiator, Responder
                        • +
                        • Parameter Sets:
                        • +
                          • +
                          • EC:
                          • +
                            • +
                            • Curve: P-256
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • ED:
                          • +
                            • +
                            • Curve: P-384
                            • +
                            • SHA: SHA-384
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • EE:
                          • +
                            • +
                            • Curve: P-521
                            • +
                            • SHA: SHA-512
                            • +
                            • MAC: HMAC
                            • +
                          • +
                        • +
                      • +
                      • Static Unified:
                      • +
                        • +
                        • Key Agreement Roles: Initiator, Responder
                        • +
                        • Parameter Sets:
                        • +
                          • +
                          • EC:
                          • +
                            • +
                            • Curve: P-256
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • ED:
                          • +
                            • +
                            • Curve: P-384
                            • +
                            • SHA: SHA-384
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • EE:
                          • +
                            • +
                            • Curve: P-521
                            • +
                            • SHA: SHA-512
                            • +
                            • MAC: HMAC
                            • +
                          • +
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4011, ECDSA #1250, DRBG #1732

                  +
                    +
                  • KAS FFC:
                  • +
                    • +
                    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
                    • +
                    • Schemes:
                    • +
                      • +
                      • dhEphem:
                      • +
                        • +
                        • Key Agreement Roles: Initiator, Responder
                        • +
                        • Parameter Sets:
                        • +
                          • +
                          • FB:
                          • +
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • FC:
                          • +
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                        • +
                      • +
                      • dhOneFlow:
                      • +
                        • +
                        • Key Agreement Roles: Initiator, Responder
                        • +
                        • Parameter Sets:
                        • +
                          • +
                          • FB:
                          • +
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • FC:
                          • +
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                        • +
                      • +
                      • dhStatic:
                      • +
                        • +
                        • Key Agreement Roles: Initiator, Responder
                        • +
                        • Parameter Sets:
                        • +
                          • +
                          • FB:
                          • +
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • FC:
                          • +
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4011, DSA #1303, DRBG #1732

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #148

                  +

                  Version 10.0.15063.674

                    +
                  • KAS ECC:
                  • +
                    • +
                    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
                    • +
                    • Schemes:
                    • +
                      • +
                      • Ephemeral Unified:
                      • +
                        • +
                        • Key Agreement Roles: Initiator, Responder
                        • +
                        • KDFs: Concatenation
                        • +
                        • Parameter Sets:
                        • +
                          • +
                          • EC:
                          • +
                            • +
                            • Curve: P-256
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • ED:
                          • +
                            • +
                            • Curve: P-384
                            • +
                            • SHA: SHA-384
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • EE:
                          • +
                            • +
                            • Curve: P-521
                            • +
                            • SHA: SHA-512
                            • +
                            • MAC: HMAC
                            • +
                          • +
                        • +
                      • +
                      • One-Pass DH:
                      • +
                        • +
                        • Key Agreement Roles: Initiator, Responder
                        • +
                        • Parameter Sets:
                        • +
                          • +
                          • EC:
                          • +
                            • +
                            • Curve: P-256
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • ED:
                          • +
                            • +
                            • Curve: P-384
                            • +
                            • SHA: SHA-384
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • EE:
                          • +
                            • +
                            • Curve: P-521
                            • +
                            • SHA: SHA-512
                            • +
                            • MAC: HMAC
                            • +
                          • +
                        • +
                      • +
                      • Static Unified:
                      • +
                        • +
                        • Key Agreement Roles: Initiator, Responder
                        • +
                        • Parameter Sets:
                        • +
                          • +
                          • EC:
                          • +
                            • +
                            • Curve: P-256
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • ED:
                          • +
                            • +
                            • Curve: P-384
                            • +
                            • SHA: SHA-384
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • EE:
                          • +
                            • +
                            • Curve: P-521
                            • +
                            • SHA: SHA-512
                            • +
                            • MAC: HMAC
                            • +
                          • +
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4010, ECDSA #1249, DRBG #1731

                  +
                    +
                  • KAS FFC:
                  • +
                    • +
                    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
                    • +
                    • Schemes:
                    • +
                      • +
                      • dhEphem:
                      • +
                        • +
                        • Key Agreement Roles: Initiator, Responder
                        • +
                        • Parameter Sets:
                        • +
                          • +
                          • FB:
                          • +
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • FC:
                          • +
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                        • +
                      • +
                      • dhOneFlow:
                      • +
                        • +
                        • Key Agreement Roles: Initiator, Responder
                        • +
                        • Parameter Sets:
                        • +
                          • +
                          • FB:
                          • +
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • FC:
                          • +
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                        • +
                      • +
                      • dhStatic:
                      • +
                        • +
                        • Key Agreement Roles: Initiator, Responder
                        • +
                        • Parameter Sets:
                        • +
                          • +
                          • FB:
                          • +
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • FC:
                          • +
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4010, DSA #1302, DRBG #1731

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #147

                  +

                  Version 10.0.15254

                    +
                  • KAS ECC:
                  • +
                    • +
                    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
                    • +
                    • Schemes:
                    • +
                      • +
                      • Ephemeral Unified:
                      • +
                        • +
                        • Key Agreement Roles: Initiator, Responder
                        • +
                        • KDFs: Concatenation
                        • +
                        • Parameter Sets:
                        • +
                          • +
                          • EC:
                          • +
                            • +
                            • Curve: P-256
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • ED:
                          • +
                            • +
                            • Curve: P-384
                            • +
                            • SHA: SHA-384
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • EE:
                          • +
                            • +
                            • Curve: P-521
                            • +
                            • SHA: SHA-512
                            • +
                            • MAC: HMAC
                            • +
                          • +
                        • +
                      • +
                      • One-Pass DH:
                      • +
                        • +
                        • Key Agreement Roles: Initiator, Responder
                        • +
                        • Parameter Sets:
                        • +
                          • +
                          • EC:
                          • +
                            • +
                            • Curve: P-256
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • ED:
                          • +
                            • +
                            • Curve: P-384
                            • +
                            • SHA: SHA-384
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • EE:
                          • +
                            • +
                            • Curve: P-521
                            • +
                            • SHA: SHA-512
                            • +
                            • MAC: HMAC
                            • +
                          • +
                        • +
                      • +
                      • Static Unified:
                      • +
                        • +
                        • Key Agreement Roles: Initiator, Responder
                        • +
                        • Parameter Sets:
                        • +
                          • +
                          • EC:
                          • +
                            • +
                            • Curve: P-256
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • ED:
                          • +
                            • +
                            • Curve: P-384
                            • +
                            • SHA: SHA-384
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • EE:
                          • +
                            • +
                            • Curve: P-521
                            • +
                            • SHA: SHA-512
                            • +
                            • MAC: HMAC
                            • +
                          • +
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4009, ECDSA #1246, DRBG #1730

                  +
                    +
                  • KAS FFC:
                  • +
                    • +
                    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
                    • +
                    • Schemes:
                    • +
                      • +
                      • dhEphem:
                      • +
                        • +
                        • Key Agreement Roles: Initiator, Responder
                        • +
                        • Parameter Sets:
                        • +
                          • +
                          • FB:
                          • +
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • FC:
                          • +
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                        • +
                      • +
                      • dhOneFlow:
                      • +
                        • +
                        • Key Agreement Roles: Initiator, Responder
                        • +
                        • Parameter Sets:
                        • +
                          • +
                          • FB:
                          • +
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • FC:
                          • +
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                        • +
                      • +
                      • dhStatic:
                      • +
                        • +
                        • Key Agreement Roles: Initiator, Responder
                        • +
                        • Parameter Sets:
                        • +
                          • +
                          • FB:
                          • +
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                          • FC:
                          • +
                            • +
                            • SHA: SHA-256
                            • +
                            • MAC: HMAC
                            • +
                          • +
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4009, DSA #1301, DRBG #1730

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146

                  +

                  Version 10.0.16299

                  ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration) SCHEMES [FullUnified (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC)]

                  +

                  SHS validation number 3790
                  +DSA validation number 1135
                  +DRBG validation number 1556

                  Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128

                  +

                  Version 10.0.15063

                  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder)
                  +(FB: SHA256) (FC: SHA256)]
                  +[dhOneFlow (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC &lt; KARole(s): Initiator / Responder&gt;) (FB: SHA256 HMAC) (FC: SHA256   HMAC)]
                  +SHS validation number 3790
                  +DSA validation number 1223
                  +DRBG validation number 1555

                  +

                  ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [EphemeralUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
                  +[OnePassDH (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
                  +[StaticUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
                  +
                  +SHS validation number 3790
                  +ECDSA validation number 1133
                  +DRBG validation number 1555

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127

                  +

                  Version 10.0.15063

                  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder)
                  +(FB: SHA256) (FC: SHA256)]
                  +[dhOneFlow (KARole(s): Initiator / Responder) (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC &lt; KARole(s): Initiator / Responder&gt;) (FB: SHA256 HMAC) (FC: SHA256   HMAC)]
                  +SHS validation number 3649
                  +DSA validation number 1188
                  +DRBG validation number 1430

                  +

                  ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES [EphemeralUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
                  +[OnePassDH (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
                  +[StaticUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115

                  +

                  Version 7.00.2872

                  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder)
                  +(FB: SHA256) (FC: SHA256)]
                  +[dhHybridOneFlow (No_KC &lt; KARole(s): Initiator / Responder&gt;) (FB:SHA256 HMAC) (FC: SHA256   HMAC)]
                  +[dhStatic (No_KC &lt; KARole(s): Initiator / Responder&gt;) (FB:SHA256 HMAC) (FC: SHA256   HMAC)]
                  +SHS validation number 3648
                  +DSA validation number 1187
                  +DRBG validation number 1429

                  +

                  ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES [EphemeralUnified (No_KC) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
                  +[OnePassDH (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
                  +[StaticUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
                  +
                  +SHS validation number 3648
                  +ECDSA validation number 1072
                  +DRBG validation number 1429

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114

                  +

                  Version 8.00.6246

                  ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration)
                  +SCHEMES  [FullUnified  (No_KC  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC)]

                  +

                  SHS validation number 3347 ECDSA validation number 920 DRBG validation number 1222

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

                  +

                  Version 10.0.14393

                  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation)
                  +SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)
                  +(FB: SHA256) (FC: SHA256)]
                  +[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]

                  +

                  SHS validation number 3347 DSA validation number 1098 DRBG validation number 1217

                  +

                  ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
                  +[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
                  +[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

                  +

                  SHS validation number 3347 DSA validation number 1098 ECDSA validation number 911 DRBG validation number 1217 HMAC validation number 2651

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92

                  +

                  Version 10.0.14393

                  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)
                  +(FB: SHA256) (FC: SHA256)]
                  +[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]

                  +

                  SHS validation number 3047 DSA validation number 1024 DRBG validation number 955

                  +

                  ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
                  +[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
                  +[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

                  +

                  SHS validation number 3047 ECDSA validation number 760 DRBG validation number 955

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72

                  +

                  Version 10.0.10586

                  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)
                  +(FB: SHA256) (FC: SHA256)]
                  +[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]

                  +

                  SHS validation number 2886 DSA validation number 983 DRBG validation number 868

                  +

                  ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
                  +[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
                  +[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

                  +

                  SHS validation number 2886 ECDSA validation number 706 DRBG validation number 868

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64

                  +

                  Version 10.0.10240

                  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)
                  +(FB: SHA256) (FC: SHA256)]
                  +[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]

                  +

                  SHS validation number 2373 DSA validation number 855 DRBG validation number 489

                  +

                  ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
                  +[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
                  +[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

                  +

                  SHS validation number 2373 ECDSA validation number 505 DRBG validation number 489

                  Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47

                  +

                  Version 6.3.9600

                  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder)
                  +(FA: SHA256) (FB: SHA256) (FC: SHA256)]
                  +[dhOneFlow (KARole(s): Initiator / Responder) (FA: SHA256) (FB: SHA256) (FC: SHA256)]
                  +[dhStatic (No_KC &lt; KARole(s): Initiator / Responder&gt;) (FA: SHA256 HMAC) (FB: SHA256 HMAC) (FC: SHA256 HMAC)]
                  +SHS #1903 DSA validation number 687 DRBG #258

                  +

                  ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [EphemeralUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
                  +[OnePassDH(No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256 SHA256) (ED: P-384 SHA384) (EE: P-521 (SHA512, HMAC_SHA512)))]
                  +[StaticUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
                  +
                  +SHS #1903 ECDSA validation number 341 DRBG #258

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36

                  KAS (SP 800–56A)

                  +

                  key agreement

                  +

                  key establishment methodology provides 80 bits to 256 bits of encryption strength

                  Windows 7 and SP1, vendor-affirmed

                  +

                  Windows Server 2008 R2 and SP1, vendor-affirmed

                  + + +SP 800-108 Key-Based Key Derivation Functions (KBKDF) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #
                    +
                  • Counter:
                  • +
                    • +
                    • MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
                    • +
                  • +
                  +

                  MAC prerequisite: HMAC #3271

                  +
                  +
                    +
                  • Counter Location: Before Fixed Data
                  • +
                  • R Length: 32 (bits)
                  • +
                  • SPs used to generate K: SP 800-56A, SP 800-90A
                  • +
                  +
                  +

                  K prerequisite: DRBG #1734, KAS #150

                  Microsoft Surface Hub Virtual TPM Implementations #161

                  +

                  Version 10.0.15063.674

                    +
                  • Counter:
                  • +
                    • +
                    • MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
                    • +
                  • +
                  +

                  MAC prerequisite: HMAC #3270

                  +
                  +
                    +
                  • Counter Location: Before Fixed Data
                  • +
                  • R Length: 32 (bits)
                  • +
                  • SPs used to generate K: SP 800-56A, SP 800-90A
                  • +
                  +
                  +

                  K prerequisite: DRBG #1733, KAS #149

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160

                  +

                  Version 10.0.16299

                    +
                  • Counter:
                  • +
                    • +
                    • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
                    • +
                  • +
                  +

                  MAC prerequisite: AES #4902, HMAC #3269

                  +
                  +
                    +
                  • Counter Location: Before Fixed Data
                  • +
                  • R Length: 32 (bits)
                  • +
                  • SPs used to generate K: SP 800-56A, SP 800-90A
                  • +
                  • K prerequisite: KAS #148
                  • +
                  +

                  Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #159

                  +

                  Version 10.0.15063.674

                    +
                  • Counter:
                  • +
                    • +
                    • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
                    • +
                  • +
                  +

                  MAC prerequisite: AES #4901, HMAC #3268

                  +
                  +
                    +
                  • Counter Location: Before Fixed Data
                  • +
                  • R Length: 32 (bits)
                  • +
                  • SPs used to generate K: SP 800-56A, SP 800-90A
                  • +
                  +
                  +

                  K prerequisite: KAS #147

                  Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #158

                  +

                  Version 10.0.15254

                    +
                  • Counter:
                  • +
                    • +
                    • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
                    • +
                  • +
                  +

                  MAC prerequisite: AES #4897, HMAC #3267

                  +
                  +
                    +
                  • Counter Location: Before Fixed Data
                  • +
                  • R Length: 32 (bits)
                  • +
                  • SPs used to generate K: SP 800-56A, SP 800-90A
                  • +
                  +
                  +

                  K prerequisite: KAS #146

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157

                  +

                  Version 10.0.16299

                  CTR_Mode: (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))
                  +
                  +KAS validation number 128
                  +DRBG validation number 1556
                  +MAC validation number 3062

                  Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141

                  +

                  Version 10.0.15063

                  CTR_Mode: (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))
                  +
                  +KAS validation number 127
                  +AES validation number 4624
                  +DRBG validation number 1555
                  +MAC validation number 3061

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140

                  +

                  Version 10.0.15063

                  CTR_Mode:  (Llength(Min20 Max64) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))

                  +

                  KAS validation number 93 DRBG validation number 1222 MAC validation number 2661

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

                  +

                  Version 10.0.14393

                  CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

                  +

                  KAS validation number 92 AES validation number 4064 DRBG validation number 1217 MAC validation number 2651

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101

                  +

                  Version 10.0.14393

                  CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

                  +

                  KAS validation number 72 AES validation number 3629 DRBG validation number 955 MAC validation number 2381

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72

                  +

                  Version 10.0.10586

                  CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

                  +

                  KAS validation number 64 AES validation number 3497 RBG validation number 868 MAC validation number 2233

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66

                  +

                  Version 10.0.10240

                  CTR_Mode:  (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

                  +

                  DRBG validation number 489 MAC validation number 1773

                  Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

                  +

                  Version 6.3.9600

                  CTR_Mode: (Llength(Min0 Max4) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

                  +

                  DRBG #258 HMAC validation number 1345

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3
                  + + +Random Number Generator (RNG) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #

                  FIPS 186-2 General Purpose

                  +

                  [(x-Original); (SHA-1)]

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110
                  FIPS 186-2
                  +[(x-Original); (SHA-1)]

                  Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060

                  +

                  Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292

                  +

                  Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286

                  +

                  Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66

                  FIPS 186-2
                  +[(x-Change Notice); (SHA-1)]

                  +

                  FIPS 186-2 General Purpose
                  +[(x-Change Notice); (SHA-1)]

                  Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649

                  +

                  Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435

                  +

                  Windows Vista RNG implementation #321

                  FIPS 186-2 General Purpose
                  +[(x-Change Notice); (SHA-1)]

                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470

                  +

                  Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449

                  +

                  Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447

                  +

                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #316

                  +

                  Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313

                  FIPS 186-2
                  +[(x-Change Notice); (SHA-1)]

                  Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448

                  +

                  Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314

                  + + +#### RSA + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #

                  RSA:

                  +
                    +
                  • 186-4:
                  • +
                    • +
                    • Signature Generation PKCS1.5:
                    • +
                      • +
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
                      • +
                    • +
                    • Signature Generation PSS:
                    • +
                      • +
                      • Mod 2048:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                      • +
                    • +
                    • Signature Verification PKCS1.5:
                    • +
                      • +
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384
                      • +
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
                      • +
                    • +
                    • Signature Verification PSS:
                    • +
                      • +
                      • Mod 2048:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                      • +
                      • Mod 3072:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4011, DRBG #1734

                  Microsoft Surface Hub Virtual TPM Implementations #2677

                  +

                  Version 10.0.15063.674

                  RSA:

                  +
                    +
                  • 186-4:
                  • +
                    • +
                    • Signature Generation PKCS1.5:
                    • +
                      • +
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
                      • +
                    • +
                    • Signature Generation PSS:
                    • +
                      • +
                      • Mod 2048:
                      • +
                        • +
                        • SHA-1: Salt Length: 240 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                      • +
                    • +
                    • Signature Verification PKCS1.5:
                    • +
                      • +
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384
                      • +
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
                      • +
                    • +
                    • Signature Verification PSS:
                    • +
                      • +
                      • Mod 1024:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                      • +
                      • Mod 2048:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4009, DRBG #1733

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676

                  +

                  Version 10.0.16299

                  RSA:

                  +
                    +
                  • 186-4:
                  • +
                    • +
                    • Key Generation:
                    • +
                    • Signature Verification PKCS1.5:
                    • +
                      • +
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4011, DRBG #1732

                  Microsoft Surface Hub RSA32 Algorithm Implementations #2675

                  +

                  Version 10.0.15063.674

                  RSA:

                  +
                    +
                  • 186-4:
                  • +
                    • +
                    • Signature Verification PKCS1.5:
                    • +
                      • +
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4009, DRBG #1730

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674

                  +

                  Version 10.0.16299

                  RSA:

                  +
                    +
                  • 186-4:
                  • +
                    • +
                    • Signature Verification PKCS1.5:
                    • +
                      • +
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4010, DRBG #1731

                  Windows 10 Mobile (version 1709) RSA32 Algorithm Implementations #2673

                  +

                  Version 10.0.15254

                  RSA:

                  +
                    +
                  • 186-4:
                  • +
                    • +
                    • Key Generation:
                    • +
                      • +
                      • Public Key Exponent: Fixed (10001)
                      • +
                      • Provable Primes with Conditions:
                      • +
                        • +
                        • Mod lengths: 2048, 3072 (bits)
                        • +
                        • Primality Tests: C.3
                        • +
                      • +
                    • +
                    • Signature Generation PKCS1.5:
                    • +
                      • +
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                    • +
                    • Signature Generation PSS:
                    • +
                      • +
                      • Mod 2048:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                      • Mod 3072:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                    • +
                    • Signature Verification PKCS1.5:
                    • +
                      • +
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                    • +
                    • Signature Verification PSS:
                    • +
                      • +
                      • Mod 1024:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 496 (bits)
                        • +
                      • +
                      • Mod 2048:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                      • Mod 3072:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4011, DRBG #1732

                  Microsoft Surface Hub MsBignum Cryptographic Implementations #2672

                  +

                  Version 10.0.15063.674

                  RSA:

                  +
                    +
                  • 186-4:
                  • +
                    • +
                    • Key Generation:
                    • +
                      • +
                      • Probable Random Primes:
                      • +
                        • +
                        • Mod lengths: 2048, 3072 (bits)
                        • +
                        • Primality Tests: C.2
                        • +
                      • +
                    • +
                    • Signature Generation PKCS1.5:
                    • +
                      • +
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                    • +
                    • Signature Generation PSS:
                    • +
                      • +
                      • Mod 2048:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                      • Mod 3072:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                    • +
                    • Signature Verification PKCS1.5:
                    • +
                      • +
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                    • +
                    • Signature Verification PSS:
                    • +
                      • +
                      • Mod 1024:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 496 (bits)
                        • +
                      • +
                      • Mod 2048:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                      • Mod 3072:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4011, DRBG #1732

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #2671

                  +

                  Version 10.0.15063.674

                  RSA:

                  +
                    +
                  • 186-4:
                  • +
                    • +
                    • Key Generation:
                    • +
                      • +
                      • Probable Random Primes:
                      • +
                        • +
                        • Mod lengths: 2048, 3072 (bits)
                        • +
                        • Primality Tests: C.2
                        • +
                      • +
                    • +
                    • Signature Generation PKCS1.5:
                    • +
                      • +
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                    • +
                    • Signature Generation PSS:
                    • +
                      • +
                      • Mod 2048:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                      • Mod 3072:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                    • +
                    • Signature Verification PKCS1.5:
                    • +
                      • +
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                    • +
                    • Signature Verification PSS:
                    • +
                      • +
                      • Mod 1024:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 496 (bits)
                        • +
                      • +
                      • Mod 2048:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                      • Mod 3072:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4010, DRBG #1731

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2670

                  +

                  Version 10.0.15254

                  RSA:

                  +
                    +
                  • 186-4:
                  • +
                    • +
                    • Key Generation:
                    • +
                      • +
                      • Public Key Exponent: Fixed (10001)
                      • +
                      • Provable Primes with Conditions:
                      • +
                        • +
                        • Mod lengths: 2048, 3072 (bits)
                        • +
                        • Primality Tests: C.3
                        • +
                      • +
                    • +
                    • Signature Generation PKCS1.5:
                    • +
                      • +
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                    • +
                    • Signature Generation PSS:
                    • +
                      • +
                      • Mod 2048:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                      • Mod 3072:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                    • +
                    • Signature Verification PKCS1.5:
                    • +
                      • +
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                    • +
                    • Signature Verification PSS:
                    • +
                      • +
                      • Mod 1024:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 496 (bits)
                        • +
                      • +
                      • Mod 2048:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                      • Mod 3072:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4010, DRBG #1731

                  Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #2669

                  +

                  Version 10.0.15254

                    +
                  • 186-4:
                  • +
                    • +
                    • Key Generation:
                    • +
                      • +
                      • Public Key Exponent: Fixed (10001)
                      • +
                      • Provable Primes with Conditions:
                      • +
                        • +
                        • Mod lengths: 2048, 3072 (bits)
                        • +
                        • Primality Tests: C.3
                        • +
                      • +
                    • +
                    • Signature Generation PKCS1.5:
                    • +
                      • +
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                    • +
                    • Signature Generation PSS:
                    • +
                      • +
                      • Mod 2048:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                      • Mod 3072:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                    • +
                    • Signature Verification PKCS1.5:
                    • +
                      • +
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                    • +
                    • Signature Verification PSS:
                    • +
                      • +
                      • Mod 1024:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 496 (bits)
                        • +
                      • +
                      • Mod 2048:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                      • Mod 3072:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4009, DRBG #1730

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668

                  +

                  Version 10.0.16299

                    +
                  • 186-4:
                  • +
                    • +
                    • Key Generation:
                    • +
                      • +
                      • Probable Random Primes:
                      • +
                        • +
                        • Mod lengths: 2048, 3072 (bits)
                        • +
                        • Primality Tests: C.2
                        • +
                      • +
                    • +
                    • Signature Generation PKCS1.5:
                    • +
                      • +
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                    • +
                    • Signature Generation PSS:
                    • +
                      • +
                      • Mod 2048:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                      • Mod 3072:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                    • +
                    • Signature Verification PKCS1.5:
                    • +
                      • +
                      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
                      • +
                    • +
                    • Signature Verification PSS:
                    • +
                      • +
                      • Mod 1024:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 496 (bits)
                        • +
                      • +
                      • Mod 2048:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                      • Mod 3072:
                      • +
                        • +
                        • SHA-1: Salt Length: 160 (bits)
                        • +
                        • SHA-256: Salt Length: 256 (bits)
                        • +
                        • SHA-384: Salt Length: 384 (bits)
                        • +
                        • SHA-512: Salt Length: 512 (bits)
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4009, DRBG #1730

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667

                  +

                  Version 10.0.16299

                  FIPS186-4:
                  +ALG[RSASSA-PKCS1_V1_5]
                  SIG(gen) (2048 SHA(1, 256, 384)) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  +
                  SIG(Ver) (1024 SHA(1, 256, 384)) (2048 SHA(1, 256, 384))
                  +[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  +
                  Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48)))
                  +SHA validation number 3790

                  Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524

                  +

                  Version 10.0.15063

                  FIPS186-4:
                  +ALG[RSASSA-PKCS1_V1_5]
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
                  +SHA validation number 3790

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523

                  +

                  Version 10.0.15063

                  FIPS186-4:
                  +186-4KEY(gen):
                  FIPS186-4_Fixed_e (10001);
                  +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)
                  +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  +
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
                  +[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  +
                  Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
                  +SHA validation number 3790
                  +DRBG: validation number 1555

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522

                  +

                  Version 10.0.15063

                  FIPS186-4:
                  +186-4KEY(gen):
                  +PGM(ProbRandom:
                  (2048, 3072) PPTT:(C.2)
                  +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  +
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
                  +[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  +
                  Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
                  +SHA validation number 3790

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521

                  +

                  Version 10.0.15063

                  FIPS186-2:
                  +ALG[ANSIX9.31]:

                  +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3652
                  +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256validation number 3652, SHA-384validation number 3652, SHA-512validation number 3652
                  +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3652, SHA-256validation number 3652, SHA-384validation number 3652, SHA-512validation number 3652

                  +

                  FIPS186-4:
                  +ALG[ANSIX9.31]
                  Sig(Gen): (2048 SHA(1)) (3072 SHA(1))
                  +SIG(gen) with SHA-1 affirmed for use with protocols only.
                  Sig(Ver): (1024 SHA(1)) (2048 SHA(1)) (3072 SHA(1))
                  +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  +
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
                  +SHA validation number 3652

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415

                  +

                  Version 7.00.2872

                  FIPS186-2:
                  +ALG[ANSIX9.31]:

                  +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3651
                  +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256validation number 3651, SHA-384validation number 3651, SHA-512validation number 3651
                  +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3651, SHA-256validation number 3651, SHA-384validation number 3651, SHA-512validation number 3651

                  +

                  FIPS186-4:
                  +ALG[ANSIX9.31]
                  Sig(Gen): (2048 SHA(1)) (3072 SHA(1))
                  +SIG(gen) with SHA-1 affirmed for use with protocols only.
                  Sig(Ver): (1024 SHA(1)) (2048 SHA(1)) (3072 SHA(1))
                  +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  +
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
                  +SHA validation number 3651

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414

                  +

                  Version 8.00.6246

                  FIPS186-2:
                  +ALG[RSASSA-PKCS1_V1_5]:
                  SIG(gen) 4096, SHS: SHA-256validation number 3649, SHA-384validation number 3649, SHA-512validation number 3649
                  +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3649, SHA-256validation number 3649, SHA-384validation number 3649, SHA-512validation number 3649

                  +

                  FIPS186-4:
                  +186-4KEY(gen):
                  FIPS186-4_Fixed_e (10001);
                  +PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
                  +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  +
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
                  +SHA validation number 3649
                  +DRBG: validation number 1430

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412

                  +

                  Version 7.00.2872

                  FIPS186-2:
                  +ALG[RSASSA-PKCS1_V1_5]:
                  SIG(gen) 4096, SHS: SHA-256validation number 3648, SHA-384validation number 3648, SHA-512validation number 3648
                  +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3648, SHA-256validation number 3648, SHA-384validation number 3648, SHA-512validation number 3648

                  +

                  FIPS186-4:
                  +186-4KEY(gen):
                  FIPS186-4_Fixed_e (10001);
                  +PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
                  +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  +
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
                  +SHA validation number 3648
                  +DRBG: validation number 1429

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411

                  +

                  Version 8.00.6246

                  FIPS186-4:
                  +ALG[RSASSA-PKCS1_V1_5]
                  SIG(gen) (2048 SHA(1, 256, 384)) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  +SIG(Ver) (1024 SHA(1, 256, 384)) (2048 SHA(1, 256, 384))
                  +[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) SIG(gen) with SHA-1 affirmed for use with protocols only.
                  +Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48)))

                  +

                  SHA validation number 3347

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

                  +

                  Version 10.0.14393

                  FIPS186-4:
                  +186-4KEY(gen):
                  FIPS186-4_Fixed_e (10001);
                  +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

                  +

                  SHA validation number 3347 DRBG: validation number 1217

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195

                  +

                  Version 10.0.14393

                  FIPS186-4:
                  +ALG[RSASSA-PKCS1_V1_5]
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

                  +

                  SHA validation number 3346

                  soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194

                  +

                  Version 10.0.14393

                  FIPS186-4:
                  +ALG[RSASSA-PKCS1_V1_5]
                  SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
                  +SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

                  +

                  SHA validation number 3347 DRBG: validation number 1217

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193

                  +

                  Version 10.0.14393

                  FIPS186-4:
                  +[RSASSA-PSS]: Sig(Gen):
                  (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

                  +

                  Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

                  +

                  SHA validation number 3347 DRBG: validation number 1217

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192

                  +

                  Version 10.0.14393

                  FIPS186-4:
                  +186-4KEY(gen)
                  :  FIPS186-4_Fixed_e (10001);
                  +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

                  +

                  SHA validation number 3047 DRBG: validation number 955

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889

                  +

                  Version 10.0.10586

                  FIPS186-4:
                  +ALG[RSASSA-PKCS1_V1_5]
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

                  +

                  SHA validation number 3048

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871

                  +

                  Version 10.0.10586

                  FIPS186-4:
                  +ALG[RSASSA-PKCS1_V1_5]
                  SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
                  +SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

                  +

                  SHA validation number 3047

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888

                  +

                  Version 10.0.10586

                  FIPS186-4:
                  +[RSASSA-PSS]: Sig(Gen)
                  : (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
                  +Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

                  +

                  SHA validation number 3047

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887

                  +

                  Version 10.0.10586

                  FIPS186-4:
                  +186-4KEY(gen):
                  FIPS186-4_Fixed_e (10001);
                  +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

                  +

                  SHA validation number 2886 DRBG: validation number 868

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798

                  +

                  Version 10.0.10240

                  FIPS186-4:
                  +ALG[RSASSA-PKCS1_V1_5]
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

                  +

                  SHA validation number 2871

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784

                  +

                  Version 10.0.10240

                  FIPS186-4:
                  +ALG[RSASSA-PKCS1_V1_5]
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

                  +

                  SHA validation number 2871

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783

                  +

                  Version 10.0.10240

                  FIPS186-4:
                  +[RSASSA-PSS]:
                  Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
                  +Sig(Ver): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

                  +

                  SHA validation number 2886

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802

                  +

                  Version 10.0.10240

                  FIPS186-4:
                  +186-4KEY(gen):
                  FIPS186-4_Fixed_e;
                  +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

                  +

                  SHA validation number 2373 DRBG: validation number 489

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

                  +

                  Version 6.3.9600

                  FIPS186-4:
                  +ALG[RSASSA-PKCS1_V1_5]
                  SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

                  +

                  SHA validation number 2373

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494

                  +

                  Version 6.3.9600

                  FIPS186-4:
                  +ALG[RSASSA-PKCS1_V1_5
                  ] SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
                  +SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

                  +

                  SHA validation number 2373

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

                  +

                  Version 6.3.9600

                  FIPS186-4:
                  +[RSASSA-PSS]:
                  Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
                  + Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

                  +

                  SHA validation number 2373

                  Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

                  +

                  Version 6.3.9600

                  FIPS186-4:
                  +ALG[RSASSA-PKCS1_V1_5]
                  SIG(gen) (2048 SHA(256, 384, 512-256)) (3072 SHA(256, 384, 512-256))
                  +SIG(Ver) (1024 SHA(1, 256, 384, 512-256)) (2048 SHA(1, 256, 384, 512-256)) (3072 SHA(1, 256, 384, 512-256))
                  +[RSASSA-PSS]: Sig(Gen): (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
                  +Sig(Ver): (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512, 512))
                  +SHA #1903

                  +

                  Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1134.

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134
                  FIPS186-4:
                  +186-4KEY(gen):
                  FIPS186-4_Fixed_e, FIPS186-4_Fixed_e_Value
                  +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)
                  +SHA #1903 DRBG: #258
                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133
                  FIPS186-2:
                  +ALG[ANSIX9.31]:
                  Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: #258
                  +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
                  +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1132.
                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132
                  FIPS186-2:
                  +ALG[ANSIX9.31]:

                  +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1774
                  +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1774, SHA-384validation number 1774, SHA-512validation number 1774,
                  +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1774, SHA-256validation number 1774, SHA-384validation number 1774, SHA-512validation number 1774,
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1052.
                  Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052
                  FIPS186-2:
                  +ALG[ANSIX9.31]:
                  Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: validation number 193
                  +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1773, SHA-384validation number 1773, SHA-512validation number 1773,
                  +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1773, SHA-256validation number 1773, SHA-384validation number 1773, SHA-512validation number 1773,
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1051.
                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051
                  FIPS186-2:
                  +ALG[RSASSA-PKCS1_V1_5]:
                  SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
                  +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 568.
                  Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568
                  FIPS186-2:
                  +ALG[RSASSA-PKCS1_V1_5]:
                  SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
                  +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
                  +ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081
                  +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 567. See Historical RSA List validation number 560.

                  Windows Server 2008 R2 and SP1 CNG algorithms #567

                  +

                  Windows 7 and SP1 CNG algorithms #560

                  FIPS186-2:
                  +ALG[ANSIX9.31]:
                  Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: validation number 23
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 559.
                  Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559
                  FIPS186-2:
                  +ALG[RSASSA-PKCS1_V1_5]:
                  SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
                  +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 557.
                  Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557
                  FIPS186-2:
                  +ALG[ANSIX9.31]:
                  +ALG[RSASSA-PKCS1_V1_5]:
                  SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 816, SHA-384validation number 816, SHA-512validation number 816,
                  +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 816, SHA-256validation number 816, SHA-384validation number 816, SHA-512validation number 816,
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 395.
                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395
                  FIPS186-2:
                  +ALG[ANSIX9.31]:

                  +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 783
                  +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 783, SHA-384validation number 783, SHA-512validation number 783,
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 371.
                  Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371
                  FIPS186-2:
                  +ALG[RSASSA-PKCS1_V1_5]:
                  SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
                  +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
                  +ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753
                  +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 358. See Historical RSA List validation number 357.

                  Windows Server 2008 CNG algorithms #358

                  +

                  Windows Vista SP1 CNG algorithms #357

                  FIPS186-2:
                  +ALG[ANSIX9.31]:

                  +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753
                  +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
                  +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 355. See Historical RSA List validation number 354.

                  Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355

                  +

                  Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354

                  FIPS186-2:
                  +ALG[ANSIX9.31]:
                  Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 353.
                  Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353
                  FIPS186-2:
                  +ALG[ANSIX9.31]:
                  Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 RNG: validation number 321
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 258.
                  Windows Vista RSA key generation implementation #258
                  FIPS186-2:
                  +ALG[RSASSA-PKCS1_V1_5]:
                  SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
                  +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
                  +ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618
                  +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 257.
                  Windows Vista CNG algorithms #257
                  FIPS186-2:
                  +ALG[RSASSA-PKCS1_V1_5]:
                  SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
                  +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 255.
                  Windows Vista Enhanced Cryptographic Provider (RSAENH) #255
                  FIPS186-2:
                  +ALG[ANSIX9.31]:

                  +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 613
                  +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 613, SHA-384validation number 613, SHA-512validation number 613,
                  +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 613, SHA-256validation number 613, SHA-384validation number 613, SHA-512validation number 613,
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 245.
                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245
                  FIPS186-2:
                  +ALG[ANSIX9.31]:

                  +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 589
                  +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 589, SHA-384validation number 589, SHA-512validation number 589,
                  +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 589, SHA-256validation number 589, SHA-384validation number 589, SHA-512validation number 589,
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 230.
                  Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230
                  FIPS186-2:
                  +ALG[ANSIX9.31]:

                  +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 578
                  +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 578, SHA-384validation number 578, SHA-512validation number 578,
                  +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 578, SHA-256validation number 578, SHA-384validation number 578, SHA-512validation number 578,
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 222.
                  Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222
                  FIPS186-2:
                  +ALG[RSASSA-PKCS1_V1_5]:

                  +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 364
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 81.
                  Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81
                  FIPS186-2:
                  +ALG[ANSIX9.31]:

                  +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 305
                  +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 305, SHA-384validation number 305, SHA-512validation number 305,
                  +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 305, SHA-256validation number 305, SHA-384validation number 305, SHA-512validation number 305,
                  +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 52.
                  Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52

                  FIPS186-2:

                  +

                  – PKCS#1 v1.5, signature generation, and verification

                  +

                  – Mod sizes: 1024, 1536, 2048, 3072, 4096

                  +

                  – SHS: SHA–1/256/384/512

                  Windows XP, vendor-affirmed

                  +

                  Windows 2000, vendor-affirmed

                  + + +#### Secure Hash Standard (SHS) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #
                    +
                  • SHA-1:
                  • +
                    • +
                    • Supports Empty Message
                    • +
                  • +
                  • SHA-256:
                  • +
                    • +
                    • Supports Empty Message
                    • +
                  • +
                  • SHA-384:
                  • +
                    • +
                    • Supports Empty Message
                    • +
                  • +
                  • SHA-512:
                  • +
                    • +
                    • Supports Empty Message
                    • +
                  • +

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #4011

                  +

                  Version 10.0.15063.674

                    +
                  • SHA-1:
                  • +
                    • +
                    • Supports Empty Message
                    • +
                  • +
                  • SHA-256:
                  • +
                    • +
                    • Supports Empty Message
                    • +
                  • +
                  • SHA-384:
                  • +
                    • +
                    • Supports Empty Message
                    • +
                  • +
                  • SHA-512:
                  • +
                    • +
                    • Supports Empty Message
                    • +
                  • +

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4010

                  +

                  Version 10.0.15254

                    +
                  • SHA-1:
                  • +
                    • +
                    • Supports Empty Message
                    • +
                  • +
                  • SHA-256:
                  • +
                    • +
                    • Supports Empty Message
                    • +
                  • +
                  • SHA-384:
                  • +
                    • +
                    • Supports Empty Message
                    • +
                  • +
                  • SHA-512:
                  • +
                    • +
                    • Supports Empty Message
                    • +
                  • +

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009

                  +

                  Version 10.0.16299

                  SHA-1      (BYTE-only)
                  +SHA-256  (BYTE-only)
                  +SHA-384  (BYTE-only)
                  +SHA-512  (BYTE-only)

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790

                  +

                  Version 10.0.15063

                  SHA-1      (BYTE-only)
                  +SHA-256  (BYTE-only)
                  +SHA-384  (BYTE-only)
                  +SHA-512  (BYTE-only)

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652

                  +

                  Version 7.00.2872

                  SHA-1      (BYTE-only)
                  +SHA-256  (BYTE-only)
                  +SHA-384  (BYTE-only)
                  +SHA-512  (BYTE-only)

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651

                  +

                  Version 8.00.6246

                  SHA-1      (BYTE-only)
                  +SHA-256  (BYTE-only)
                  +SHA-384  (BYTE-only)
                  +SHA-512  (BYTE-only)

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649

                  +

                  Version 7.00.2872

                  SHA-1      (BYTE-only)
                  +SHA-256  (BYTE-only)
                  +SHA-384  (BYTE-only)
                  +SHA-512  (BYTE-only)

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648

                  +

                  Version 8.00.6246

                  SHA-1 (BYTE-only)
                  +SHA-256 (BYTE-only)
                  +SHA-384 (BYTE-only)
                  +SHA-512 (BYTE-only)
                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
                  +Version 10.0.14393
                  SHA-1 (BYTE-only)
                  +SHA-256 (BYTE-only)
                  +SHA-384 (BYTE-only)
                  +SHA-512 (BYTE-only)
                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
                  +Version 10.0.14393
                  SHA-1 (BYTE-only)
                  +SHA-256 (BYTE-only)
                  +SHA-384 (BYTE-only)
                  +SHA-512 (BYTE-only)
                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
                  +Version 10.0.10586
                  SHA-1 (BYTE-only)
                  +SHA-256 (BYTE-only)
                  +SHA-384 (BYTE-only)
                  +SHA-512 (BYTE-only)
                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
                  +Version 10.0.10586
                  SHA-1 (BYTE-only)
                  +SHA-256 (BYTE-only)
                  +SHA-384 (BYTE-only)
                  +SHA-512 (BYTE-only)
                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
                  +Version 10.0.10240
                  SHA-1 (BYTE-only)
                  +SHA-256 (BYTE-only)
                  +SHA-384 (BYTE-only)
                  +SHA-512 (BYTE-only)
                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
                  +Version 10.0.10240
                  SHA-1 (BYTE-only)
                  +SHA-256 (BYTE-only)
                  +SHA-384 (BYTE-only)
                  +SHA-512 (BYTE-only)
                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
                  +Version 6.3.9600
                  SHA-1 (BYTE-only)
                  +SHA-256 (BYTE-only)
                  +SHA-384 (BYTE-only)
                  +SHA-512 (BYTE-only)
                  Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
                  +Version 6.3.9600

                  SHA-1 (BYTE-only)

                  +

                  SHA-256 (BYTE-only)

                  +

                  SHA-384 (BYTE-only)

                  +

                  SHA-512 (BYTE-only)

                  +

                  Implementation does not support zero-length (null) messages.

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903

                  +

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902

                  SHA-1 (BYTE-only)
                  +SHA-256 (BYTE-only)
                  +SHA-384 (BYTE-only)
                  +SHA-512 (BYTE-only)

                  Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774

                  +

                  Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773

                  SHA-1 (BYTE-only)
                  +SHA-256 (BYTE-only)
                  +SHA-384 (BYTE-only)
                  +SHA-512 (BYTE-only)

                  Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081

                  +

                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816

                  SHA-1 (BYTE-only)

                  Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785

                  +

                  Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784

                  SHA-1 (BYTE-only)
                  +SHA-256 (BYTE-only)
                  +SHA-384 (BYTE-only)
                  +SHA-512 (BYTE-only)
                  Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783
                  SHA-1 (BYTE-only)
                  +SHA-256 (BYTE-only)
                  +SHA-384 (BYTE-only)
                  +SHA-512 (BYTE-only)

                  Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753

                  +

                  Windows Vista Symmetric Algorithm Implementation #618

                  SHA-1 (BYTE-only)
                  +SHA-256 (BYTE-only)

                  Windows Vista BitLocker Drive Encryption #737

                  +

                  Windows Vista Beta 2 BitLocker Drive Encryption #495

                  SHA-1 (BYTE-only)
                  +SHA-256 (BYTE-only)
                  +SHA-384 (BYTE-only)
                  +SHA-512 (BYTE-only)

                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613

                  +

                  Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364

                  SHA-1 (BYTE-only)

                  Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611

                  +

                  Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610

                  +

                  Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385

                  +

                  Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #371

                  +

                  Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #181

                  +

                  Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #177

                  +

                  Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176

                  SHA-1 (BYTE-only)
                  +SHA-256 (BYTE-only)
                  +SHA-384 (BYTE-only)
                  +SHA-512 (BYTE-only)

                  Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589

                  +

                  Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578

                  +

                  Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305

                  SHA-1 (BYTE-only)

                  Windows XP Microsoft Enhanced Cryptographic Provider #83

                  +

                  Crypto Driver for Windows 2000 (fips.sys) #35

                  +

                  Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #32

                  +

                  Windows 2000 RSAENH.DLL #24

                  +

                  Windows 2000 RSABASE.DLL #23

                  +

                  Windows NT 4 SP6 RSAENH.DLL #21

                  +

                  Windows NT 4 SP6 RSABASE.DLL #20

                  + + +#### Triple DES + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Modes / States / Key SizesAlgorithm Implementation and Certificate #
                    +
                  • TDES-CBC:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Keying Option: 1
                    • +
                  • +
                  • TDES-CFB64:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Keying Option: 1
                    • +
                  • +
                  • TDES-CFB8:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Keying Option: 1
                    • +
                  • +
                  • TDES-ECB:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Keying Option: 1
                    • +
                  • +

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #2558

                  +

                  Version 10.0.15063.674

                    +
                  • TDES-CBC:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Keying Option: 1
                    • +
                  • +
                  • TDES-CFB64:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Keying Option: 1
                    • +
                  • +
                  • TDES-CFB8:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Keying Option: 1
                    • +
                  • +
                  • TDES-ECB:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Keying Option: 1
                    • +
                  • +

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2557

                  +

                  Version 10.0.15254

                    +
                  • TDES-CBC:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Keying Option: 1
                    • +
                  • +
                  • TDES-CFB64:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Keying Option: 1
                    • +
                  • +
                  • TDES-CFB8:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Keying Option: 1
                    • +
                  • +
                  • TDES-ECB:
                  • +
                    • +
                    • Modes: Decrypt, Encrypt
                    • +
                    • Keying Option: 1
                    • +
                  • +

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556

                  +

                  Version 10.0.16299

                  TECB(KO 1 e/d); TCBC(KO 1 e/d); TCFB8(KO 1 e/d); TCFB64(KO 1 e/d)

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459

                  +

                  Version 10.0.15063

                  TECB(KO 1 e/d);

                  +

                  TCBC(KO 1 e/d)

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384

                  +

                  Version 8.00.6246

                  TECB(KO 1 e/d);

                  +

                  TCBC(KO 1 e/d)

                  Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383

                  +

                  Version 8.00.6246

                  TECB(KO 1 e/d);

                  +

                  TCBC(KO 1 e/d);

                  +

                  CTR (int only)

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382

                  +

                  Version 7.00.2872

                  TECB(KO 1 e/d);

                  +

                  TCBC(KO 1 e/d)

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381

                  +

                  Version 8.00.6246

                  TECB(KO 1 e/d);

                  +

                  TCBC(KO 1 e/d);

                  +

                  TCFB8(KO 1 e/d);

                  +

                  TCFB64(KO 1 e/d)

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227
                  +
                  +

                  +

                  Version 10.0.14393

                  TECB(KO 1 e/d);

                  +

                  TCBC(KO 1 e/d);

                  +

                  TCFB8(KO 1 e/d);

                  +

                  TCFB64(KO 1 e/d)

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024
                  +
                  +

                  +

                  Version 10.0.10586

                  TECB(KO 1 e/d);

                  +

                  TCBC(KO 1 e/d);

                  +

                  TCFB8(KO 1 e/d);

                  +

                  TCFB64(KO 1 e/d)

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969
                  +
                  +

                  +

                  Version 10.0.10240

                  TECB(KO 1 e/d);

                  +

                  TCBC(KO 1 e/d);

                  +

                  TCFB8(KO 1 e/d);

                  +

                  TCFB64(KO 1 e/d)

                  Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

                  +

                  Version 6.3.9600

                  TECB(e/d; KO 1, 2);

                  +

                  TCBC(e/d; KO 1, 2);

                  +

                  TCFB8(e/d; KO 1, 2);

                  +

                  TCFB64(e/d; KO 1, 2)

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387

                  TECB(e/d; KO 1, 2);

                  +

                  TCBC(e/d; KO 1, 2);

                  +

                  TCFB8(e/d; KO 1, 2)

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386

                  TECB(e/d; KO 1, 2);

                  +

                  TCBC(e/d; KO 1, 2);

                  +

                  TCFB8(e/d; KO 1, 2)

                  Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846

                  TECB(e/d; KO 1, 2);

                  +

                  TCBC(e/d; KO 1, 2);

                  +

                  TCFB8(e/d; KO 1, 2)

                  Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656

                  TECB(e/d; KO 1, 2);

                  +

                  TCBC(e/d; KO 1, 2);

                  +

                  TCFB8(e/d; KO 1, 2)

                  Windows Vista Symmetric Algorithm Implementation #549
                  Triple DES MAC

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed

                  +

                  Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed

                  TECB(e/d; KO 1, 2);

                  +

                  TCBC(e/d; KO 1, 2)

                  Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308

                  +

                  Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307

                  +

                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691

                  +

                  Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #677

                  +

                  Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #676

                  +

                  Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #675

                  +

                  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #544

                  +

                  Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #543

                  +

                  Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #542

                  +

                  Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #526

                  +

                  Windows CE and Windows Mobile 6 and Windows Mobile 6.1 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #517

                  +

                  Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #381

                  +

                  Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #370

                  +

                  Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #365

                  +

                  Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #315

                  +

                  Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #201

                  +

                  Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #199

                  +

                  Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #192

                  +

                  Windows XP Microsoft Enhanced Cryptographic Provider #81

                  +

                  Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #18

                  +

                  Crypto Driver for Windows 2000 (fips.sys) #16

                  + + +#### SP 800-132 Password-Based Key Derivation Function (PBKDF) + + + + + + + + + + + + + + +
                  + Modes / States / Key Sizes + + Algorithm Implementation and Certificate # +
                  + PBKDF (vendor affirmed) +

                   Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937
                  (Software Version: 10.0.14393)

                  +

                  Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
                  (Software Version: 10.0.14393)

                  +

                  Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2935
                  (Software Version: 10.0.14393)

                  +

                  Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2931
                  (Software Version: 10.0.14393)

                  +
                  + PBKDF (vendor affirmed) +

                  Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
                  (Software Version: 10.0.14393)

                  +

                  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed

                  +
                  + + +#### Component Validation List + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                  Publication / Component Validated / DescriptionImplementation and Certificate #
                    +
                  • ECDSA SigGen:
                  • +
                    • +
                    • P-256 SHA: SHA-256
                    • +
                    • P-384 SHA: SHA-384
                    • +
                    • P-521 SHA: SHA-512
                    • +
                  • +
                  +

                  Prerequisite: DRBG #489

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540

                  +

                  Version 6.3.9600

                    +
                  • RSASP1:
                  • +
                    • +
                    • Modulus Size: 2048 (bits)
                    • +
                    • Padding Algorithms: PKCS 1.5
                    • +
                  • +

                  Microsoft Surface Hub Virtual TPM Implementations #1519

                  +

                  Version 10.0.15063.674

                    +
                  • RSASP1:
                  • +
                    • +
                    • Modulus Size: 2048 (bits)
                    • +
                    • Padding Algorithms: PKCS 1.5
                    • +
                  • +

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518

                  +

                  Version 10.0.16299

                    +
                  • RSADP:
                  • +
                    • +
                    • Modulus Size: 2048 (bits)
                    • +
                  • +

                  Microsoft Surface Hub MsBignum Cryptographic Implementations #1517

                  +

                  Version 10.0.15063.674

                    +
                  • RSASP1:
                  • +
                    • +
                    • Modulus Size: 2048 (bits)
                    • +
                    • Padding Algorithms: PKCS 1.5
                    • +
                  • +

                  Microsoft Surface Hub MsBignum Cryptographic Implementations #1516

                  +

                  Version 10.0.15063.674

                    +
                  • ECDSA SigGen:
                  • +
                    • +
                    • P-256 SHA: SHA-256
                    • +
                    • P-384 SHA: SHA-384
                    • +
                    • P-521 SHA: SHA-512
                    • +
                  • +
                  +

                   Prerequisite: DRBG #1732

                  Microsoft Surface Hub MsBignum Cryptographic Implementations #1515

                  +

                  Version 10.0.15063.674

                    +
                  • ECDSA SigGen:
                  • +
                    • +
                    • P-256 SHA: SHA-256
                    • +
                    • P-384 SHA: SHA-384
                    • +
                    • P-521 SHA: SHA-512
                    • +
                  • +
                  +

                  Prerequisite: DRBG #1732

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #1514

                  +

                  Version 10.0.15063.674

                    +
                  • RSADP:
                  • +
                    • +
                    • Modulus Size: 2048 (bits)
                    • +
                  • +

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #1513

                  +

                  Version 10.0.15063.674

                    +
                  • RSASP1:
                  • +
                    • +
                    • Modulus Size: 2048 (bits)
                    • +
                    • Padding Algorithms: PKCS 1.5
                    • +
                  • +

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #1512

                  +

                  Version 10.0.15063.674

                    +
                  • IKEv1:
                  • +
                    • +
                    • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
                    • +
                    • Pre-shared Key Length: 64-2048
                    • +
                    • Diffie-Hellman shared secrets:
                    • +
                      • +
                      • Diffie-Hellman shared secret:
                      • +
                        • +
                        • Length: 2048 (bits)
                        • +
                        • SHA Functions: SHA-256
                        • +
                      • +
                      • Diffie-Hellman shared secret:
                      • +
                        • +
                        • Length: 256 (bits)
                        • +
                        • SHA Functions: SHA-256
                        • +
                      • +
                      • Diffie-Hellman shared secret:
                      • +
                        • +
                        • Length: 384 (bits)
                        • +
                        • SHA Functions: SHA-384
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4011, HMAC #3269

                  +
                    +
                  • IKEv2:
                  • +
                    • +
                    • Derived Keying Material length: 192-1792
                    • +
                    • Diffie-Hellman shared secrets:
                    • +
                      • +
                      • Diffie-Hellman shared secret:
                      • +
                        • +
                        • Length: 2048 (bits)
                        • +
                        • SHA Functions: SHA-256
                        • +
                      • +
                      • Diffie-Hellman shared secret:
                      • +
                        • +
                        • Length: 256 (bits)
                        • +
                        • SHA Functions: SHA-256
                        • +
                      • +
                      • Diffie-Hellman shared secret:
                      • +
                        • +
                        • Length: 384 (bits)
                        • +
                        • SHA Functions: SHA-384
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4011, HMAC #3269

                  +
                    +
                  • TLS:
                  • +
                    • +
                    • Supports TLS 1.0/1.1
                    • +
                    • Supports TLS 1.2:
                    • +
                      • +
                      • SHA Functions: SHA-256, SHA-384
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4011, HMAC #3269

                  Microsoft Surface Hub SymCrypt Cryptographic Implementations #1511

                  +

                  Version 10.0.15063.674

                    +
                  • ECDSA SigGen:
                  • +
                    • +
                    • P-256 SHA: SHA-256
                    • +
                    • P-384 SHA: SHA-384
                    • +
                    • P-521 SHA: SHA-512
                    • +
                  • +
                  +

                  Prerequisite: DRBG #1731

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1510

                  +

                  Version 10.0.15254

                    +
                  • RSADP:
                  • +
                    • +
                    • Modulus Size: 2048 (bits)
                    • +
                  • +

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1509

                  +

                  Version 10.0.15254

                    +
                  • RSASP1:
                  • +
                    • +
                    • Modulus Size: 2048 (bits)
                    • +
                    • Padding Algorithms: PKCS 1.5
                    • +
                  • +

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1508

                  +

                  Version 10.0.15254

                    +
                  • IKEv1:
                  • +
                    • +
                    • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
                    • +
                    • Pre-shared Key Length: 64-2048
                    • +
                    • Diffie-Hellman shared secrets:
                    • +
                      • +
                      • Diffie-Hellman shared secret:
                      • +
                        • +
                        • Length: 2048 (bits)
                        • +
                        • SHA Functions: SHA-256
                        • +
                      • +
                      • Diffie-Hellman shared secret:
                      • +
                        • +
                        • Length: 256 (bits)
                        • +
                        • SHA Functions: SHA-256
                        • +
                      • +
                      • Diffie-Hellman shared secret:
                      • +
                        • +
                        • Length: 384 (bits)
                        • +
                        • SHA Functions: SHA-384
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4010, HMAC #3268

                  +
                    +
                  • IKEv2:
                  • +
                    • +
                    • Derived Keying Material length: 192-1792
                    • +
                    • Diffie-Hellman shared secrets:
                    • +
                      • +
                      • Diffie-Hellman shared secret:
                      • +
                        • +
                        • Length: 2048 (bits)
                        • +
                        • SHA Functions: SHA-256
                        • +
                      • +
                      • Diffie-Hellman shared secret:
                      • +
                        • +
                        • Length: 256 (bits)
                        • +
                        • SHA Functions: SHA-256
                        • +
                      • +
                      • Diffie-Hellman shared secret:
                      • +
                        • +
                        • Length: 384 (bits)
                        • +
                        • SHA Functions: SHA-384
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4010, HMAC #3268

                  +
                    +
                  • TLS:
                  • +
                    • +
                    • Supports TLS 1.0/1.1
                    • +
                    • Supports TLS 1.2:
                    • +
                      • +
                      • SHA Functions: SHA-256, SHA-384
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4010, HMAC #3268

                  Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1507

                  +

                  Version 10.0.15254

                    +
                  • ECDSA SigGen:
                  • +
                    • +
                    • P-256 SHA: SHA-256
                    • +
                    • P-384 SHA: SHA-384
                    • +
                    • P-521 SHA: SHA-512
                    • +
                  • +
                  +

                  Prerequisite: DRBG #1731

                  Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1506

                  +

                  Version 10.0.15254

                    +
                  • RSADP:
                  • +
                    • +
                    • Modulus Size: 2048 (bits)
                    • +
                  • +

                  Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1505

                  +

                  Version 10.0.15254

                    +
                  • RSASP1:
                  • +
                    • +
                    • Modulus Size: 2048 (bits)
                    • +
                    • Padding Algorithms: PKCS 1.5
                    • +
                  • +

                  Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1504

                  +

                  Version 10.0.15254

                    +
                  • ECDSA SigGen:
                  • +
                    • +
                    • P-256 SHA: SHA-256
                    • +
                    • P-384 SHA: SHA-384
                    • +
                    • P-521 SHA: SHA-512
                    • +
                  • +
                  +

                  Prerequisite: DRBG #1730

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503

                  +

                  Version 10.0.16299

                    +
                  • RSADP:
                  • +
                    • +
                    • Modulus Size: 2048 (bits)
                    • +
                  • +

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502

                  +

                  Version 10.0.16299

                    +
                  • RSASP1:
                  • +
                    • +
                    • Modulus Size: 2048 (bits)
                    • +
                    • Padding Algorithms: PKCS 1.5
                    • +
                  • +

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501

                  +

                  Version 10.0.16299

                    +
                  • ECDSA SigGen:
                  • +
                    • +
                    • P-256 SHA: SHA-256
                    • +
                    • P-384 SHA: SHA-384
                    • +
                    • P-521 SHA: SHA-512
                    • +
                  • +
                  +

                  Prerequisite: DRBG #1730

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499

                  +

                  Version 10.0.16299

                    +
                  • RSADP:
                  • +
                    • +
                    • Modulus Size: 2048 (bits)
                    • +
                  • +

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498

                  +

                  Version 10.0.16299

                  +

                   

                    +
                  • RSASP1:
                  • +
                    • +
                    • Modulus Size: 2048 (bits)
                    • +
                    • Padding Algorithms: PKCS 1.5
                    • +
                  • +

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1497

                  +

                  Version 10.0.16299

                    +
                  • IKEv1:
                  • +
                    • +
                    • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
                    • +
                    • Pre-shared Key Length: 64-2048
                    • +
                    • Diffie-Hellman shared secrets:
                    • +
                      • +
                      • Diffie-Hellman shared secret:
                      • +
                        • +
                        • Length: 2048 (bits)
                        • +
                        • SHA Functions: SHA-256
                        • +
                      • +
                      • Diffie-Hellman shared secret:
                      • +
                        • +
                        • Length: 256 (bits)
                        • +
                        • SHA Functions: SHA-256
                        • +
                      • +
                      • Diffie-Hellman shared secret:
                      • +
                        • +
                        • Length: 384 (bits)
                        • +
                        • SHA Functions: SHA-384
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4009, HMAC #3267

                  +
                    +
                  • IKEv2:
                  • +
                    • +
                    • Derived Keying Material length: 192-1792
                    • +
                    • Diffie-Hellman shared secrets:
                    • +
                      • +
                      • Diffie-Hellman shared secret:
                      • +
                        • +
                        • Length: 2048 (bits)
                        • +
                        • SHA Functions: SHA-256
                        • +
                      • +
                      • Diffie-Hellman shared secret:
                      • +
                        • +
                        • Length: 256 (bits)
                        • +
                        • SHA Functions: SHA-256
                        • +
                      • +
                      • Diffie-Hellman shared secret:
                      • +
                        • +
                        • Length: 384 (bits)
                        • +
                        • SHA Functions: SHA-384
                        • +
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4009, HMAC #3267

                  +
                    +
                  • TLS:
                  • +
                    • +
                    • Supports TLS 1.0/1.1
                    • +
                    • Supports TLS 1.2:
                    • +
                      • +
                      • SHA Functions: SHA-256, SHA-384
                      • +
                    • +
                  • +
                  +

                  Prerequisite: SHS #4009, HMAC #3267

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

                  +

                  Version 10.0.16299

                  FIPS186-4 ECDSA

                  +

                  Signature Generation of hash sized messages

                  +

                  ECDSA SigGen Component: CURVES(P-256 P-384 P-521)

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1284
                  +Version 10.0. 15063

                  +

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1279
                  +Version 10.0. 15063

                  +

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #922
                  +Version 10.0.14393

                  +

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
                  +Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #666
                  +Version 10.0.10586

                  +

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
                  +Version 6.3.9600

                  FIPS186-4 RSA; PKCS#1 v2.1

                  +

                  RSASP1 Signature Primitive

                  +

                  RSASP1: (Mod2048: PKCS1.5 PKCSPSS)

                  Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1285
                  +Version 10.0.15063

                  +

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1282
                  +Version 10.0.15063

                  +

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1280
                  +Version 10.0.15063

                  +

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893
                  +Version 10.0.14393

                  +

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #888
                  +Version 10.0.14393

                  +

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
                  +Version 10.0.10586

                  +

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #572
                  +Version  10.0.10240

                  +

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry MsBignum Cryptographic Implementations #289
                  +Version 6.3.9600

                  FIPS186-4 RSA; RSADP

                  +

                  RSADP Primitive

                  +

                  RSADP: (Mod2048)

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1283
                  +Version 10.0.15063

                  +

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1281
                  +Version 10.0.15063

                  +

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895
                  +Version 10.0.14393

                  +

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #887
                  +Version 10.0.14393

                  +

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #663
                  +Version 10.0.10586

                  +

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #576
                  +Version  10.0.10240

                  SP800-135

                  +

                  Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS

                  Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

                  +

                  Version 10.0.16299

                  +

                  Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1278
                  +Version 10.0.15063

                  +

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1140
                  +Version 7.00.2872

                  +

                  Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1139
                  +Version 8.00.6246

                  +

                  Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BcryptPrimitives and NCryptSSLp #886
                  +Version 10.0.14393

                  +

                  Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BCryptPrimitives and NCryptSSLp #664
                  +Version 10.0.10586

                  +

                  Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp #575
                  +Version  10.0.10240

                  +

                  Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323
                  +Version 6.3.9600

                  + +## Contact + +fips@microsoft.com + +## References + +* [FIPS 140-2, Security Requirements for Cryptographic Modules](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)) +* [Cryptographic Module Validation Program (CMVP) FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf) +* [SP 800-57 - Recommendation for Key Management – Part 1: General (Revised)](https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final) * [SP 800-131A - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf) \ No newline at end of file diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md index 6b37a5a6a1..56c3058279 100644 --- a/windows/security/threat-protection/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/get-support-for-security-baselines.md @@ -13,7 +13,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/25/2018 ms.reviewer: -ms.technology: mde +ms.technology: windows-sec --- # Get Support diff --git a/windows/security/threat-protection/images/simplified-sdl.png b/windows/security/threat-protection/images/simplified-sdl.png new file mode 100644 index 0000000000..97c7448b8c Binary files /dev/null and b/windows/security/threat-protection/images/simplified-sdl.png differ diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index f299d99657..7baa36b1a0 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md 
@@ -1,149 +1,51 @@ --- -title: Threat Protection (Windows 10) -description: Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. -keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection +title: Windows threat protection +description: Describes the security capabilities in Windows client focused on threat protection +keywords: threat protection, Microsoft Defender Antivirus, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: macapara -author: mjcaparas +ms.author: dansimp +author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.technology: mde +ms.technology: windows-sec --- -# Threat Protection +# Windows threat protection **Applies to:** -- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) -- [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender) +- Windows 10 +- Windows 11 -[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. 
Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture. +In Windows client, hardware and software work together to help protect you from new and emerging threats. Expanded security protections in Windows 11 help boost security from the chip, to the cloud. -**Applies to:** -- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) +## Windows threat protection -> [!TIP] -> Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](/enterprise-mobility-security/remote-work/). +See the following articles to learn more about the different areas of Windows threat protection: -

                  Microsoft Defender for Endpoint

                  - - - - - - - - - - - - - - - -
                  threat and vulnerability icon
                  Threat & vulnerability management
                  attack surface reduction icon
                  Attack surface reduction
                  next generation protection icon
                  Next-generation protection
                  endpoint detection and response icon
                  Endpoint detection and response
                  automated investigation and remediation icon
                  Automated investigation and remediation
                  microsoft threat experts icon
                  Microsoft Threat Experts
                  -
                  Centralized configuration and administration, APIs
                  Microsoft 365 Defender
                  -
                  - - - - ->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq] - -**[Threat & vulnerability management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)**
                  -This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. - -- [Threat & vulnerability management overview](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) -- [Get started](/microsoft-365/security/defender-endpoint/tvm-prerequisites) -- [Access your security posture](/microsoft-365/security/defender-endpoint/tvm-dashboard-insights) -- [Improve your security posture and reduce risk](/microsoft-365/security/defender-endpoint/tvm-security-recommendation) -- [Understand vulnerabilities on your devices](/microsoft-365/security/defender-endpoint/tvm-software-inventory) - - - -**[Attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**
                  -The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. - -- [Hardware based isolation](/microsoft-365/security/defender-endpoint/overview-hardware-based-isolation) -- [Application control](windows-defender-application-control/windows-defender-application-control.md) -- [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) +- [Microsoft Defender Application Guard](\windows\security\threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md) +- [Virtualization-based protection of code integrity](\windows\security\threat-protection\device-guard\enable-virtualization-based-protection-of-code-integrity.md) +- [Application control](/windows-defender-application-control/windows-defender-application-control.md) +- [Microsoft Defender Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) - [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection) - [Network protection](/microsoft-365/security/defender-endpoint/network-protection), [web protection](/microsoft-365/security/defender-endpoint/web-protection-overview) +- [Microsoft Defender SmartScreen](\windows\security\threat-protection\microsoft-defender-smartscreen\microsoft-defender-smartscreen-overview.md) - [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders) - [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) - [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) +- [Windows Sandbox](\windows\security\threat-protection\windows-sandbox\windows-sandbox-overview.md) - - -**[Next-generation 
protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)**
                  -To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats. +### Next-generation protection +Next-generation protection is designed to identify and block new and emerging threats. Powered by the cloud and machine learning, Microsoft Defender Antivirus can help stop attacks in real-time. - [Behavior monitoring](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus) - [Cloud-based protection](/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus) - [Machine learning](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus) - [URL Protection](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus) -- [Automated sandbox service](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) - - - -**[Endpoint detection and response](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response)**
                  -Endpoint detection and response capabilities are put in place to detect, investigate, and respond to intrusion attempts and active breaches. With Advanced hunting, you have a query-based threat-hunting tool that lets your proactively find breaches and create custom detections. - -- [Alerts](/microsoft-365/security/defender-endpoint/alerts-queue) -- [Historical endpoint data](/microsoft-365/security/defender-endpoint/investigate-machines#timeline) -- [Response orchestration](/microsoft-365/security/defender-endpoint/respond-machine-alerts) -- [Forensic collection](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) -- [Threat intelligence](/microsoft-365/security/defender-endpoint/threat-indicator-concepts) -- [Advanced detonation and analysis service](/microsoft-365/security/defender-endpoint/respond-file-alerts#deep-analysis) -- [Advanced hunting](/microsoft-365/security/defender-endpoint/advanced-hunting-overview) - - [Custom detections](/microsoft-365/security/defender-endpoint/overview-custom-detections) - - - -**[Automated investigation and remediation](/microsoft-365/security/defender-endpoint/automated-investigations)**
                  -In addition to quickly responding to advanced attacks, Microsoft Defender for Endpoint offers automated investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. - -- [Get an overview of automated investigation and remediation](/microsoft-365/security/defender-endpoint/automated-investigations) -- [Learn about automation levels](/microsoft-365/security/defender-endpoint/automation-levels) -- [Configure automated investigation and remediation in Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation) -- [Visit the Action center to see remediation actions](/microsoft-365/security/defender-endpoint/auto-investigation-action-center) -- [Review remediation actions following an automated investigation](/microsoft-365/security/defender-endpoint/manage-auto-investigation) - - - -**[Microsoft Threat Experts](/microsoft-365/security/defender-endpoint/microsoft-threat-experts)**
                  -Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. - -- [Targeted attack notification](/microsoft-365/security/defender-endpoint/microsoft-threat-experts) -- [Experts-on-demand](/microsoft-365/security/defender-endpoint/microsoft-threat-experts) -- [Configure your Microsoft 365 Defender managed hunting service](/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts) - - - -**[Centralized configuration and administration, APIs](/microsoft-365/security/defender-endpoint/management-apis)**
                  -Integrate Microsoft Defender for Endpoint into your existing workflows. -- [Onboarding](/microsoft-365/security/defender-endpoint/onboard-configure) -- [API and SIEM integration](/microsoft-365/security/defender-endpoint/configure-siem) -- [Exposed APIs](/microsoft-365/security/defender-endpoint/apis-intro) -- [Role-based access control (RBAC)](/microsoft-365/security/defender-endpoint/rbac) -- [Reporting and trends](/microsoft-365/security/defender-endpoint/threat-protection-reports) - - -**[Integration with Microsoft solutions](/microsoft-365/security/defender-endpoint/threat-protection-integration)**
                  - Microsoft Defender for Endpoint directly integrates with various Microsoft solutions, including: -- Intune -- Microsoft Defender for Office 365 -- Microsoft Defender for Identity -- Azure Defender -- Skype for Business -- Microsoft Cloud App Security - - -**[Microsoft 365 Defender](/microsoft-365/security/mtp/microsoft-threat-protection)**
                  - With Microsoft 365 Defender, Microsoft Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks. \ No newline at end of file +- [Automated sandbox service](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/TOC.yml b/windows/security/threat-protection/intelligence/TOC.yml deleted file mode 100644 index 78fea4eba3..0000000000 --- a/windows/security/threat-protection/intelligence/TOC.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -- name: Security intelligence - href: index.md - items: - - name: Understand malware & other threats - href: understanding-malware.md - items: - - name: Coin miners - href: coinminer-malware.md - - name: Exploits and exploit kits - href: exploits-malware.md - - name: Fileless threats - href: fileless-threats.md - - name: Macro malware - href: macro-malware.md - - name: Phishing attacks - href: phishing.md - items: - - name: Phishing trends and techniques - href: phishing-trends.md - - name: Ransomware - href: /security/compass/human-operated-ransomware - - name: Rootkits - href: rootkits-malware.md - - name: Supply chain attacks - href: supply-chain-malware.md - - name: Tech support scams - href: support-scams.md - - name: Trojans - href: trojans-malware.md - - name: Unwanted software - href: unwanted-software.md - - name: Worms - href: worms-malware.md - - name: Prevent malware infection - href: prevent-malware-infection.md - - name: Malware naming convention - href: malware-naming.md - - name: How Microsoft identifies malware and PUA - href: criteria.md - - name: Submit files for analysis - href: submission-guide.md - - name: Troubleshoot malware submission - href: portal-submission-troubleshooting.md - - name: Safety Scanner download - href: safety-scanner-download.md - - name: Industry collaboration programs - href: cybersecurity-industry-partners.md - items: - - name: Virus information alliance - href: virus-information-alliance-criteria.md - - name: Microsoft virus initiative - href: virus-initiative-criteria.md - - name: Coordinated malware eradication - href: coordinated-malware-eradication.md - - name: Information for developers - items: - - name: Software developer FAQ - href: developer-faq.yml - - name: Software developer resources - href: developer-resources.md 
diff --git a/windows/security/threat-protection/intelligence/coinminer-malware.md b/windows/security/threat-protection/intelligence/coinminer-malware.md
index 2f9e582a64..5e3a895186 100644
--- a/windows/security/threat-protection/intelligence/coinminer-malware.md
+++ b/windows/security/threat-protection/intelligence/coinminer-malware.md
@@ -14,7 +14,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 search.appverid: met150
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Coin miners
diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
index def1ec0b93..d765694f94 100644
--- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
+++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
@@ -13,7 +13,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Coordinated Malware Eradication
diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md
index 381dc66ce4..1f07f8975c 100644
--- a/windows/security/threat-protection/intelligence/criteria.md
+++ b/windows/security/threat-protection/intelligence/criteria.md
@@ -13,8 +13,9 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
+ms.date: 10/04/2021
 search.appverid: met150
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # How Microsoft identifies malware and potentially unwanted applications
@@ -174,7 +175,7 @@ Microsoft uses specific categories and the category definitions to classify soft * **Torrent software (Enterprise only):** Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies. -* **Cryptomining software:** Software that uses your device resources to mine cryptocurrencies. +* **Cryptomining software (Enterprise only):** Software that uses your device resources to mine cryptocurrencies. * **Bundling software:** Software that offers to install other software that is not developed by the same entity or not required for the software to run. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document. diff --git a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md index 6df748d442..9ad598b76d 100644 --- a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md +++ b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md @@ -13,7 +13,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.technology: mde +ms.technology: windows-sec --- # Industry collaboration programs diff --git a/windows/security/threat-protection/intelligence/developer-faq.yml b/windows/security/threat-protection/intelligence/developer-faq.yml index 04300736d9..27ece7ec39 100644 --- a/windows/security/threat-protection/intelligence/developer-faq.yml +++ b/windows/security/threat-protection/intelligence/developer-faq.yml 
@@ -16,7 +16,7 @@ metadata: audience: ITPro ms.collection: M365-security-compliance ms.topic: article - ms.technology: mde + ms.technology: windows-sec title: Software developer FAQ summary: This page provides answers to common questions we receive from software developers. For general guidance about submitting malware or incorrectly detected files, read the submission guide. @@ -55,6 +55,6 @@ sections: Firewall blocks aren't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md). - question: | - Why does the Microsoft Defender Windows Defender SmartScreen say my program isn't commonly downloaded? + Why does the Microsoft Defender SmartScreen say my program isn't commonly downloaded? answer: | - This isn't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender Windows Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) + This isn't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md index 3b7d080b28..4f489bae80 100644 --- a/windows/security/threat-protection/intelligence/developer-resources.md +++ b/windows/security/threat-protection/intelligence/developer-resources.md @@ -15,7 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.technology: mde +ms.technology: windows-sec --- # Software developer resources diff --git a/windows/security/threat-protection/intelligence/exploits-malware.md b/windows/security/threat-protection/intelligence/exploits-malware.md index 3a88ecaf55..41086f1308 100644 
--- a/windows/security/threat-protection/intelligence/exploits-malware.md
+++ b/windows/security/threat-protection/intelligence/exploits-malware.md
@@ -14,7 +14,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 search.appverid: met150
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Exploits and exploit kits
diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md
index b125773d18..7f84b0446c 100644
--- a/windows/security/threat-protection/intelligence/fileless-threats.md
+++ b/windows/security/threat-protection/intelligence/fileless-threats.md
@@ -14,7 +14,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 search.appverid: met150
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Fileless threats
diff --git a/windows/security/threat-protection/intelligence/index.md b/windows/security/threat-protection/intelligence/index.md
index 7fce4cc28d..48b0faad6b 100644
--- a/windows/security/threat-protection/intelligence/index.md
+++ b/windows/security/threat-protection/intelligence/index.md
@@ -12,7 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Security intelligence
diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md
index 5bf655b20c..4421309156 100644
--- a/windows/security/threat-protection/intelligence/macro-malware.md
+++ b/windows/security/threat-protection/intelligence/macro-malware.md
@@ -14,7 +14,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 search.appverid: met150
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Macro malware
diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md
index 3b37bdf391..d8c17ef82c 100644
--- a/windows/security/threat-protection/intelligence/malware-naming.md
+++ b/windows/security/threat-protection/intelligence/malware-naming.md
@@ -14,7 +14,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 search.appverid: met150
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Malware names
diff --git a/windows/security/threat-protection/intelligence/phishing-trends.md b/windows/security/threat-protection/intelligence/phishing-trends.md
index 1785d95a38..097dbd3120 100644
--- a/windows/security/threat-protection/intelligence/phishing-trends.md
+++ b/windows/security/threat-protection/intelligence/phishing-trends.md
@@ -14,7 +14,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 search.appverid: met150
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Phishing trends and techniques
diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md
index 01c216b8fe..215acf8c29 100644
--- a/windows/security/threat-protection/intelligence/phishing.md
+++ b/windows/security/threat-protection/intelligence/phishing.md
@@ -14,7 +14,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 search.appverid: met150
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # How to protect against phishing attacks
diff --git a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
index ae7c0e8363..ebccd09195 100644
--- a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
+++ b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
@@ -14,7 +14,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 search.appverid: met150
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Troubleshooting malware submission errors caused by administrator block
diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
index 4b3b38c797..f5ee250869 100644
--- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md
+++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
@@ -14,7 +14,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 search.appverid: met150
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Prevent malware infection
diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md
index 3a795c9074..250102afa9 100644
--- a/windows/security/threat-protection/intelligence/rootkits-malware.md
+++ b/windows/security/threat-protection/intelligence/rootkits-malware.md
@@ -14,7 +14,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 search.appverid: met150
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Rootkits
@@ -56,7 +56,7 @@ For more general tips, see [prevent malware infection](prevent-malware-infection Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you have a rootkit that your antimalware software isn’t detecting, you may need an extra tool that lets you boot to a known trusted environment. -[Microsoft Defender Offline](https://support.microsoft.com/help/17466/microsoft-defender-offline-help-protect-my-pc) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly because of a possible malware infection. +[Microsoft Defender Offline](https://support.microsoft.com/help/17466/microsoft-defender-offline-help-protect-my-pc) can be launched from the Windows Security app and has the latest antimalware updates from Microsoft. It’s designed to be used on devices that aren't working correctly because of a possible malware infection. [System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/) in Windows 10 protects against rootkits and threats that impact system integrity. diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md index 282c90bd86..b271e43bca 100644 --- a/windows/security/threat-protection/intelligence/safety-scanner-download.md +++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md @@ -14,7 +14,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 -ms.technology: mde +ms.technology: windows-sec --- # Microsoft Safety Scanner diff --git a/windows/security/threat-protection/intelligence/submission-guide.md b/windows/security/threat-protection/intelligence/submission-guide.md index 97dda7a1ad..4033a6633b 100644 
--- a/windows/security/threat-protection/intelligence/submission-guide.md +++ b/windows/security/threat-protection/intelligence/submission-guide.md @@ -14,7 +14,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 -ms.technology: mde +ms.technology: windows-sec --- # Submit files for analysis @@ -23,7 +23,7 @@ If you have a file that you suspect might be malware or is being incorrectly det ## How do I send a malware file to Microsoft? -You can send us files that you think might be malware or files that have been incorrectly detected through the [sample submission portal](https://www.microsoft.com/wdsi/filesubmission). +You can send us files that you think might be malware or files that have been incorrectly detected through the [sample submission portal](https://www.microsoft.com/en-us/wdsi/filesubmission). We receive a large number of samples from many sources. Our analysis is prioritized by the number of file detections and the type of submission. You can help us complete a quick analysis by providing detailed information about the product you were using and what you were doing when you found the file. @@ -31,7 +31,7 @@ After you sign in, you will be able to track your submissions. ## Can I send a sample by email? -No, we only accept submissions through our [sample submission portal](https://www.microsoft.com/wdsi/filesubmission). +No, we only accept submissions through our [sample submission portal](https://www.microsoft.com/en-us/wdsi/filesubmission). ## Can I submit a sample without signing in? 
@@ -43,7 +43,7 @@ The [Software Assurance ID (SAID)](https://www.microsoft.com/licensing/licensing ### How do I dispute the detection of my program? -[Submit the file](https://www.microsoft.com/wdsi/filesubmission) in question as a software developer. Wait until your submission has a final determination. +[Submit the file](https://www.microsoft.com/en-us/wdsi/filesubmission) in question as a software developer. Wait until your submission has a final determination. If you’re not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We will use the information you provide to investigate further if necessary. @@ -51,7 +51,7 @@ We encourage all software vendors and developers to read about [how Microsoft id ## How do I track or view past sample submissions? -You can track your submissions through the [submission history page](https://www.microsoft.com/wdsi/submissionhistory). +You can track your submissions through the [submission history page](https://www.microsoft.com/en-us/wdsi/submissionhistory). ## What does the submission status mean? @@ -63,7 +63,7 @@ Each submission is shown to be in one of the following status types: * Closed—a final determination has been given by an analyst -You can see the status of any files you submit to us on the [submission history page](https://www.microsoft.com/wdsi/submissionhistory). +You can see the status of any files you submit to us on the [submission history page](https://www.microsoft.com/en-us/wdsi/submissionhistory). ## How does Microsoft prioritize submissions diff --git a/windows/security/threat-protection/intelligence/supply-chain-malware.md b/windows/security/threat-protection/intelligence/supply-chain-malware.md index edd8709cdf..69f77af00f 100644 --- a/windows/security/threat-protection/intelligence/supply-chain-malware.md +++ b/windows/security/threat-protection/intelligence/supply-chain-malware.md 
@@ -14,7 +14,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 search.appverid: met150
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Supply chain attacks
diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md
index ffb5104d6c..07250bbc9c 100644
--- a/windows/security/threat-protection/intelligence/support-scams.md
+++ b/windows/security/threat-protection/intelligence/support-scams.md
@@ -14,7 +14,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 search.appverid: met150
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Tech support scams
diff --git a/windows/security/threat-protection/intelligence/trojans-malware.md b/windows/security/threat-protection/intelligence/trojans-malware.md
index f2b7fe2a80..52b3552843 100644
--- a/windows/security/threat-protection/intelligence/trojans-malware.md
+++ b/windows/security/threat-protection/intelligence/trojans-malware.md
@@ -14,7 +14,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 search.appverid: met150
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Trojans
diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md
index f98d44ceb7..04b637d62c 100644
--- a/windows/security/threat-protection/intelligence/understanding-malware.md
+++ b/windows/security/threat-protection/intelligence/understanding-malware.md
@@ -14,7 +14,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 search.appverid: met150
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Understanding malware & other threats
diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md
index 0083b9496c..9a26e42972 100644
--- a/windows/security/threat-protection/intelligence/unwanted-software.md
+++ b/windows/security/threat-protection/intelligence/unwanted-software.md
@@ -14,7 +14,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
 search.appverid: met150
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Unwanted software
diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
index 65a11f61ab..7d7b790bde 100644
--- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
+++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
@@ -13,7 +13,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Virus Information Alliance
diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
index 83ca25908d..0441e00ed4 100644
--- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
+++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
@@ -13,39 +13,32 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.technology: mde +ms.technology: windows-sec --- # Microsoft Virus Initiative -The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with Windows. - -MVI members receive access to Windows APIs and other technologies including IOAV, AMSI, and Cloud files. Members also get malware telemetry and samples and invitations to security-related events and conferences. +The Microsoft Virus Initiative (MVI) helps organizations develop better-together security solutions that are performant, reliable, and aligned with Microsoft technology and strategy. ## Become a member -You can request membership if you're a representative for an organization that develops and produces antimalware or antivirus technology. Your organization must meet the following requirements to qualify for the MVI program: +You can request membership if you're a representative for an organization that develops and produces antimalware or antivirus technology. -1. Offer an antimalware or antivirus product that meets one of the following criteria: +To qualify for the MVI program, your organization must meet all the following requirements: - * Your organization's own creation. - * Developed by using an SDK (engine and other components) from another MVI Partner company and your organization adds a custom UI and/or other functionality. +1) Your security solution either replaces or compliments Microsoft Defender Antivirus. -2. Have your own malware research team unless you build a product based on an SDK. +2) Your organization is responsible for both developing and distributing app updates to end-customers that address compatibility with Windows. -3. Be active and have a positive reputation in the antimalware industry. 
+3) Your organization must be active in the antimalware industry and have a positive reputation, as evidenced by participation in industry conferences or being reviewed in an industry-standard report such as AV-Comparatives, OPSWAT, or Gartner. - * Activity can include participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT, or Gartner. +4) Your organization must sign a non-disclosure agreement (NDA) with Microsoft. -4. Be willing to sign a non-disclosure agreement (NDA) with Microsoft. +5) Your organization must sign a program license agreement. Maintaining this license agreement requires that you adhere to all program requirements for antimalware apps. These requirements define the behavior of antimalware apps necessary to ensure proper interaction with Windows. -5. Be willing to sign a program license agreement. +6) You must submit your app to Microsoft for periodic performance testing and feature review. -6. Be willing to adhere to program requirements for antimalware apps. These requirements define the behavior of antimalware apps necessary to ensure proper interaction with Windows. - -7. Submit your app to Microsoft for periodic performance testing. - -8. Certified through independent testing by at least one industry standard organization. +7) Your solution must be certified through independent testing by at least one industry-standard organization, and yearly certification must be maintained. Test Provider | Lab Test Type | Minimum Level / Score ------------- |---------------|---------------------- @@ -60,4 +53,4 @@ West Coast Labs | Checkmark Certified
                  http://www.checkmarkcertified.com/sm ## Apply now -If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). +If your organization meets these criteria and is interested in joining, [apply for membership now](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbRxusDUkejalGp0OAgRTWC7BUQVRYUEVMNlFZUjFaUDY2T1U1UDVVU1NKVi4u). diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md index 2aa32ed8f6..0fb215f6b9 100644 --- a/windows/security/threat-protection/intelligence/worms-malware.md +++ b/windows/security/threat-protection/intelligence/worms-malware.md @@ -14,7 +14,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 -ms.technology: mde +ms.technology: windows-sec --- # Worms diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index 83a6f5e00b..406ee97c59 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md @@ -9,7 +9,7 @@ ms.author: dansimp author: dansimp ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # What is Microsoft Baseline Security Analyzer and its uses? diff --git a/windows/security/threat-protection/microsoft-bug-bounty-program.md b/windows/security/threat-protection/microsoft-bug-bounty-program.md new file mode 100644 index 0000000000..70acd69970 --- /dev/null +++ b/windows/security/threat-protection/microsoft-bug-bounty-program.md 
@@ -0,0 +1,22 @@ +--- +title: About the Microsoft Bug Bounty Program +description: If you are a security researcher, you can get a reward for reporting a vulnerability in a Microsoft product, service, or device. +ms.prod: m365-security +audience: ITPro +author: dansimp +ms.author: dansimp +manager: dansimp +ms.collection: M365-identity-device-management +ms.topic: article +ms.localizationpriority: medium +ms.reviewer: +ms.technology: windows-sec +--- + +# About the Microsoft Bug Bounty Program + +Are you a security researcher? Did you find a vulnerability in a Microsoft product, service, or device? If so, we want to hear from you! + +If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions. + +Visit the [Microsoft Bug Bounty Program site](https://www.microsoft.com/en-us/msrc/bounty?rtc=1) for all the details! \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml index ee887e168a..e235cf65ec 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml @@ -3,13 +3,16 @@ items: - name: System requirements href: reqs-md-app-guard.md - - name: Install WDAG + - name: Install Application Guard href: install-md-app-guard.md - - name: Configure WDAG policies + - name: Configure Application Guard policies href: configure-md-app-guard.md - name: Test scenarios href: test-scenarios-md-app-guard.md - name: Microsoft Defender Application Guard Extension href: md-app-guard-browser-extension.md - - name: FAQ + - name: Application Guard FAQ href: faq-md-app-guard.yml +- name: Windows security + href: /windows/security/ + 
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 41284661d3..725a653863 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -1,5 +1,5 @@ --- -title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows 10) +title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows) description: Learn about the available Group Policy settings for Microsoft Defender Application Guard. ms.prod: m365-security ms.mktglfcycl: manage @@ -8,11 +8,11 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 09/16/2021 +ms.date: 09/20/2021 ms.reviewer: manager: dansimp ms.custom: asr -ms.technology: mde +ms.technology: windows-sec --- # Configure Microsoft Defender Application Guard policy settings @@ -20,6 +20,7 @@ ms.technology: mde **Applies to:** - Windows 10 +- Windows 11 Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a Group Policy Object, which is linked to a domain, and then apply all those settings to every endpoint in the domain. @@ -52,13 +53,13 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| -|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

                  Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
                  - Disable the clipboard functionality completely when Virtualization Security is enabled.
                  - Enable copying of certain content from Application Guard into Microsoft Edge.
                  - Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

                  **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| -|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

                  Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
                  - Enable Application Guard to print into the XPS format.
                  - Enable Application Guard to print into the PDF format.
                  - Enable Application Guard to print to locally attached printers.
                  - Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

                  **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| -|Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.

                  **NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.

                  **Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | -|Allow Persistence|Windows 10 Enterprise, 1709 or higher

                  Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

                  **Disabled or not configured.** All user data within Application Guard is reset between sessions.

                  **NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

                  **To reset the container:**
                  1. Open a command-line program and navigate to `Windows/System32`.
                  2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
                  3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| -|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
                  - Enable Microsoft Defender Application Guard only for Microsoft Edge
                  - Enable Microsoft Defender Application Guard only for Microsoft Office
                  - Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

                  **Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| -|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

                  **Disabled or not configured.** Users are not able to save downloaded files from Application Guard to the host operating system.| -|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

                  Windows 10 Pro, 1803 or higher|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

                  **Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| -|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

                  Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

                  **Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| -|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

                  Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

                  **Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.| -|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

                  Windows 10 Pro, 1809 or higher|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

                  **Disabled or not configured.** event logs aren't collected from your Application Guard container.| +|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

                  Windows 10 Pro, 1803 or higher

                  Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
                  - Disable the clipboard functionality completely when Virtualization Security is enabled.
                  - Enable copying of certain content from Application Guard into Microsoft Edge.
                  - Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

                  **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| +|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

                  Windows 10 Pro, 1803 or higher

                  Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
                  - Enable Application Guard to print into the XPS format.
                  - Enable Application Guard to print into the PDF format.
                  - Enable Application Guard to print to locally attached printers.
                  - Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

                  **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| +|Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer|Windows 10 Enterprise, 1709 or higher

                  Windows 11|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.

                  **NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.

                  **Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | +|Allow Persistence|Windows 10 Enterprise, 1709 or higher

                  Windows 10 Pro, 1803 or higher

                  Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

                  **Disabled or not configured.** All user data within Application Guard is reset between sessions.

                  **NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

                  **To reset the container:**
                  1. Open a command-line program and navigate to `Windows/System32`.
                  2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
                  3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| +|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher

                  Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
                  - Enable Microsoft Defender Application Guard only for Microsoft Edge
                  - Enable Microsoft Defender Application Guard only for Microsoft Office
                  - Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

                  **Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| +|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher

                  Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

                  **Disabled or not configured.** Users are not able to save downloaded files from Application Guard to the host operating system.| +|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

                  Windows 10 Pro, 1803 or higher

                  Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

                  **Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| +|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

                  Windows 10 Pro, 1809 or higher

                  Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

                  **Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| +|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

                  Windows 10 Pro, 1809 or higher

                  Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

                  **Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.| +|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

                  Windows 10 Pro, 1809 or higher

                  Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

                  **Disabled or not configured.** event logs aren't collected from your Application Guard container.| diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 9ad53a26f5..867be41703 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -9,11 +9,11 @@ metadata: ms.localizationpriority: medium author: denisebmsft ms.author: deniseb - ms.date: 07/23/2021 + ms.date: 09/30/2021 ms.reviewer: manager: dansimp ms.custom: asr - ms.technology: mde + ms.technology: windows-sec title: Frequently asked questions - Microsoft Defender Application Guard summary: | @@ -171,11 +171,6 @@ sections: 10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. - - question: | - Why can I not launch Application Guard when Exploit Guard is enabled? - answer: | - There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. - - question: | How can I disable portions of ICS without breaking Application Guard? answer: | 
@@ -217,6 +212,16 @@ sections: Policy: Allow installation of devices using drivers that match these device setup classes - `{71a27cdd-812a-11d0-bec7-08002be2092f}` + - question: | + I'm encountering TCP fragmentation issues, and cannot enable my VPN connection. How do I fix this? + answer: | + WinNAT drops ICMP/UDP messages with packets greater than MTU when using Default Switch or Docker NAT network. Support for this has been added in [KB4571744](https://www.catalog.update.microsoft.com/Search.aspx?q=4571744). To fix the issue, install the update and enable the fix by following these steps: + + 1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`. + + 2. Reboot the device. + + additionalContent: | ## See also diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index 3b18ab25d3..2994f3ab96 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md @@ -1,5 +1,5 @@ --- -title: Enable hardware-based isolation for Microsoft Edge (Windows 10) +title: Enable hardware-based isolation for Microsoft Edge (Windows) description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise. ms.prod: m365-security ms.mktglfcycl: manage 
@@ -8,17 +8,19 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 10/21/2020 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.custom: asr -ms.technology: mde +ms.technology: windows-sec --- # Prepare to install Microsoft Defender Application Guard **Applies to:** -- - Windows 10 + +- Windows 10 +- Windows 11 ## Review system requirements @@ -34,6 +36,7 @@ Before you can install and use Microsoft Defender Application Guard, you must de Applies to: - Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Pro edition, version 1803 +- Windows 11 Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-md-app-guard.md) testing scenario. @@ -41,6 +44,7 @@ Employees can use hardware-isolated browsing sessions without any administrator Applies to: - Windows 10 Enterprise edition, version 1709 or higher +- Windows 11 You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container. 
@@ -66,7 +70,7 @@ Application Guard functionality is turned off by default. However, you can quick >[!NOTE] >Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only. -1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**. +1. Click the **Search** or **Cortana** icon in the Windows 10 or Windows 11 taskbar and type **PowerShell**. 2. Right-click **Windows PowerShell**, and then click **Run as administrator**. @@ -120,4 +124,4 @@ Application Guard functionality is turned off by default. However, you can quick 1. Click **Save**. -After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place. \ No newline at end of file +After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md index d507e47abf..2b7a3193ab 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md 
@@ -8,11 +8,11 @@ ms.pagetype: security ms.localizationpriority: medium author: martyav ms.author: v-maave -ms.date: 06/12/2020 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.custom: asr -ms.technology: mde +ms.technology: windows-sec --- # Microsoft Defender Application Guard Extension @@ -20,10 +20,11 @@ ms.technology: mde **Applies to:** - Windows 10 +- Windows 11 [Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/). -[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers. +[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10 and Windows 11, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers. > [!TIP] > Application Guard, by default, offers [native support](/deployedge/microsoft-edge-security-windows-defender-application-guard) to both Microsoft Edge and Internet Explorer. These browsers do not need the extension described here for Application Guard to protect them. 
@@ -37,6 +38,7 @@ Microsoft Defender Application Guard Extension works with the following editions - Windows 10 Professional - Windows 10 Enterprise - Windows 10 Education +- Windows 11 Application Guard itself is required for the extension to work. It has its own set of [requirements](reqs-md-app-guard.md). Check the Application Guard [installation guide](install-md-app-guard.md) for further steps, if you don't have it installed already. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 4ad66674a9..879c15353b 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -1,5 +1,5 @@ --- -title: Microsoft Defender Application Guard (Windows 10) +title: Microsoft Defender Application Guard (Windows 10 or Windows 11) description: Learn about Microsoft Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. ms.prod: m365-security ms.mktglfcycl: manage @@ -8,17 +8,19 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 01/27/2021 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.custom: asr -ms.technology: mde +ms.technology: windows-sec --- # Microsoft Defender Application Guard overview **Applies to** + - Windows 10 +- Windows 11 Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. 
@@ -54,4 +56,4 @@ Application Guard has been created to target several types of devices: | [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | | [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.yml)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| -|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| \ No newline at end of file +|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index fb162b5632..d91da6e81c 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md 
@@ -8,17 +8,19 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 07/01/2021 +ms.date: 10/20/2021 ms.reviewer: manager: dansimp ms.custom: asr -ms.technology: mde +ms.technology: windows-sec --- # System requirements for Microsoft Defender Application Guard **Applies to** + - Windows 10 +- Windows 11 The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. @@ -43,6 +45,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl | Software | Description | |--------|-----------| -| Operating system | Windows 10 Enterprise edition, version 1809 or higher
                  Windows 10 Professional edition, version 1809 or higher
                  Windows 10 Professional for Workstations edition, version 1809 or higher
                  Windows 10 Professional Education edition, version 1809 or higher
                  Windows 10 Education edition, version 1809 or higher
                  Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | +| Operating system | Windows 10 Enterprise edition, version 1809 or higher
                  Windows 10 Professional edition, version 1809 or higher
                  Windows 10 Professional for Workstations edition, version 1809 or higher
                  Windows 10 Professional Education edition, version 1809 or higher
                  Windows 10 Education edition, version 1809 or higher
                  Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions.
                  Windows 11 | | Browser | Microsoft Edge | -| Management system
                  (only for managed devices)| [Microsoft Intune](/intune/)

                  **OR**

                  [Microsoft Endpoint Configuration Manager](/configmgr/)

                  **OR**

                  [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

                  **OR**

                  Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. | +| Management system
                  (only for managed devices)| [Microsoft Intune](/intune/)

                  **OR**

                  [Microsoft Endpoint Configuration Manager](/configmgr/)

                  **OR**

                  [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

                  **OR**

                  Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. | diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index d8ff39f397..cf455c976a 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -1,5 +1,5 @@ --- -title: Testing scenarios with Microsoft Defender Application Guard (Windows 10) +title: Testing scenarios with Microsoft Defender Application Guard (Windows 10 or Windows 11) description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode. ms.prod: m365-security ms.mktglfcycl: manage @@ -10,9 +10,9 @@ author: denisebmsft ms.author: deniseb ms.reviewer: manager: dansimp -ms.date: 09/14/2020 +ms.date: 09/09/2021 ms.custom: asr -ms.technology: mde +ms.technology: windows-sec --- # Application Guard testing scenarios @@ -20,6 +20,7 @@ ms.technology: mde **Applies to:** - Windows 10 +- Windows 11 We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization. 
@@ -50,7 +51,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise- ### Install, set up, and turn on Application Guard -Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings. +Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, and Windows 11 which includes the functionality. Then, you must use Group Policy to set up the required settings. 1. [Install Application Guard](./install-md-app-guard.md#install-application-guard). @@ -111,6 +112,7 @@ You have the option to change each of these settings to work with your enterpris - Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Professional edition, version 1803 +- Windows 11 #### Copy and paste options 
@@ -169,7 +171,7 @@ You have the option to change each of these settings to work with your enterpris The previously added site should still appear in your **Favorites** list. > [!NOTE] - > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10. + > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10 and Windows 11. > > If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data. > @@ -179,6 +181,7 @@ You have the option to change each of these settings to work with your enterpris - Windows 10 Enterprise edition, version 1803 - Windows 10 Professional edition, version 1803 +- Windows 11 #### Download options 
@@ -210,12 +213,13 @@ You have the option to change each of these settings to work with your enterpris - Windows 10 Enterprise edition, version 1809 - Windows 10 Professional edition, version 1809 +- Windows 11 #### File trust options 1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow users to trust files that open in Microsoft Defender Application Guard** setting. -2. Click **Enabled**, set **Options** to 2, and click **OK**. +2. Click **Enabled**, set **Options** to **2**, and click **OK**. ![Group Policy editor File trust options.](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md index 9229244aa8..14c78b9fa8 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md @@ -11,7 +11,7 @@ ms.date: 09/28/2020 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings **Applies to:** diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index baf718b6fe..8b9946ec0d 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md 
@@ -11,7 +11,7 @@ audience: ITPro ms.localizationpriority: high ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Microsoft Defender SmartScreen diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md index 416b3ffd6e..a73abf03ff 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md @@ -11,7 +11,7 @@ ms.date: 10/13/2017 ms.reviewer: manager: dansimp ms.author: macapara -ms.technology: mde +ms.technology: windows-sec --- # Set up and use Microsoft Defender SmartScreen on individual devices diff --git a/windows/security/threat-protection/msft-security-dev-lifecycle.md b/windows/security/threat-protection/msft-security-dev-lifecycle.md new file mode 100644 index 0000000000..df8eacefc1 --- /dev/null +++ b/windows/security/threat-protection/msft-security-dev-lifecycle.md 
@@ -0,0 +1,31 @@
+---
+title: Microsoft Security Development Lifecycle
+description: Download the Microsoft Security Development Lifecycle white paper which covers a security assurance process focused on software development.
+ms.prod: m365-security
+audience: ITPro
+author: dansimp
+ms.author: dansimp
+manager: dansimp
+ms.collection: M365-identity-device-management
+ms.topic: article
+ms.localizationpriority: medium
+ms.reviewer:
+ms.technology: windows-sec
+---
+
+# Microsoft Security Development Lifecycle
+
+The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. As a Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.
+
+[:::image type="content" source="images/simplified-sdl.png" alt-text="Simplified secure development lifecycle":::](https://www.microsoft.com/en-us/securityengineering/sdl)
+
+Combining a holistic and practical approach, the SDL aims to reduce the number and severity of vulnerabilities in software. The SDL introduces security and privacy throughout all phases of the development process.
+
+The Microsoft SDL is based on three core concepts:
+- Education
+- Continuous process improvement
+- Accountability
+
+To learn more about the SDL, visit the [Security Engineering site](https://www.microsoft.com/en-us/securityengineering/sdl).
+
+And, download the [Simplified Implementation of the Microsoft SDL whitepaper](https://go.microsoft.com/?linkid=9708425).
\ No newline at end of file
diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
index c2a1d31b98..33712bcefa 100644
--- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
+++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.sitesec: library author: dulcemontemayor ms.localizationpriority: medium -ms.technology: mde +ms.technology: windows-sec --- diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 0a9058b91d..e783eedfcd 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -10,7 +10,7 @@ author: dansimp ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Mitigate threats by using Windows 10 security features diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index e24bb48367..21a31de5bd 100644 --- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -13,7 +13,7 @@ ms.pagetype: security, devices author: dulcemontemayor ms.date: 10/13/2017 ms.localizationpriority: medium -ms.technology: mde +ms.technology: windows-sec --- # Control the health of Windows 10-based devices diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index 164d2ee773..a2c720f8da 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md 
@@ -13,7 +13,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 11/21/2019 ms.reviewer: -ms.technology: mde +ms.technology: windows-sec --- # Microsoft Security Compliance Toolkit 1.0 diff --git a/windows/security/threat-protection/security-policy-settings/TOC.yml b/windows/security/threat-protection/security-policy-settings/TOC.yml new file mode 100644 index 0000000000..1ddc477ef1 --- /dev/null +++ b/windows/security/threat-protection/security-policy-settings/TOC.yml 
@@ -0,0 +1,351 @@
+ - name: Security policy settings
+ href: security-policy-settings.md
+ items:
+ - name: Administer security policy settings
+ href: administer-security-policy-settings.md
+ items:
+ - name: Network List Manager policies
+ href: network-list-manager-policies.md
+ - name: Configure security policy settings
+ href: how-to-configure-security-policy-settings.md
+ - name: Security policy settings reference
+ href: security-policy-settings-reference.md
+ items:
+ - name: Account Policies
+ href: account-policies.md
+ items:
+ - name: Password Policy
+ href: password-policy.md
+ items:
+ - name: Enforce password history
+ href: enforce-password-history.md
+ - name: Maximum password age
+ href: maximum-password-age.md
+ - name: Minimum password age
+ href: minimum-password-age.md
+ - name: Minimum password length
+ href: minimum-password-length.md
+ - name: Password must meet complexity requirements
+ href: password-must-meet-complexity-requirements.md
+ - name: Store passwords using reversible encryption
+ href: store-passwords-using-reversible-encryption.md
+ - name: Account Lockout Policy
+ href: account-lockout-policy.md
+ items:
+ - name: Account lockout duration
+ href: account-lockout-duration.md
+ - name: Account lockout threshold
+ href: account-lockout-threshold.md
+ - name: Reset account lockout counter after
+ href: reset-account-lockout-counter-after.md
+ - name: Kerberos Policy
+ href: kerberos-policy.md
+ items:
+ - name: Enforce user logon restrictions
+ href: enforce-user-logon-restrictions.md
+ - name: Maximum lifetime for service ticket
+ href: maximum-lifetime-for-service-ticket.md
+ - name: Maximum lifetime for user ticket
+ href: maximum-lifetime-for-user-ticket.md
+ - name: Maximum lifetime for user ticket renewal
+ href: maximum-lifetime-for-user-ticket-renewal.md
+ - name: Maximum tolerance for computer clock synchronization
+ href: maximum-tolerance-for-computer-clock-synchronization.md
+ - name: Audit Policy
+ href: audit-policy.md
+ - name: Security Options
+ href: security-options.md
+ items:
+ - name: "Accounts: Administrator account status"
+ href: accounts-administrator-account-status.md
+ - name: "Accounts: Block Microsoft accounts"
+ href: accounts-block-microsoft-accounts.md
+ - name: "Accounts: Guest account status"
+ href: accounts-guest-account-status.md
+ - name: "Accounts: Limit local account use of blank passwords to console logon only"
+ href: accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
+ - name: "Accounts: Rename administrator account"
+ href: accounts-rename-administrator-account.md
+ - name: "Accounts: Rename guest account"
+ href: accounts-rename-guest-account.md
+ - name: "Audit: Audit the access of global system objects"
+ href: audit-audit-the-access-of-global-system-objects.md
+ - name: "Audit: Audit the use of Backup and Restore privilege"
+ href: audit-audit-the-use-of-backup-and-restore-privilege.md
+ - name: "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings"
+ href: audit-force-audit-policy-subcategory-settings-to-override.md
+ - name: "Audit: Shut down system immediately if unable to log security audits"
+ href: audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
+ - name: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax"
+ href: dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
+ - name: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax"
+ href: dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
+ - name: "Devices: Allow undock without having to log on"
+ href: devices-allow-undock-without-having-to-log-on.md
+ - name: "Devices: Allowed to format and eject removable media"
+ href: devices-allowed-to-format-and-eject-removable-media.md
+ - name: "Devices: Prevent users from installing printer drivers"
+ href: devices-prevent-users-from-installing-printer-drivers.md
+ - name: "Devices: Restrict CD-ROM access to locally logged-on user only"
+ href: devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
+ - name: "Devices: Restrict floppy access to locally logged-on user only"
+ href: devices-restrict-floppy-access-to-locally-logged-on-user-only.md
+ - name: "Domain controller: Allow server operators to schedule tasks"
+ href: domain-controller-allow-server-operators-to-schedule-tasks.md
+ - name: "Domain controller: LDAP server signing requirements"
+ href: domain-controller-ldap-server-signing-requirements.md
+ - name: "Domain controller: Refuse machine account password changes"
+ href: domain-controller-refuse-machine-account-password-changes.md
+ - name: "Domain member: Digitally encrypt or sign secure channel data (always)"
+ href: domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
+ - name: "Domain member: Digitally encrypt secure channel data (when possible)"
+ href: domain-member-digitally-encrypt-secure-channel-data-when-possible.md
+ - name: "Domain member: Digitally sign secure channel data (when possible)"
+ href: domain-member-digitally-sign-secure-channel-data-when-possible.md
+ - name: "Domain member: Disable machine account password changes"
+ href: domain-member-disable-machine-account-password-changes.md
+ - name: "Domain member: Maximum machine account password age"
+ href: domain-member-maximum-machine-account-password-age.md
+ - name: "Domain member: Require strong (Windows 2000 or later) session key"
+ href: domain-member-require-strong-windows-2000-or-later-session-key.md
+ - name: "Interactive logon: Display user information when the session is locked"
+ href: interactive-logon-display-user-information-when-the-session-is-locked.md
+ - name: "Interactive logon: Don't display last signed-in"
+ href: interactive-logon-do-not-display-last-user-name.md
+ - name: "Interactive logon: Don't display username at sign-in"
+ href: interactive-logon-dont-display-username-at-sign-in.md
+ - name: "Interactive logon: Do not require CTRL+ALT+DEL"
+ href: interactive-logon-do-not-require-ctrl-alt-del.md
+ - name: "Interactive logon: Machine account lockout threshold"
+ href: interactive-logon-machine-account-lockout-threshold.md
+ - name: "Interactive logon: Machine inactivity limit"
+ href: interactive-logon-machine-inactivity-limit.md
+ - name: "Interactive logon: Message text for users attempting to log on"
+ href: interactive-logon-message-text-for-users-attempting-to-log-on.md
+ - name: "Interactive logon: Message title for users attempting to log on"
+ href: interactive-logon-message-title-for-users-attempting-to-log-on.md
+ - name: "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"
+ href: interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
+ - name: "Interactive logon: Prompt user to change password before expiration"
+ href: interactive-logon-prompt-user-to-change-password-before-expiration.md
+ - name: "Interactive logon: Require Domain Controller authentication to unlock workstation"
+ href: interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
+ - name: "Interactive logon: Require smart card"
+ href: interactive-logon-require-smart-card.md
+ - name: "Interactive logon: Smart card removal behavior"
+ href: interactive-logon-smart-card-removal-behavior.md
+ - name: "Microsoft network client: Digitally sign communications (always)"
+ href: microsoft-network-client-digitally-sign-communications-always.md
+ - name: "SMBv1 Microsoft network client: Digitally sign communications (always)"
+ href: smbv1-microsoft-network-client-digitally-sign-communications-always.md
+ - name: "SMBv1 Microsoft network client: Digitally sign communications (if server agrees)"
+ href:
smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md + - name: "Microsoft network client: Send unencrypted password to third-party SMB servers" + href: microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md + - name: "Microsoft network server: Amount of idle time required before suspending session" + href: microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md + - name: "Microsoft network server: Attempt S4U2Self to obtain claim information" + href: microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md + - name: "Microsoft network server: Digitally sign communications (always)" + href: microsoft-network-server-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network server: Digitally sign communications (always)" + href: smbv1-microsoft-network-server-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network server: Digitally sign communications (if client agrees)" + href: smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md + - name: "Microsoft network server: Disconnect clients when logon hours expire" + href: microsoft-network-server-disconnect-clients-when-logon-hours-expire.md + - name: "Microsoft network server: Server SPN target name validation level" + href: microsoft-network-server-server-spn-target-name-validation-level.md + - name: "Network access: Allow anonymous SID/Name translation" + href: network-access-allow-anonymous-sidname-translation.md + - name: "Network access: Do not allow anonymous enumeration of SAM accounts" + href: network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md + - name: "Network access: Do not allow anonymous enumeration of SAM accounts and shares" + href: network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md + - name: "Network access: Do not allow storage of passwords and credentials for network authentication" + href: 
network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md + - name: "Network access: Let Everyone permissions apply to anonymous users" + href: network-access-let-everyone-permissions-apply-to-anonymous-users.md + - name: "Network access: Named Pipes that can be accessed anonymously" + href: network-access-named-pipes-that-can-be-accessed-anonymously.md + - name: "Network access: Remotely accessible registry paths" + href: network-access-remotely-accessible-registry-paths.md + - name: "Network access: Remotely accessible registry paths and subpaths" + href: network-access-remotely-accessible-registry-paths-and-subpaths.md + - name: "Network access: Restrict anonymous access to Named Pipes and Shares" + href: network-access-restrict-anonymous-access-to-named-pipes-and-shares.md + - name: "Network access: Restrict clients allowed to make remote calls to SAM" + href: network-access-restrict-clients-allowed-to-make-remote-sam-calls.md + - name: "Network access: Shares that can be accessed anonymously" + href: network-access-shares-that-can-be-accessed-anonymously.md + - name: "Network access: Sharing and security model for local accounts" + href: network-access-sharing-and-security-model-for-local-accounts.md + - name: "Network security: Allow Local System to use computer identity for NTLM" + href: network-security-allow-local-system-to-use-computer-identity-for-ntlm.md + - name: "Network security: Allow LocalSystem NULL session fallback" + href: network-security-allow-localsystem-null-session-fallback.md + - name: "Network security: Allow PKU2U authentication requests to this computer to use online identities" + href: network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md + - name: "Network security: Configure encryption types allowed for Kerberos" + href: network-security-configure-encryption-types-allowed-for-kerberos.md + - name: "Network security: Do not store LAN Manager hash value on 
next password change" + href: network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md + - name: "Network security: Force logoff when logon hours expire" + href: network-security-force-logoff-when-logon-hours-expire.md + - name: "Network security: LAN Manager authentication level" + href: network-security-lan-manager-authentication-level.md + - name: "Network security: LDAP client signing requirements" + href: network-security-ldap-client-signing-requirements.md + - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" + href: network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md + - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" + href: network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md + - name: "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" + href: network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md + - name: "Network security: Restrict NTLM: Add server exceptions in this domain" + href: network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md + - name: "Network security: Restrict NTLM: Audit incoming NTLM traffic" + href: network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md + - name: "Network security: Restrict NTLM: Audit NTLM authentication in this domain" + href: network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md + - name: "Network security: Restrict NTLM: Incoming NTLM traffic" + href: network-security-restrict-ntlm-incoming-ntlm-traffic.md + - name: "Network security: Restrict NTLM: NTLM authentication in this domain" + href: network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md + - name: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" + href: 
network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md + - name: "Recovery console: Allow automatic administrative logon" + href: recovery-console-allow-automatic-administrative-logon.md + - name: "Recovery console: Allow floppy copy and access to all drives and folders" + href: recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md + - name: "Shutdown: Allow system to be shut down without having to log on" + href: shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md + - name: "Shutdown: Clear virtual memory pagefile" + href: shutdown-clear-virtual-memory-pagefile.md + - name: "System cryptography: Force strong key protection for user keys stored on the computer" + href: system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md + - name: "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" + href: system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md + - name: "System objects: Require case insensitivity for non-Windows subsystems" + href: system-objects-require-case-insensitivity-for-non-windows-subsystems.md + - name: "System objects: Strengthen default permissions of internal system objects (Symbolic Links)" + href: system-objects-strengthen-default-permissions-of-internal-system-objects.md + - name: "System settings: Optional subsystems" + href: system-settings-optional-subsystems.md + - name: "System settings: Use certificate rules on Windows executables for Software Restriction Policies" + href: system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md + - name: "User Account Control: Admin Approval Mode for the Built-in Administrator account" + href: user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md + - name: "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" + href: 
user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md + - name: "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" + href: user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md + - name: "User Account Control: Behavior of the elevation prompt for standard users" + href: user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md + - name: "User Account Control: Detect application installations and prompt for elevation" + href: user-account-control-detect-application-installations-and-prompt-for-elevation.md + - name: "User Account Control: Only elevate executables that are signed and validated" + href: user-account-control-only-elevate-executables-that-are-signed-and-validated.md + - name: "User Account Control: Only elevate UIAccess applications that are installed in secure locations" + href: user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md + - name: "User Account Control: Run all administrators in Admin Approval Mode" + href: user-account-control-run-all-administrators-in-admin-approval-mode.md + - name: "User Account Control: Switch to the secure desktop when prompting for elevation" + href: user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md + - name: "User Account Control: Virtualize file and registry write failures to per-user locations" + href: user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md + - name: Advanced security audit policy settings + href: secpol-advanced-security-audit-policy-settings.md + - name: User Rights Assignment + href: user-rights-assignment.md + items: + - name: Access Credential Manager as a trusted caller + href: access-credential-manager-as-a-trusted-caller.md + - name: Access this computer from the network + href: access-this-computer-from-the-network.md 
+ - name: Act as part of the operating system + href: act-as-part-of-the-operating-system.md + - name: Add workstations to domain + href: add-workstations-to-domain.md + - name: Adjust memory quotas for a process + href: adjust-memory-quotas-for-a-process.md + - name: Allow log on locally + href: allow-log-on-locally.md + - name: Allow log on through Remote Desktop Services + href: allow-log-on-through-remote-desktop-services.md + - name: Back up files and directories + href: back-up-files-and-directories.md + - name: Bypass traverse checking + href: bypass-traverse-checking.md + - name: Change the system time + href: change-the-system-time.md + - name: Change the time zone + href: change-the-time-zone.md + - name: Create a pagefile + href: create-a-pagefile.md + - name: Create a token object + href: create-a-token-object.md + - name: Create global objects + href: create-global-objects.md + - name: Create permanent shared objects + href: create-permanent-shared-objects.md + - name: Create symbolic links + href: create-symbolic-links.md + - name: Debug programs + href: debug-programs.md + - name: Deny access to this computer from the network + href: deny-access-to-this-computer-from-the-network.md + - name: Deny log on as a batch job + href: deny-log-on-as-a-batch-job.md + - name: Deny log on as a service + href: deny-log-on-as-a-service.md + - name: Deny log on locally + href: deny-log-on-locally.md + - name: Deny log on through Remote Desktop Services + href: deny-log-on-through-remote-desktop-services.md + - name: Enable computer and user accounts to be trusted for delegation + href: enable-computer-and-user-accounts-to-be-trusted-for-delegation.md + - name: Force shutdown from a remote system + href: force-shutdown-from-a-remote-system.md + - name: Generate security audits + href: generate-security-audits.md + - name: Impersonate a client after authentication + href: impersonate-a-client-after-authentication.md + - name: Increase a process working set + href: 
increase-a-process-working-set.md + - name: Increase scheduling priority + href: increase-scheduling-priority.md + - name: Load and unload device drivers + href: load-and-unload-device-drivers.md + - name: Lock pages in memory + href: lock-pages-in-memory.md + - name: Log on as a batch job + href: log-on-as-a-batch-job.md + - name: Log on as a service + href: log-on-as-a-service.md + - name: Manage auditing and security log + href: manage-auditing-and-security-log.md + - name: Modify an object label + href: modify-an-object-label.md + - name: Modify firmware environment values + href: modify-firmware-environment-values.md + - name: Perform volume maintenance tasks + href: perform-volume-maintenance-tasks.md + - name: Profile single process + href: profile-single-process.md + - name: Profile system performance + href: profile-system-performance.md + - name: Remove computer from docking station + href: remove-computer-from-docking-station.md + - name: Replace a process level token + href: replace-a-process-level-token.md + - name: Restore files and directories + href: restore-files-and-directories.md + - name: Shut down the system + href: shut-down-the-system.md + - name: Synchronize directory service data + href: synchronize-directory-service-data.md + - name: Take ownership of files or other objects + href: take-ownership-of-files-or-other-objects.md + - name: Windows security + href: /windows/security/ \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md index 152f6711fe..3cf960a19f 100644 --- a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md +++ b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md 
@@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: mde +ms.technology: windows-sec --- # Access Credential Manager as a trusted caller diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md index 55c80b17f7..da17209420 100644 --- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/11/2021 -ms.technology: mde +ms.technology: windows-sec --- # Access this computer from the network - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md index be2c2f115a..5111f06fe9 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/16/2021 -ms.technology: mde +ms.technology: windows-sec --- # Account lockout duration diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md index 26ba3362f0..5f8c91006d 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md 
@@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/11/2018 -ms.technology: mde +ms.technology: windows-sec --- # Account Lockout Policy diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md index 955b5f6e6f..fdbdef8e1e 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 11/02/2018 -ms.technology: mde +ms.technology: windows-sec --- # Account lockout threshold diff --git a/windows/security/threat-protection/security-policy-settings/account-policies.md b/windows/security/threat-protection/security-policy-settings/account-policies.md index 42f0509874..d3f03a9e97 100644 --- a/windows/security/threat-protection/security-policy-settings/account-policies.md +++ b/windows/security/threat-protection/security-policy-settings/account-policies.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: mde +ms.technology: windows-sec --- # Account Policies diff --git a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md index 983c8abe93..132ecaa9be 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md 
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 08/01/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Accounts: Administrator account status
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
index 21943761e2..d390220428 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 08/10/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Accounts: Block Microsoft accounts
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
index 1828f74f0d..6f785de269 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Accounts: Guest account status - security policy setting
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
index 88adc7aa01..b630cc0ce5 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Accounts: Limit local account use of blank passwords to console logon only
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
index 1bf1c8e328..d865644cf8 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Accounts: Rename administrator account
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
index 5694b75065..7ce4a682bc 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Accounts: Rename guest account - security policy setting
diff --git a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
index dfd593bde8..4c794419c1 100644
--- a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
+++ b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Act as part of the operating system
diff --git a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
index c2cfbb9858..8e6a02b8ef 100644
--- a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Add workstations to domain
diff --git a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
index 154ecd7c75..c780868505 100644
--- a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
+++ b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Adjust memory quotas for a process
diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
index fecacdacab..297de36841 100644
--- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Administer security policy settings
diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
index 3bb3d64326..62863b9009 100644
--- a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
+++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Allow log on locally - security policy setting
diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
index 044f3c2fe5..1ad9f2883f 100644
--- a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
+++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Allow log on through Remote Desktop Services
diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
index d534cb14e3..f22bcd4c5d 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Audit: Audit the access of global system objects
diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
index 6c2fec1dee..39535992d7 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/01/2019
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Audit: Audit the use of Backup and Restore privilege
diff --git a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
index 3c64ae947a..cc93c278b5 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
diff --git a/windows/security/threat-protection/security-policy-settings/audit-policy.md b/windows/security/threat-protection/security-policy-settings/audit-policy.md
index 351b357bb8..294edc4242 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-policy.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Audit Policy
diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
index 6b2a642f91..dc462f0224 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Audit: Shut down system immediately if unable to log security audits
diff --git a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
index 67a1efe7b8..2ecdea12d2 100644
--- a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
+++ b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Back up files and directories - security policy setting
diff --git a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
index 34327028f6..239a32f7b1 100644
--- a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
+++ b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Bypass traverse checking
diff --git a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md
index 611c4f29c6..c3d5940ecc 100644
--- a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md
+++ b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Change the system time - security policy setting
diff --git a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md
index f9251b7542..ac2ad49a7c 100644
--- a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md
+++ b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Change the time zone - security policy setting
diff --git a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
index eaca0ecfbb..c5a8a0a8e1 100644
--- a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
+++ b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Create a pagefile - security policy setting
diff --git a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md
index 52fb6a0e53..b506e0c131 100644
--- a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md
+++ b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Create a token object
diff --git a/windows/security/threat-protection/security-policy-settings/create-global-objects.md b/windows/security/threat-protection/security-policy-settings/create-global-objects.md
index c29a2716ee..fd0acee762 100644
--- a/windows/security/threat-protection/security-policy-settings/create-global-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/create-global-objects.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Create global objects
diff --git a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md
index 33b84b4ddd..a38990fd17 100644
--- a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Create permanent shared objects
diff --git a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
index 70f390d16a..d5d9820efd 100644
--- a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
+++ b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Create symbolic links
diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
index 8b5c1ba80d..cfed5fd439 100644
--- a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
+++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
index 46bcee01d5..7142b1773f 100644
--- a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
+++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
diff --git a/windows/security/threat-protection/security-policy-settings/debug-programs.md b/windows/security/threat-protection/security-policy-settings/debug-programs.md
index ee678fa038..0e70455139 100644
--- a/windows/security/threat-protection/security-policy-settings/debug-programs.md
+++ b/windows/security/threat-protection/security-policy-settings/debug-programs.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Debug programs
diff --git a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
index 04844990fd..269c9d78ab 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 05/19/2021
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Deny access to this computer from the network
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
index 33371b5594..3065d91365 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Deny log on as a batch job
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
index e93b14011b..3b48755935 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Deny log on as a service
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md
index 16aac6c38f..e3663ffda4 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Deny log on locally
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md
index e618426e9d..ea9ba0f63a 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Deny log on through Remote Desktop Services
diff --git a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
index 1c8ec83ad6..6f6a4ddb5f 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Devices: Allow undock without having to log on
diff --git a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
index 4a2d451bd1..fccacdc413 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Devices: Allowed to format and eject removable media
diff --git a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
index 15e9f97f5d..32a0ca45f2 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Devices: Prevent users from installing printer drivers
diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
index 14b745deaf..1bc52f9b73 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Devices: Restrict CD-ROM access to locally logged-on user only
diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
index 0b64be01ad..2591b45b42 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Devices: Restrict floppy access to locally logged-on user only
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
index 6708f52037..ad7e4030e3 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Domain controller: Allow server operators to schedule tasks
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
index ba471b4b00..3c4bd32092 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Domain controller: LDAP server signing requirements
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
index 31325347d6..d0b2f91db5 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
@@ -14,7 +14,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Domain controller: Refuse machine account password changes
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
index 9c02ea6441..c48680bf77 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Domain member: Digitally encrypt or sign secure channel data (always)
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
index cc788fbe2b..f07984917f 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Domain member: Digitally encrypt secure channel data (when possible)
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
index 5d0ee13652..b75a8767d9 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Domain member: Digitally sign secure channel data (when possible)
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
index 16e25c74bf..8c85b1ecee 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 06/27/2019
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Domain member: Disable machine account password changes
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
index ff2d29cc14..7a5f2b3e94 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 05/29/2020
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Domain member: Maximum machine account password age
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
index 544c028497..24cdd01bd2 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Domain member: Require strong (Windows 2000 or later) session key
diff --git a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
index 9dfa07237d..d60d7b9568 100644
--- a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
+++ b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Enable computer and user accounts to be trusted for delegation
diff --git a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md
index 796779c714..e32f558d6c 100644
--- a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md
+++ b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Enforce password history
diff --git a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md
index 71615ceabb..c1b6e0c09e 100644
--- a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md
+++ b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Enforce user logon restrictions
diff --git a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
index e6585a09a3..ed338300e8 100644
--- a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
+++ b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Force shutdown from a remote system
diff --git a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md
index 40e5ca7ef1..4f81ddbe37 100644
--- a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md
+++ b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Generate security audits
diff --git a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
index 7ad1fc41a6..548dfc7385 100644
--- a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Configure security policy settings
diff --git a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md
index 7c59f4013c..b7503031b7 100644
--- a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Impersonate a client after authentication
diff --git a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md
index 4473a058bb..f6eda6e23e 100644
--- a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md
+++ b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Increase a process working set
diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
index 8ca263ed4f..e2e776a8be 100644
--- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
+++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 2/6/2020
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Increase scheduling priority
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
index ce251bc758..7c5ca6c4a7 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Interactive logon: Display user information when the session is locked
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
index dc34342e33..9994a60f7e 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
@@ -14,7 +14,7 @@ ms.topic: conceptual
 ms.date: 04/19/2017
 ms.reviewer:
 ms.author: dansimp
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Interactive logon: Don't display last signed-in
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
index e209f6f824..4131998946 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Interactive logon: Do not require CTRL+ALT+DEL
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
index dc75f23f03..e0431252ef 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Interactive logon: Don't display username at sign-in
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
index ea490bea9a..e9a1fea0ae 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Interactive logon: Machine account lockout threshold
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
index b42c080ea0..737bfddba3 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/18/2018
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Interactive logon: Machine inactivity limit
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
index 554fcc6d63..ec72b350f1 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Interactive logon: Message text for users attempting to log on
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
index 3f2be2aad0..e5f5ce5eb8 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Interactive logon: Message title for users attempting to log on
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
index 1e1a6c2d56..90773e0b18 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 08/27/2018
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Interactive logon: Number of previous logons to cache (in case domain controller is not available)
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
index 0eada407ca..0194532533 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Interactive log on: Prompt the user to change passwords before expiration
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
index e08474cde8..88948dcc4f 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Interactive logon: Require Domain Controller authentication to unlock workstation
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
index 1235ce1f89..1ef1627762 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Interactive logon: Require smart card - security policy setting
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
index 822699cbe5..8b8a23f14d 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Interactive logon: Smart card removal behavior
diff --git a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md
index 4dde3dafa0..50e612ee9a 100644
--- a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Kerberos Policy
diff --git a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md
index ece23d6a1b..a0534994d0 100644
--- a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md
+++ b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Load and unload device drivers
diff --git a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
index 9f512271e5..17b2d7d0e6 100644
--- a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
+++ b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Lock pages in memory
diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
index e4997ab361..4fb931974f 100644
--- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
+++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Log on as a batch job
diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
index a170ea805c..dbcb0f1907 100644
--- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
+++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Log on as a service
diff --git a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md
index 057b9c3219..5da39ee708 100644
--- a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md
+++ b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Manage auditing and security log
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md
index 4c5b767250..e3ed6c49c4 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Maximum lifetime for service ticket
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
index 4298be4ed3..0b5fddd3cd 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Maximum lifetime for user ticket renewal
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md
index c9f03e275f..b189dda660 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Maximum lifetime for user ticket
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
index 18d09c4627..546b7de4f2 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Maximum password age
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
index 98e58336ac..fe607f246f 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Maximum tolerance for computer clock synchronization
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
index f2c0e59130..d6c198624a 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
@@ -12,7 +12,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.date: 06/28/2018
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Microsoft network client: Digitally sign communications (always)
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
index 3fca806b68..0cc87e361e 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
index df04135ddb..abe6db2b33 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Microsoft network server: Amount of idle time required before suspending session
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
index bf80e3d066..1ef73b3a59 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Microsoft network server: Attempt S4U2Self to obtain claim information
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
index aa8327994b..afb7ddfe20 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 06/21/2018
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Microsoft network server: Digitally sign communications (always)
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
index c63ba1fa9c..5cf58f4daf 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Microsoft network server: Disconnect clients when logon hours expire
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
index 934085e4f4..23c36d99fa 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Microsoft network server: Server SPN target name validation level
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
index a36abdd6f7..960112af64 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
@@ -12,7 +12,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.date: 11/13/2018
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Minimum password age
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
index c14de4b2fc..7921cdcc37 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Minimum password length
diff --git a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
index baa5e9c04b..b320e305b8 100644
--- a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
+++ b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Modify an object label
diff --git a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
index 6858bbce7e..8d28849453 100644
--- a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
+++ b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Modify firmware environment values
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
index b78e43e706..82be9fa1ec 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network access: Allow anonymous SID/Name translation
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
index 23a4d0c815..aa56038e35 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network access: Do not allow anonymous enumeration of SAM accounts and shares
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
index 3243d8261b..1e144a682f 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network access: Do not allow anonymous enumeration of SAM accounts
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
index 8cdbdc9908..160dbb22e8 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 07/01/2021
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network access: Do not allow storage of passwords and credentials for network authentication
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
index 816f4d78b1..542bd046ed 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network access: Let Everyone permissions apply to anonymous users
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
index bb01d6c117..78c22e2c43 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network access: Named Pipes that can be accessed anonymously
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
index 078753c170..1f5a821007 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network access: Remotely accessible registry paths and subpaths
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
index ab9370f9dd..fe4a3d425e 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network access: Remotely accessible registry paths
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
index 9fea7c3077..57dc9bbbb8 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network access: Restrict anonymous access to Named Pipes and Shares
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index 66c3926643..e6ec3878c7 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -11,7 +11,7 @@ ms.date: 09/17/2018
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network access: Restrict clients allowed to make remote calls to SAM
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
index 125d609e61..0e8c62d1a3 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network access: Shares that can be accessed anonymously
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
index 359010211d..f4a400c044 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network access: Sharing and security model for local accounts
diff --git a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
index 69ecb0c119..619b009548 100644
--- a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network List Manager policies
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
index 40a53c2736..261dd0a213 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
@@ -1,5 +1,5 @@
 ---
-title: Network security Allow Local System to use computer identity for NTLM (Windows 10)
+title: "Network security: Allow Local System to use computer identity for NTLM (Windows 10)"
 description: Location, values, policy management, and security considerations for the policy setting, Network security Allow Local System to use computer identity for NTLM.
 ms.assetid: c46a658d-b7a4-4139-b7ea-b9268c240053
 ms.reviewer:
@@ -14,8 +14,8 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
-ms.technology: mde
+ms.date: 10/04/2021
+ms.technology: windows-sec
 ---
 # Network security: Allow Local System to use computer identity for NTLM
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
index 3f67d9dfbf..401a588948 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network security: Allow LocalSystem NULL session fallback
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index 671eb87720..7b4fd7fe4b 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network security: Allow PKU2U authentication requests to this computer to use online identities
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
index d6813adc8f..034a2762ea 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network security: Configure encryption types allowed for Kerberos
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
index 23140d7b81..ebf155ba56 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network security: Do not store LAN Manager hash value on next password change
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
index d82ba2d356..daab389419 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network security: Force logoff when logon hours expire
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
index 90ab68bf7a..fcd510671f 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network security: LAN Manager authentication level
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
index deb400f637..006e925460 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network security: LDAP client signing requirements
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
index 7da3832813..1ab941f6ae 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 07/27/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
index fd5bcf7731..d606dc935b 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
index 4f61542115..bf5804a540 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
index ad33075c6d..5fb535995e 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network security: Restrict NTLM: Add server exceptions in this domain
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
index 466fe77336..47b963ab2a 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network security: Restrict NTLM: Audit incoming NTLM traffic
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
index 595f2d660a..bdbf0e528d 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network security: Restrict NTLM: Audit NTLM authentication in this domain
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
index 1c4ca789c3..cbcc2e7d66 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network security: Restrict NTLM: Incoming NTLM traffic
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
index 947f4ab587..ccaba0be7d 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network security: Restrict NTLM: NTLM authentication in this domain
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
index 1a547615d6..f53a1e1665 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
index 1a74bf2b3a..7928508380 100644
--- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
@@ -14,7 +14,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Password must meet complexity requirements
diff --git a/windows/security/threat-protection/security-policy-settings/password-policy.md b/windows/security/threat-protection/security-policy-settings/password-policy.md
index 697b00c255..11d69785c6 100644
--- a/windows/security/threat-protection/security-policy-settings/password-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/password-policy.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Password Policy
diff --git a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md
index 44ce6c881a..514e1a9ea7 100644
--- a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md
+++ b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Perform volume maintenance tasks
diff --git a/windows/security/threat-protection/security-policy-settings/profile-single-process.md b/windows/security/threat-protection/security-policy-settings/profile-single-process.md
index fc3af3e372..599cb50810 100644
--- a/windows/security/threat-protection/security-policy-settings/profile-single-process.md
+++ b/windows/security/threat-protection/security-policy-settings/profile-single-process.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Profile single process
diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
index 37a46be943..47f372d723 100644
--- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
+++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Profile system performance
diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
index 8d560cc318..c188b74c08 100644
--- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
+++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Recovery console: Allow automatic administrative logon
diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
index 2d90c0a80f..c06d6f180c 100644
--- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
+++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Recovery console: Allow floppy copy and access to all drives and folders
diff --git a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
index 099396d96b..4508560bdc 100644
--- a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
+++ b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Remove computer from docking station - security policy setting
diff --git a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
index 497b00f4d5..dd1696b067 100644
--- a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
+++ b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Replace a process level token
diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
index b58d2f93b4..87951d31f4 100644
--- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
+++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 11/02/2018
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Reset account lockout counter after
diff --git a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
index 56932252a4..08c30303cf 100644
--- a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
+++ b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Restore files and directories - security policy setting
diff --git a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
index 58e86eb700..fe3ba96d3f 100644
--- a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Advanced security audit policy settings
diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md
index b31d7a38cd..f7a90a01c0 100644
--- a/windows/security/threat-protection/security-policy-settings/security-options.md
+++ b/windows/security/threat-protection/security-policy-settings/security-options.md
@@ -12,7 +12,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.date: 06/28/2018
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Security Options
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md
index 690b97fddb..a1d965558b 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Security policy settings reference
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
index 7a58b942a4..a0a8270da7 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Security policy settings
diff --git a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
index 1b5d5a161d..57374f2aa8 100644
--- a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
+++ b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Shut down the system - security policy setting
diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
index 5f9aec2590..f80dd3b8cf 100644
--- a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Shutdown: Allow system to be shut down without having to log on
diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
index b556412de2..4cada523db 100644
--- a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
+++ b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 08/01/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Shutdown: Clear virtual memory pagefile
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md
index 996a278b07..204a5206ba 100644
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 01/04/2019
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # SMBv1 Microsoft network client: Digitally sign communications (always)
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md
index 6b4331de2f..9ef171ea55 100644
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 01/04/2019
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # SMBv1 Microsoft network client: Digitally sign communications (if server agrees)
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md
index 0c427716aa..ffedfe0697 100644
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 01/04/2019
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # SMB v1 Microsoft network server: Digitally sign communications (always)
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md
index 032bb6d057..48bbab1f2f 100644
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 01/04/2019
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # SMBv1 Microsoft network server: Digitally sign communications (if client agrees)
diff --git a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
index fa3693209f..ea2f55d403 100644
--- a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
+++ b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Store passwords using reversible encryption
diff --git a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
index 04d2c905ec..88f07c4037 100644
--- a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
+++ b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Synchronize directory service data
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
index 0ab38e9139..d5dd1f683e 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # System cryptography: Force strong key protection for user keys stored on the computer
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
index 67de664cfc..e98291ef6b 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 11/16/2018
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
index 7d3fdb17cd..3a9ceb4840 100644
--- a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
+++ b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # System objects: Require case insensitivity for non-Windows subsystems
diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
index 731ff816b1..abd9724c03 100644
--- a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links)
diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
index 05dc5f7a16..a271d9f87f 100644
--- a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
+++ b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # System settings: Optional subsystems
diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
index 85d1c3a9c8..9791d8a12d 100644
--- a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # System settings: Use certificate rules on Windows executables for Software Restriction Policies
diff --git a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md
index 45985b786a..c4781f258c 100644
--- a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Take ownership of files or other objects
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
index d7900e363c..16e00a82f8 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/08/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # User Account Control: Admin Approval Mode for the Built-in Administrator account
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
index 09f6411652..8526a457ae 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
index 716ff6ad2d..e653550846 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/08/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
index de0490479f..48f2dfa8c7 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
@@ -14,8 +14,8 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
-ms.technology: mde
+ms.date: 10/11/2021
+ms.technology: windows-sec
 ---
 # User Account Control: Behavior of the elevation prompt for standard users
@@ -46,7 +46,7 @@ This policy setting determines the behavior of the elevation prompt for standard
 ### Best practices
 1. Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to log on with an administrative account to run programs that require elevation of privilege.
-2. As a security best practice, standard users should not have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, set **Prompt for credentials** so that the users do not choose to always log on with their administrator accounts, and they shift their behavior to use the standard user account.
+2. As a security best practice, standard users should not have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, set **Prompt for credentials on the secure desktop** so that the users do not choose to always log on with their administrator accounts, and they shift their behavior to use the standard user account.
 ### Location
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
index be33709e17..431ac04a15 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # User Account Control: Detect application installations and prompt for elevation
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
index 62665872ff..242580312c 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # User Account Control: Only elevate executables that are signed and validated
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
index 06e3831a67..76a8bc97a2 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
@@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: mde +ms.technology: windows-sec --- # User Account Control: Only elevate UIAccess applications that are installed in secure locations diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md index da3fbca962..6760e38f5a 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: mde +ms.technology: windows-sec --- # User Account Control: Run all administrators in Admin Approval Mode @@ -40,8 +40,8 @@ This policy setting determines the behavior of all User Account Control (UAC) po Admin Approval Mode and all related UAC policies are disabled. > [!NOTE] - > If this security setting is configured to **Disabled**, the Security Center notifies the user that the overall security of the operating system has been reduced. - + > If this security setting is configured to **Disabled**, Windows Security app notifies the user that the overall security of the operating system has been reduced. + ### Best practices - Turn on this policy to allow all other UAC features and policies to function. 
@@ -52,7 +52,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec

 ### Default values

-The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
+The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page.

 | Server type or GPO | Default value |
 | - | - |
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
index 6b34c92be1..5eb4fbd4e9 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---

 # User Account Control: Switch to the secure desktop when prompting for elevation
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
index e8bf2f6497..dda6b18a18 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---

 # User Account Control: Virtualize file and registry write failures to per-user locations
diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
index 5efa422cb9..6760680ea6 100644
--- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
+++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---

 # User Rights Assignment
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index a8362c5bda..fc9376dadb 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -12,7 +12,7 @@ ms.pagetype: security
 author: dulcemontemayor
 ms.date: 02/28/2019
 ms.localizationpriority: medium
-ms.technology: mde
+ms.technology: windows-sec
 ---

 # Use Windows Event Forwarding to help with intrusion detection
diff --git a/windows/security/threat-protection/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md
index 11b4c1a58b..264a762b9c 100644
--- a/windows/security/threat-protection/windows-10-mobile-security-guide.md
+++ b/windows/security/threat-protection/windows-10-mobile-security-guide.md @@ -13,7 +13,7 @@ ms.pagetype: security, mobile ms.localizationpriority: medium author: dulcemontemayor ms.date: 10/13/2017 -ms.technology: mde +ms.technology: windows-sec --- # Windows 10 Mobile security guide @@ -120,7 +120,7 @@ In many cases, most apps don’t require enlightenment for them to use Windows I To configure Windows Information Protection in a Mobile Device Management (MDM) solution that supports it, simply add authorized apps to the allow list. When a device running Windows 10 Mobile enrolls in the MDM solution, unauthorized apps will not have access to enterprise data. -Windows Information Protection works seamlessly until users try to access enterprise data with or paste enterprise data into unauthorized apps or locations on the web. For example, copying enterprise data from an authorized app to another authorized app works as usual, but Window Information Protection can block users from copying enterprise data from an authorized app to an unauthorized app. Likewise, it will block users from using an unauthorized app to open a file that contains enterprise data. +Windows Information Protection works seamlessly until users try to access enterprise data with or paste enterprise data into unauthorized apps or locations on the web. For example, copying enterprise data from an authorized app to another authorized app works as usual, but Windows Information Protection can block users from copying enterprise data from an authorized app to an unauthorized app. Likewise, it will block users from using an unauthorized app to open a file that contains enterprise data. The extent to which users will be prevented from copying and pasting data from authorized apps to unauthorized apps or locations on the web depends on which protection level is set: - **Block.** Windows Information Protection blocks users from completing the operation. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index 9c23deaecd..bea57dd3c8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -15,7 +15,7 @@ ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
 ms.date: 10/30/2019
-ms.technology: mde
+ms.technology: windows-sec
 ---

 # Allow Line-of-Business Win32 Apps on Intune-Managed S Mode Devices
@@ -26,7 +26,7 @@ ms.technology: mde
 - Windows 11

 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).

 Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications and Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows in S mode devices.

diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index 2a9d13497a..024e87e042 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -1,5 +1,8 @@
 - name: Application Control for Windows
+ href: index.yml
+- name: About application control for Windows
 href: windows-defender-application-control.md
+ expanded: true
 items:
 - name: WDAC and AppLocker Overview
 href: wdac-and-applocker-overview.md
@@ -105,6 +108,8 @@
 href: querying-application-control-events-centrally-using-advanced-hunting.md
 - name: Known Issues
 href: operations/known-issues.md
+ - name: Managed installer and ISG technical reference and troubleshooting guide
+ href: configure-wdac-managed-installer.md
 - name: AppLocker
 href: applocker\applocker-overview.md
 items:
@@ -292,3 +297,6 @@
 href: applocker\using-event-viewer-with-applocker.md
 - name: AppLocker Settings
 href: applocker\applocker-settings.md
+- name: Windows security
+ href: /windows/security/
+
diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
index 107430388b..9e1b49b4c8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
@@ -14,7 +14,7 @@ author: dansimp
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.technology: mde
+ms.technology: windows-sec
 ---

 # Allow COM object registration in a Windows Defender Application Control policy
@@ -23,21 +23,22 @@ ms.technology: mde - Windows 10 - Windows 11 -- Windows Server 2016 and above +- Windows Server 2016 and later ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). - ->[!IMPORTANT] ->Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md). The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component-object-model) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM specifies an object model and programming requirements that enable COM objects to interact with other objects. +> [!IMPORTANT] +> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + ### COM object configurability in WDAC policy -Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. +Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) enforced a built-in allow list for COM object registration. 
While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. -**NOTE**: To add this functionality to other versions of Windows 10, you can install the following or later updates: +> [!NOTE] +> To add this functionality to other versions of Windows 10, you can install the following or later updates. - Windows 10, 1809 June 18, 2019—KB4501371 (OS Build 17763.592) (https://support.microsoft.com/help/4501371/windows-10-update-kb4501371) - Windows 10, 1803 June 18, 2019—KB4503288 (OS Build 17134.858) (https://support.microsoft.com/help/4503288/windows-10-update-kb4503288) 
@@ -48,19 +49,24 @@ Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) ### Get COM object GUID Get GUID of application to allow in one of the following ways: -- Finding block event in Event Viewer (Application and Service Logs > Microsoft > Windows > AppLocker > MSI and Script) and extracting GUID -- Creating audit policy (using New-CIPolicy –Audit), potentially with specific provider, and use info from block events to get GUID +- Finding a block event in Event Viewer (Application and Service Logs > Microsoft > Windows > AppLocker > MSI and Script), and extracting GUID +- Creating an audit policy (using New-CIPolicy –Audit), potentially with a specific provider, and use the info from the block events to get the GUID ### Author policy setting to allow or deny COM object GUID Three elements: + - Provider: platform on which code is running (values are Powershell, WSH, IE, VBA, MSI, or a wildcard “AllHostIds”) -- Key: GUID for the program you with to run, in the format Key="{33333333-4444-4444-1616-161616161616}" +- Key: GUID for the program you wish to run, in the format Key="{33333333-4444-4444-1616-161616161616}" - ValueName: needs to be set to "EnterpriseDefinedClsId" One attribute: + - Value: needs to be “true” for allow and “false” for deny - - Note that deny only works in base policies, not supplemental + + > [!NOTE] + > Deny only works in base policies, not supplemental policies + - The setting needs to be placed in the order of ASCII values (first by Provider, then Key, then ValueName) ### Examples 
@@ -96,19 +102,18 @@ Example 3: Allows a specific COM object to register in PowerShell ``` ### How to configure settings for the CLSIDs -Given the following example of an error in the Event Viewer (**Application and Service Logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**): +Here's an example of an error in the Event Viewer (**Application and Service Logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**): -Log Name: Microsoft-Windows-AppLocker/MSI and Script -Source: Microsoft-Windows-AppLocker -Date: 11/11/2020 1:18:11 PM -Event ID: 8036 -Task Category: None -Level: Error -Keywords: -User: S-1-5-21-3340858017-3068726007-3466559902-3647 -Computer: contoso.com -Description: -{f8d253d9-89a4-4daa-87b6-1168369f0b21} was prevented from running due to Config CI policy. +> Log Name: Microsoft-Windows-AppLocker/MSI and Script
                  +> Source: Microsoft-Windows-AppLocker
                  +> Date: 11/11/2020 1:18:11 PM
                  +> Event ID: 8036
                  +> Task Category: None
                  +> Level: Error
                  +> Keywords:
                  +> User: S-1-5-21-3340858017-3068726007-3466559902-3647
                  +> Computer: contoso.com
                  +> Description: {f8d253d9-89a4-4daa-87b6-1168369f0b21} was prevented from running due to Config CI policy. Event XML: @@ -122,7 +127,7 @@ Event XML: 0 0 0x4000000000000000 - + 819347 @@ -137,22 +142,23 @@ Event XML: ``` -To add this CLSID to the existing policy, use the following steps: +To add this CLSID to the existing policy, follow these steps: 1. Open PowerShell ISE with Administrative privileges. + 2. Copy and edit this command, then run it from the admin PowerShell ISE. Consider the policy name to be `WDAC_policy.xml`. -```PowerShell -PS C:\WINDOWS\system32> Set-CIPolicySetting -FilePath \WDAC_policy.xml -Key 8856f961-340a-11d0-a96b-00c04fd705a2 -Provider WSH -Value True -ValueName EnterpriseDefinedClsId -ValueType Boolean -``` - -Once the command has been run, you will find that the following section is added to the policy XML. - -```XML - - - - true - - -``` \ No newline at end of file + ```PowerShell + PS C:\WINDOWS\system32> Set-CIPolicySetting -FilePath \WDAC_policy.xml -Key "{f8d253d9-89a4-4daa-87b6-1168369f0b21}" -Provider WSH -Value true -ValueName EnterpriseDefinedClsId -ValueType Boolean + ``` + + Once the command has been run, you will find that the following section is added to the policy XML. + + ```XML + + + + true + + + ``` diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.yml deleted file mode 100644 index b796c0e95e..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: AppLocker - href: applocker-overview.md - items: - - name: Administer AppLocker - href: administer-applocker.md - items: - - name: Maintain AppLocker policies - href: maintain-applocker-policies.md - - name: Edit an AppLocker policy - href: edit-an-applocker-policy.md - - name: Test and update an AppLocker policy - href: test-and-update-an-applocker-policy.md - - name: Deploy AppLocker policies by using the enforce rules setting - href: deploy-applocker-policies-by-using-the-enforce-rules-setting.md - - name: Use the AppLocker Windows PowerShell cmdlets - href: use-the-applocker-windows-powershell-cmdlets.md - - name: Use AppLocker and Software Restriction Policies in the same domain - href: use-applocker-and-software-restriction-policies-in-the-same-domain.md - - name: Optimize AppLocker performance - href: optimize-applocker-performance.md - - name: Monitor app usage with AppLocker - href: monitor-application-usage-with-applocker.md - - name: Manage packaged apps with AppLocker - href: manage-packaged-apps-with-applocker.md - - name: Working with AppLocker rules - href: working-with-applocker-rules.md - items: - - name: Create a rule that uses a file hash condition - href: create-a-rule-that-uses-a-file-hash-condition.md - - name: Create a rule that uses a path condition - href: create-a-rule-that-uses-a-path-condition.md - - name: Create a rule that uses a publisher condition - href: create-a-rule-that-uses-a-publisher-condition.md - - name: Create AppLocker default rules - href: create-applocker-default-rules.md - - name: Add exceptions for an AppLocker rule - href: configure-exceptions-for-an-applocker-rule.md - - name: Create a rule for packaged apps - href: create-a-rule-for-packaged-apps.md - - name: Delete an AppLocker rule - href: delete-an-applocker-rule.md - - name: Edit AppLocker rules - href: edit-applocker-rules.md - - name: Enable the DLL rule collection - href: enable-the-dll-rule-collection.md - - name: Enforce AppLocker 
rules - href: enforce-applocker-rules.md - - name: Run the Automatically Generate Rules wizard - href: run-the-automatically-generate-rules-wizard.md - - name: Working with AppLocker policies - href: working-with-applocker-policies.md - items: - - name: Configure the Application Identity service - href: configure-the-application-identity-service.md - - name: Configure an AppLocker policy for audit only - href: configure-an-applocker-policy-for-audit-only.md - - name: Configure an AppLocker policy for enforce rules - href: configure-an-applocker-policy-for-enforce-rules.md - - name: Display a custom URL message when users try to run a blocked app - href: display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md - - name: Export an AppLocker policy from a GPO - href: export-an-applocker-policy-from-a-gpo.md - - name: Export an AppLocker policy to an XML file - href: export-an-applocker-policy-to-an-xml-file.md - - name: Import an AppLocker policy from another computer - href: import-an-applocker-policy-from-another-computer.md - - name: Import an AppLocker policy into a GPO - href: import-an-applocker-policy-into-a-gpo.md - - name: Add rules for packaged apps to existing AppLocker rule-set - href: add-rules-for-packaged-apps-to-existing-applocker-rule-set.md - - name: Merge AppLocker policies by using Set-ApplockerPolicy - href: merge-applocker-policies-by-using-set-applockerpolicy.md - - name: Merge AppLocker policies manually - href: merge-applocker-policies-manually.md - - name: Refresh an AppLocker policy - href: refresh-an-applocker-policy.md - - name: Test an AppLocker policy by using Test-AppLockerPolicy - href: test-an-applocker-policy-by-using-test-applockerpolicy.md - - name: AppLocker design guide - href: applocker-policies-design-guide.md - items: - - name: Understand AppLocker policy design decisions - href: understand-applocker-policy-design-decisions.md - - name: Determine your application control objectives - href: 
determine-your-application-control-objectives.md - - name: Create a list of apps deployed to each business group - href: create-list-of-applications-deployed-to-each-business-group.md - items: - - name: Document your app list - href: document-your-application-list.md - - name: Select the types of rules to create - href: select-types-of-rules-to-create.md - items: - - name: Document your AppLocker rules - href: document-your-applocker-rules.md - - name: Determine the Group Policy structure and rule enforcement - href: determine-group-policy-structure-and-rule-enforcement.md - items: - - name: Understand AppLocker enforcement settings - href: understand-applocker-enforcement-settings.md - - name: Understand AppLocker rules and enforcement setting inheritance in Group Policy - href: understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md - - name: Document the Group Policy structure and AppLocker rule enforcement - href: document-group-policy-structure-and-applocker-rule-enforcement.md - - name: Plan for AppLocker policy management - href: plan-for-applocker-policy-management.md - - name: AppLocker deployment guide - href: applocker-policies-deployment-guide.md - items: - - name: Understand the AppLocker policy deployment process - href: understand-the-applocker-policy-deployment-process.md - - name: Requirements for Deploying AppLocker Policies - href: requirements-for-deploying-applocker-policies.md - - name: Use Software Restriction Policies and AppLocker policies - href: using-software-restriction-policies-and-applocker-policies.md - - name: Create Your AppLocker policies - href: create-your-applocker-policies.md - items: - - name: Create Your AppLocker rules - href: create-your-applocker-rules.md - - name: Deploy the AppLocker policy into production - href: deploy-the-applocker-policy-into-production.md - items: - - name: Use a reference device to create and maintain AppLocker policies - href: 
use-a-reference-computer-to-create-and-maintain-applocker-policies.md - - name: Determine which apps are digitally signed on a reference device - href: determine-which-applications-are-digitally-signed-on-a-reference-computer.md - - name: Configure the AppLocker reference device - href: configure-the-appLocker-reference-device.md - - name: AppLocker technical reference - href: applocker-technical-reference.md - items: - - name: What Is AppLocker? - href: what-is-applocker.md - - name: Requirements to use AppLocker - href: requirements-to-use-applocker.md - - name: AppLocker policy use scenarios - href: applocker-policy-use-scenarios.md - - name: How AppLocker works - href: how-applocker-works-techref.md - items: - - name: Understanding AppLocker rule behavior - href: understanding-applocker-rule-behavior.md - - name: Understanding AppLocker rule exceptions - href: understanding-applocker-rule-exceptions.md - - name: Understanding AppLocker rule collections - href: understanding-applocker-rule-collections.md - - name: Understanding AppLocker allow and deny actions on rules - href: understanding-applocker-allow-and-deny-actions-on-rules.md - - name: Understanding AppLocker rule condition types - href: understanding-applocker-rule-condition-types.md - items: - - name: Understanding the publisher rule condition in AppLocker - href: understanding-the-publisher-rule-condition-in-applocker.md - - name: Understanding the path rule condition in AppLocker - href: understanding-the-path-rule-condition-in-applocker.md - - name: Understanding the file hash rule condition in AppLocker - href: understanding-the-file-hash-rule-condition-in-applocker.md - - name: Understanding AppLocker default rules - href: understanding-applocker-default-rules.md - items: - - name: Executable rules in AppLocker - href: executable-rules-in-applocker.md - - name: Windows Installer rules in AppLocker - href: windows-installer-rules-in-applocker.md - - name: Script rules in AppLocker - href: 
script-rules-in-applocker.md - - name: DLL rules in AppLocker - href: dll-rules-in-applocker.md - - name: Packaged apps and packaged app installer rules in AppLocker - href: packaged-apps-and-packaged-app-installer-rules-in-applocker.md - - name: AppLocker architecture and components - href: applocker-architecture-and-components.md - - name: AppLocker processes and interactions - href: applocker-processes-and-interactions.md - - name: AppLocker functions - href: applocker-functions.md - - name: Security considerations for AppLocker - href: security-considerations-for-applocker.md - - name: Tools to Use with AppLocker - href: tools-to-use-with-applocker.md - items: - - name: Using Event Viewer with AppLocker - href: using-event-viewer-with-applocker.md - - name: AppLocker Settings - href: applocker-settings.md diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md index 9036f3e4c1..d3d7b17207 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 -ms.technology: mde +ms.technology: windows-sec --- # Add rules for packaged apps to existing AppLocker rule-set 
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above

 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).

 This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).

diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
index 7f2698f4c6..3c1120b48b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/28/2019
-ms.technology: mde
+ms.technology: windows-sec
 ---

 # Administer AppLocker
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above

 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).

 This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.

diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md
index 44cb55c39e..206a7b287c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---

 # AppLocker architecture and components
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above

 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).

 This topic for IT professional describes AppLocker’s basic architecture and its major components.

diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
index c6b0e3ecf4..aa517a5505 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---

 # AppLocker functions
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above

 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).

 This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.

diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
index 93a162dc9a..af1cdbd2d8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 10/16/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---

 # AppLocker
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md index 86a8829b86..8b61cc5f7c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 -ms.technology: mde +ms.technology: windows-sec --- 
@@ -28,7 +28,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
index a7d286ac77..5175d57766 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # AppLocker design guide
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
index 9afaf76dd4..32d003ef09 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # AppLocker policy use scenarios
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
index 72c593b20b..8460667499 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # AppLocker processes and interactions
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
index e6ffbc2ba9..85ecf639ea 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # AppLocker settings
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for the IT professional lists the settings used by AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
index 49e952d360..7dc333ae22 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # AppLocker technical reference
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This overview topic for IT professionals provides links to the topics in the technical reference. AppLocker advances the application control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md index 44e68d79c2..8dbd16c51c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/08/2018 -ms.technology: mde +ms.technology: windows-sec --- # Configure an AppLocker policy for audit only 
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
index e59657993f..4ae757fa97 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Configure an AppLocker policy for enforce rules
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
index a018cafadb..1eba7b9033 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Add exceptions for an AppLocker rule
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
index e836660931..0675c5fa73 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Configure the AppLocker reference device
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
index 0501a133b2..4db27c8710 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 07/01/2021
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Configure the Application Identity service
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
index eecd667d2b..f983e81eba 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Create a rule for packaged apps
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
index 141694e9b1..0f78585339 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Create a rule that uses a file hash condition
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
index 3efd61d7e9..f935341e92 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Create a rule that uses a path condition
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for IT professionals shows how to create an AppLocker rule with a path condition.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
index 8554f3c9f2..60623baeae 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Create a rule that uses a publisher condition
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
index 1b41d7d17d..d130fe7233 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Create AppLocker default rules
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
index 61d80caa45..7daf4320eb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Create a list of apps deployed to each business group
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
index a4dd6d3cbb..961dd4e3ff 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Create Your AppLocker policies
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md
index 49afa8e599..cdda7822da 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Create Your AppLocker rules
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
index d99290ca20..e5b26ce22e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 11/09/2020
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Delete an AppLocker rule
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This article for IT professionals describes the steps to delete an AppLocker rule.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
index 4eacf25176..76c4ee127a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Deploy AppLocker policies by using the enforce rules setting
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
index 1cef053c49..3c3692819b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Deploy the AppLocker policy into production
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
 This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
index 4e97c71abe..2d9fdbe7c2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Determine the Group Policy structure and rule enforcement
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
 This overview topic describes the process to follow when you are planning to deploy AppLocker rules.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
index cd61c3ae04..656ab2805e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Determine which apps are digitally signed on a reference device
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
 This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
index 90e037220c..e4bdbbc2b7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Determine your application control objectives
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
 This article helps with decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
index 0337e87f46..596ca4a50f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Display a custom URL message when users try to run a blocked app
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
 This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
index f547e9a47c..5c09c86d2e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # DLL rules in AppLocker
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
 This topic describes the file formats and available default rules for the DLL rule collection.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
index 94b76c08b1..252fb96ede 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
@@ -15,7 +15,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.pagetype: security
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Document the Group Policy structure and AppLocker rule enforcement
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
 This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
index abace52005..33ffa59ce9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Document your app list
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
 This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
index 61e0ea6cd7..2db8ca7042 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Document your AppLocker rules
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
 This topic describes what AppLocker rule conditions to associate with each file, how to associate these rule conditions, the source of the rule, and whether the file should be included or excluded.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
index d9503e8a00..811e3ab499 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Edit an AppLocker policy
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
 This topic for IT professionals describes the steps required to modify an AppLocker policy.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
index ae57316f95..742bb76aa9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Edit AppLocker rules
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
 This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
index a7127c01e3..81877d328c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Enable the DLL rule collection
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
 This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
index d5af5704b4..67fa92f12c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Enforce AppLocker rules
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
 This topic for IT professionals describes how to enforce application control rules by using AppLocker.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
index 4a08f289bb..b8a51feeed 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Executable rules in AppLocker
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
 This topic describes the file formats and available default rules for the executable rule collection.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
index 6a31ee8659..aa08b6fce3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Export an AppLocker policy from a GPO
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
 This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
index b31a06093c..25c099d3c3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Export an AppLocker policy to an XML file
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md index a69c492e7b..bcccdec697 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 -ms.technology: mde +ms.technology: windows-sec --- # How AppLocker works 
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
 This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
index ee2571025c..eec6f18251 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Import an AppLocker policy from another computer
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
 This topic for IT professionals describes how to import an AppLocker policy.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
index a1f2c8e829..9853f4b41f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Import an AppLocker policy into a GPO
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). AppLocker policies can be created as local security policies and modified like any other local security policy, or they can be created as part of a GPO and managed by using Group Policy. You can create AppLocker policies on any supported computer. For info about which Windows editions are supported, see [Requirements to Use AppLocker](requirements-to-use-applocker.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md index 495e5578cb..04db4a506d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.technology: mde +ms.technology: windows-sec --- # Maintain AppLocker policies 
@@ -26,7 +26,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
 This topic describes how to maintain rules within AppLocker policies.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
index 963ec6547b..6c12bd897b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Manage packaged apps with AppLocker
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
 This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
index 1034d8e194..7737b4399b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 
 # Merge AppLocker policies by using Set-ApplockerPolicy
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
index c6beb49771..4063ae1e66 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Merge AppLocker policies manually
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
index 15bd4e6197..a19c80618b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Monitor app usage with AppLocker
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md
index 15357f0a4c..e1bfa2e4a6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Optimize AppLocker performance
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for IT professionals describes how to optimize AppLocker policy enforcement.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
index 7cd27ec5a6..c79be76e77 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 10/13/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Packaged apps and packaged app installer rules in AppLocker
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic explains the AppLocker rule collection for packaged app installers and packaged apps.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
index 5a2aab5ef9..b114297f17 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Plan for AppLocker policy management
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
index c306fa8809..e4d36fb82e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Refresh an AppLocker policy
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for IT professionals describes the steps to force an update for an AppLocker policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
index 3d09d68ef3..85f6eb11a3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Requirements for deploying AppLocker policies
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
index 63b249672d..023753c944 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Requirements to use AppLocker
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
index 4c9ff4b21a..b45234c1a0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Run the Automatically Generate Rules wizard
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
index 4b4ca99f66..48095da0ce 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Script rules in AppLocker
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic describes the file formats and available default rules for the script rule collection.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
index 006efd19a1..3b58e12ab7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Security considerations for AppLocker
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for the IT professional describes the security considerations you need to address when implementing AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
index 9dedd807d1..0e46c32873 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Select the types of rules to create
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic lists resources you can use when selecting your application control policy rules by using AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
index ca0dc2f8e4..af4f2f86cc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Test an AppLocker policy by using Test-AppLockerPolicy
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
index 3a42a9d7aa..e94dd7e02a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Test and update an AppLocker policy
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic discusses the steps required to test an AppLocker policy prior to deployment.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
index 19eb7cd1d3..25bb78c4e1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Tools to use with AppLocker
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for the IT professional describes the tools available to create and administer AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
index 7058ee0c64..9b7c321d4e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Understand AppLocker enforcement settings
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic describes the AppLocker enforcement settings for rule collections.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
index ccdfd461a6..2d5fca2ebb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 10/13/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Understand AppLocker policy design decisions
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
index 5803246cf1..e7a565430e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Understand AppLocker rules and enforcement setting inheritance in Group Policy
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
index 23383522f6..b0c0834967 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Understand the AppLocker policy deployment process
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
index 319498a599..3fe3cbccdc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Understanding AppLocker allow and deny actions on rules
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic explains the differences between allow and deny actions on AppLocker rules.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
index 7a33f4dde5..8c640a6c94 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/21/2017
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Understanding AppLocker default rules
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md index 92f40c3d8c..92bd84efc4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 -ms.technology: mde +ms.technology: windows-sec --- # Understanding AppLocker rule behavior 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md index e8cf87080b..23dd648c32 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 -ms.technology: mde +ms.technology: windows-sec --- # Understanding AppLocker rule collections 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the five different types of AppLocker rules used to enforce AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md index 80ce31b642..b56ba6c88d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 -ms.technology: mde +ms.technology: windows-sec --- # Understanding AppLocker rule condition types 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the three types of AppLocker rule conditions. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md index c4cf8ac3ea..295497d103 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 -ms.technology: mde +ms.technology: windows-sec --- # Understanding AppLocker rule exceptions 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the result of applying AppLocker rule exceptions to rule collections. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md index 1bb2c999af..2a8b980f8f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 -ms.technology: mde +ms.technology: windows-sec --- # Understanding the file hash rule condition in AppLocker 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md index e8856ed8ee..0eb3e887ba 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 -ms.technology: mde +ms.technology: windows-sec --- # Understanding the path rule condition in AppLocker 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md index 8dade37801..86cc3ed874 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 -ms.technology: mde +ms.technology: windows-sec --- # Understanding the publisher rule condition in AppLocker 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md index a283a7ab4f..e054f32aa9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md @@ -15,7 +15,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.reviewer: -ms.technology: mde +ms.technology: windows-sec --- # Use a reference device to create and maintain AppLocker policies 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md index 6dcd91c001..a22f94b741 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 -ms.technology: mde +ms.technology: windows-sec --- # Use AppLocker and Software Restriction Policies in the same domain 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md index ce28a56e21..636ea5f18b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 -ms.technology: mde +ms.technology: windows-sec --- # Use the AppLocker Windows PowerShell cmdlets 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index 3015885de1..aa10905181 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 -ms.technology: mde +ms.technology: windows-sec --- # Using Event Viewer with AppLocker 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md index 79b2485918..47f5faeacd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 -ms.technology: mde +ms.technology: windows-sec --- # Use Software Restriction Policies and AppLocker policies 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md index b65a70c0fe..3629a929f5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 -ms.technology: mde +ms.technology: windows-sec --- # What Is AppLocker? 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md index 0975dd70c7..fcc0f3b253 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 -ms.technology: mde +ms.technology: windows-sec --- # Windows Installer rules in AppLocker 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the file formats and available default rules for the Windows Installer rule collection. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md index e4c6caae70..211cdb2e62 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md @@ -15,7 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 -ms.technology: mde +ms.technology: windows-sec --- # Working with AppLocker policies 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md index 74ce2ea9d8..4379162473 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md @@ -13,7 +13,7 @@ author: dansimp ms.localizationpriority: medium msauthor: v-anbic ms.date: 08/27/2018 -ms.technology: mde +ms.technology: windows-sec --- # Working with AppLocker rules 
@@ -25,7 +25,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md index 671bd29bf1..7f1870c0b6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -15,7 +15,7 @@ ms.reviewer: jogeurte ms.author: dansimp manager: dansimp ms.date: 05/03/2021 -ms.technology: mde +ms.technology: windows-sec --- # Use audit events to create WDAC policy rules and Convert **base** policy from audits to enforced 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md). Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included. diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index 706f2e6d6a..37b1dd7a2a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md @@ -15,7 +15,7 @@ ms.reviewer: jogeurte ms.author: dansimp manager: dansimp ms.date: 05/03/2018 -ms.technology: mde +ms.technology: windows-sec --- # Use audit events to create WDAC policy rules 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md). Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included. diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 8b898dfcb6..68dee402b4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -1,6 +1,6 @@ --- -title: Configure authorized apps deployed with a WDAC-managed installer (Windows) -description: Explains about how to configure a custom Manged Installer. +title: Allow apps deployed with a WDAC managed installer (Windows) +description: Explains how to configure a custom Managed Installer. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security 
@@ -11,44 +11,41 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 08/10/2021 -ms.technology: mde +ms.date: 10/19/2021 +ms.technology: windows-sec --- -# Configuring authorized apps deployed by a managed installer with AppLocker and Windows Defender Application Control +# Automatically allow apps deployed by a managed installer with Windows Defender Application Control **Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2019 and above ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Windows 10 (version 1703) introduced a new option for Windows Defender Application Control (WDAC), called _managed installer_, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager. ## How does a managed installer work? -A new rule collection in AppLocker specifies binaries that are trusted by the organization as an authorized source for application deployment. When one of these trusted binaries runs, Windows will monitor the binary's process (and processes it launches), and then tag all files it writes as having originated from a managed installer. The managed installer rule collection is configured using Group Policy and can be applied with the Set-AppLockerPolicy PowerShell cmdlet. 
You can't currently set managed installers with the AppLocker CSP through MDM. +Managed installer uses a special rule collection in **AppLocker** to designate binaries that are trusted by your organization as an authorized source for application installation. When one of these trusted binaries runs, Windows monitors the binary's process (and processes it launches) and watches for files being written to disk. As files are written, they are tagged as originating from a managed installer. -Having defined your managed installers by using AppLocker, you can then configure WDAC to trust files that are installed by a managed installer. You do so by adding the "Enabled:Managed Installer" option to your WDAC policy. When that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules present for the file, WDAC will allow a file to run based on its managed installer origin. - -Ensure that the WDAC policy allows the system/boot components and any other authorized applications that can't be deployed through a managed installer. +You can then configure WDAC to trust files that are installed by a managed installer by adding the "Enabled:Managed Installer" option to your WDAC policy. When that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules for the binary, WDAC will allow it to run based purely on its managed installer origin. ## Security considerations with managed installer -Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. -It's best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager (MEMCM). 
+Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. The managed installer is best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager (MEMCM). Users with administrator privileges, or malware running as an administrator user on the system, may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. If a managed installer process runs in the context of a user with standard privileges, then it's possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. -Some application installers may automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files that are created during the first run of the application. Extension of the installer's authorization could result in unintentional authorization of an executable. To avoid that outcome, ensure that the method of application deployment that is used as a managed installer limits running applications as part of installation. +Some application installers may automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files that are created during the first run of the application. This could result in unintentional authorization of an executable. To avoid that, ensure that the method of application deployment that is used as a managed installer limits running applications as part of installation. 
## Known limitations with managed installer 
@@ -60,162 +57,138 @@ Some application installers may automatically run the application at the end of - The managed installer heuristic doesn't authorize kernel drivers. The WDAC policy must have rules that allow the necessary drivers to run. -## Configuring the managed installer +## Configure managed installer tracking with AppLocker and WDAC -Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy, with specific rules and options enabled. -There are three primary steps to keep in mind: +To turn on managed installer tracking, you must: -- Specify managed installers, by using the Managed Installer rule collection in AppLocker policy. -- Enable service enforcement in AppLocker policy. -- Enable the managed installer option in a WDAC policy. +- Create and deploy an AppLocker policy that defines your managed installer rules and enables services enforcement for executables and DLLs. +- Enable AppLocker's Application Identity and AppLockerFltr services. -## Specify managed installers using the Managed Installer rule collection in AppLocker policy +### Create and deploy an AppLocker policy that defines your managed installer rules and enables services enforcement for executables and DLLs -The identity of the managed installer executable(s) is specified in an AppLocker policy, in a Managed Installer rule collection. +Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use an XML or text editor to convert an EXE rule collection policy into a ManagedInstaller rule collection. +> [!NOTE] +> Only EXE file types can be designated as managed installers. -### Create Managed Installer rule collection - -Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. 
However, you can use a text editor to make the changes that are needed to an EXE or DLL rule collection policy, to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO. - -1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback but other rule types can be used as well. You may need to reformat the output for readability. +1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. This example creates a rule for Microsoft's Intune Management Extension using the Publisher rule type, but any AppLocker rule type can be used. You may need to reformat the output for readability. ```powershell - Get-ChildItem | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml + Get-ChildItem ${env:ProgramFiles(x86)}'\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe' | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml > AppLocker_MI_PS_ISE.xml ``` -2. Manually rename the rule collection to ManagedInstaller +2. Manually change the rule collection Type from "Exe" to "ManagedInstaller" and set EnforcementMode to "AuditOnly" - Change + Change: - ```powershell + ```XML ``` - to + to: - ```powershell + ```XML ``` -An example of a valid Managed Installer rule collection, using Microsoft Endpoint Config Manager (MEMCM), MEM (Intune), Powershell, and PowerShell ISE, is shown below. Remove any rules that you do not wish to designate as a Managed Installer. 
- -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +3. Manually edit your AppLocker policy and add the EXE and DLL rule collections with at least one rule for each. To ensure your policy can be safely applied on systems that may already have an active AppLocker policy, we recommend using a benign DENY rule to block a fake binary and set the rule collection's EnforcementMode to AuditOnly. Additionally, since many installation processes rely on services, you need to enable services tracking for each of those rule collections. The following example shows a partial AppLocker policy with the EXE and DLL rule collection configured as recommended. + + ```xml + + - - - + - - - - - - - - - - - - - - - - - - - - - - - - -``` -### Enable service enforcement in AppLocker policy + + + + + + + + + + + + + + + + + + + + ``` -Since many installation processes rely on services, it is typically necessary to enable tracking of services. -Correct tracking of services requires the presence of at least one rule in the rule collection. So, a simple audit-only rule will suffice. The audit rule can be added to the policy created above, which specifies the rule collection of your managed installer. +4. Verify your AppLocker policy. The following example shows a complete AppLocker policy that sets Microsoft Endpoint Config Manager (MEMCM)and Microsoft Endpoint Manager Intune as managed installers. Only those AppLocker rule collections that have actual rules defined are included in the final XML. This ensures the policy will merge successfully on devices which may already have an AppLocker policy in place. -For example: + ```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ``` -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` +5. Deploy your AppLocker managed installer configuration policy. 
You can either import your AppLocker policy and deploy with Group Policy or use a script to deploy the policy with the Set-AppLockerPolicy cmdlet as shown in the following PowerShell command. + + ```powershell + Set-AppLockerPolicy -XmlPolicy -Merge -ErrorAction SilentlyContinue + ``` + +6. If deploying your AppLocker policy via script, use appidtel.exe to configure the AppLocker Application Identity service and AppLocker filter driver. + + ```console + appidtel.exe start [-mionly] + ``` + + Specify "-mionly" if you don't plan to use the Intelligent Security Graph (ISG). + +> [!NOTE] +> Managed installer tracking will start the next time a process runs that matches your managed installer rules. If an intended process is already running, you must restart it. ## Enable the managed installer option in WDAC policy 
@@ -234,75 +207,17 @@ Below are steps to create a WDAC policy that allows Windows to boot and enables Set-CIPolicyIdInfo -FilePath -PolicyName "" -ResetPolicyID ``` -3. Set Option 13 (Enabled:Managed Installer) +3. Set Option 13 (Enabled:Managed Installer). ```powershell Set-RuleOption -FilePath -Option 13 ``` -## Set the AppLocker filter driver to autostart +4. Deploy your WDAC policy. See [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md). -To enable the managed installer, you need to set the AppLocker filter driver to autostart, and start it. +> [!NOTE] +> Your WDAC policy must include rules for all system/boot components, kernel drivers, and any other authorized applications that can't be deployed through a managed installer. -To do so, run the following command as an Administrator: +## Related articles -```console -appidtel.exe start [-mionly] -``` - -Specify "-mionly" if you will not use the Intelligent Security Graph (ISG). - -## Using fsutil to query SmartLocker EA -Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This can be achieved by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This can be used in conjunction with enabling the MI and ISG logging events. - -#### Example: -```powershell -fsutil file queryEA C:\Users\Temp\Downloads\application.exe - -Extended Attributes (EA) information for file C:\Users\Temp\Downloads\application.exe: - -Ea Buffer Offset: 410 -Ea Name: $KERNEL.SMARTLOCKER.ORIGINCLAIM -Ea Value Length: 7e -0000: 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................ -0010: b2 ff 10 66 bc a8 47 c7 00 d9 56 9d 3d d4 20 2a ...f..G...V.=. 
* -0020: 63 a3 80 e2 d8 33 8e 77 e9 5c 8d b0 d5 a7 a3 11 c....3.w.\...... -0030: 83 00 00 00 00 00 00 00 5c 00 00 00 43 00 3a 00 ........\...C.:. -0040: 5c 00 55 00 73 00 65 00 72 00 73 00 5c 00 6a 00 \.U.s.e.r.s.\.T. -0050: 6f 00 67 00 65 00 75 00 72 00 74 00 65 00 2e 00 e.m.p..\D.o.w.n... -0060: 52 00 45 00 44 00 4d 00 4f 00 4e 00 44 00 5c 00 l.o.a.d.\a.p.p.l. -0070: 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 i.c.a.t.i.o.n..e.x.e -``` - -## Enabling managed installer logging events - -Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events. - -## Deploying the Managed Installer rule collection - -Once you've completed configuring your chosen Managed Installer, by specifying which option to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it. - -1. Use the following command to deploy the policy. - ```powershell - $policyFile= - @" - Raw_AppLocker_Policy_XML - "@ - Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue - ``` - -2. Verify Deployment of the ruleset was successful - ```powershell - Get-AppLockerPolicy -Local - - Version RuleCollections RuleCollectionTypes - ------- --------------- ------------------- - 1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...} - ``` - Verify the output shows the ManagedInstaller rule set. - -3. Get the policy XML (optional) using PowerShell: - ```powershell - Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue - ``` - This command will show the raw XML to verify the individual rules that were set. \ No newline at end of file +- [Managed installer and ISG technical reference and troubleshooting guide](configure-wdac-managed-installer.md) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md index a6fe5ce62e..d0179f7f5e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md @@ -1,5 +1,5 @@ --- -title: Configure a WDAC managed installer (Windows) +title: Managed installer and ISG technical reference and troubleshooting guide (Windows) description: Explains how to configure a custom Manged Installer. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb 
@@ -15,151 +15,78 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 08/14/2020 -ms.technology: mde +ms.technology: windows-sec --- -# Configuring a managed installer with AppLocker and Windows Defender Application Control +# Managed installer and ISG technical reference and troubleshooting guide **Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2019 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md). -Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy with specific rules and options enabled. -There are three primary steps to keep in mind: +## Using fsutil to query SmartLocker EA -- Specify managed installers by using the Managed Installer rule collection in AppLocker policy. -- Enable service enforcement in AppLocker policy. -- Enable the managed installer option in a WDAC policy. +Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This can be achieved by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This can be used in conjunction with enabling the MI and ISG logging events. 
-## Specify managed installers using the Managed Installer rule collection in AppLocker policy +**Example:** -The identity of the managed installer executable(s) is specified in an AppLocker policy in a Managed Installer rule collection. +```powershell +fsutil file queryEA C:\Users\Temp\Downloads\application.exe -### Create Managed Installer rule collection +Extended Attributes (EA) information for file C:\Users\Temp\Downloads\application.exe: -Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, a text editor can be used to make the simple changes needed to an EXE or DLL rule collection policy to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO. - -1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback, but other rule types can be used as well. You may need to reformat the output for readability. - - ```powershell - Get-ChildItem | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml - ``` - -2. Manually rename the rule collection to ManagedInstaller - - Change - - ```powershell - - ``` - - to - - ```powershell - - ``` - -An example of a valid Managed Installer rule collection using Microsoft Endpoint Config Manager (MEMCM) is shown below. - -```xml - - - - - - - - - - - - - - - - +Ea Buffer Offset: 410 +Ea Name: $KERNEL.SMARTLOCKER.ORIGINCLAIM +Ea Value Length: 7e +0000: 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................ +0010: b2 ff 10 66 bc a8 47 c7 00 d9 56 9d 3d d4 20 2a ...f..G...V.=. 
* +0020: 63 a3 80 e2 d8 33 8e 77 e9 5c 8d b0 d5 a7 a3 11 c....3.w.\...... +0030: 83 00 00 00 00 00 00 00 5c 00 00 00 43 00 3a 00 ........\...C.:. +0040: 5c 00 55 00 73 00 65 00 72 00 73 00 5c 00 6a 00 \.U.s.e.r.s.\.T. +0050: 6f 00 67 00 65 00 75 00 72 00 74 00 65 00 2e 00 e.m.p..\D.o.w.n... +0060: 52 00 45 00 44 00 4d 00 4f 00 4e 00 44 00 5c 00 l.o.a.d.\a.p.p.l. +0070: 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 i.c.a.t.i.o.n..e.x.e ``` -### Enable service enforcement in AppLocker policy - -Since many installation processes rely on services, it is typically necessary to enable tracking of services. -Correct tracking of services requires the presence of at least one rule in the rule collection, so a simple audit only rule will suffice. This can be added to the policy created above which specifies your managed installer rule collection. - -For example: - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Enable the managed installer option in WDAC policy - -In order to enable trust for the binaries laid down by managed installers, the Enabled: Managed Installer option must be specified in your WDAC policy. -This can be done by using the [Set-RuleOption cmdlet](/powershell/module/configci/set-ruleoption) with Option 13. - -Below are steps to create a WDAC policy that allows Windows to boot and enables the managed installer option. - -1. Copy the DefaultWindows_Audit policy into your working folder from C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml - -2. Reset the policy ID to ensure it is in multiple policy format and give it a different GUID from the example policies. Also give it a friendly name to help with identification. - - Ex. - - ```powershell - Set-CIPolicyIdInfo -FilePath -PolicyName "" -ResetPolicyID - ``` - -3. 
Set Option 13 (Enabled:Managed Installer) - - ```powershell - Set-RuleOption -FilePath -Option 13 - ``` - -## Set the AppLocker filter driver to autostart - -To enable the managed installer, you need to set the AppLocker filter driver to autostart and start it. - -To do so, run the following command as an Administrator: - -```console -appidtel.exe start [-mionly] -``` - -Specify `-mionly` if you will not use the Intelligent Security Graph (ISG). - ## Enabling managed installer logging events -Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events. \ No newline at end of file +Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events. + +## Deploying the Managed Installer rule collection + +Once you've completed configuring your chosen Managed Installer, by specifying which option to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it. + +1. Use the following command to deploy the policy. + + ```powershell + $policyFile= + @" + Raw_AppLocker_Policy_XML + "@ + Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue + ``` + +2. Verify Deployment of the ruleset was successful + + ```powershell + Get-AppLockerPolicy -Local + + Version RuleCollections RuleCollectionTypes + ------- --------------- ------------------- + 1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...} + ``` + + Verify the output shows the ManagedInstaller rule set. + +3. 
Get the policy XML (optional) using PowerShell: + + ```powershell + Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue + ``` + + This command will show the raw XML to verify the individual rules that were set. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md index 761ea31822..26a241db0e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md @@ -15,7 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 02/28/2018 -ms.technology: mde +ms.technology: windows-sec --- # Optional: Create a code signing cert for Windows Defender Application Control 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index 40ab4ad3bd..72b3039271 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -15,7 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/03/2018 -ms.technology: mde +ms.technology: windows-sec --- # Create a WDAC policy for fixed-workload devices using a reference computer 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This section outlines the process to create a WDAC policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index 0037968837..f088c8d7f9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -16,7 +16,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 11/20/2019 -ms.technology: mde +ms.technology: windows-sec --- # Create a WDAC policy for fully managed devices 
@@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This section outlines the process to create a WDAC policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager (MEM). Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index 76199f55b5..a173ced569 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -16,7 +16,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 11/15/2019 -ms.technology: mde +ms.technology: windows-sec --- # Create a WDAC policy for lightly managed devices 
@@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This section outlines the process to create a WDAC policy for **lightly managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC-managed devices as described in later topics. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index bdb0bb25f6..0ea6e2d239 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -15,7 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 02/28/2018 -ms.technology: mde +ms.technology: windows-sec --- # Deploy catalog files to support Windows Defender Application Control 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Catalog files can be important in your deployment of Windows Defender Application Control (WDAC) if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. To prepare to create WDAC policies that allow these trusted applications but block unsigned code (most malware is unsigned), you create a *catalog file* that contains information about the trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by WDAC in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 9ea7cc663a..2738724087 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -15,7 +15,7 @@ ms.reviewer: jogeurte ms.author: dansimp manager: dansimp ms.date: 07/19/2021 -ms.technology: mde +ms.technology: windows-sec --- # Use multiple Windows Defender Application Control Policies 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Prior to Windows 10 1903, WDAC only supported a single active policy on a system at any given time. This significantly limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios: diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md index dea3b62b33..73098a0cc4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md @@ -15,7 +15,7 @@ ms.reviewer: jogeurte ms.author: dansimp manager: dansimp ms.date: 02/28/2018 -ms.technology: mde +ms.technology: windows-sec --- # Deploy Windows Defender Application Control policies by using Group Policy 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). > [!NOTE] > Group Policy-based deployment of WDAC policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 29fbbe9431..3572e0f5f3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md @@ -15,7 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 04/29/2020 -ms.technology: mde +ms.technology: windows-sec --- # Deploy WDAC policies using Mobile Device Management (MDM) 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager (MEM) Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps. diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md index 3dcca008bc..1ac9e541d2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md @@ -11,7 +11,7 @@ ms.author: jogeurte ms.manager: jsuther manager: dansimp ms.date: 07/19/2021 -ms.technology: mde +ms.technology: windows-sec ms.topic: article ms.localizationpriority: medium --- 
@@ -25,7 +25,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). You can use Microsoft Endpoint Configuration Manager (MEMCM) to configure Windows Defender Application Control (WDAC) on client machines. @@ -41,7 +41,7 @@ MEMCM includes native support for WDAC, which allows you to configure Windows 10 Note that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot. -For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) +For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager). ## Deploy custom WDAC policies using Packages/Programs or Task Sequences 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
index 2212ae92fb..4368a1ce60 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
@@ -10,8 +10,8 @@ ms.reviewer: jogeurte
 ms.author: jogeurte
 ms.manager: jsuther
 manager: dansimp
-ms.date: 04/14/2021
-ms.technology: mde
+ms.date: 11/06/2021
+ms.technology: windows-sec
 ms.topic: article
 ms.localizationpriority: medium
 ---
@@ -25,14 +25,14 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host. > [!NOTE] > To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool. -## Script-based deployment process for Windows 10 version 1903 and above +## Deploying policies for Windows 10 version 1903 and above 1. Initialize the variables to be used by the script. 
@@ -56,21 +56,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p & $RefreshPolicyTool ``` -### Deploying signed policies - -In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. - -1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: -```powershell -mountvol J: /S -J: -mkdir J:\EFI\Microsoft\Boot\CiPolicies\Active -``` - -2. Copy the signed policy binary as `{PolicyGUID}.cip` to J:\EFI\Microsoft\Boot\CiPolicies\Active -3. Reboot the system. - -## Script-based deployment process for Windows 10 versions earlier than 1903 +## Deploying policies for Windows 10 versions earlier than 1903 1. Initialize the variables to be used by the script. 
@@ -91,3 +77,25 @@ mkdir J:\EFI\Microsoft\Boot\CiPolicies\Active ```powershell Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = $DestinationBinary} ``` + +## Deploying signed policies + +In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. + +1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: + + ```powershell + $MountPoint = 'C:\EFI' + $EFIDestinationFolder = "$MountPoint\Microsoft\Boot\CiPolicies\Active" + $EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0] + mkdir $EFIDestinationFolder + mountvol $MountPoint $EFIPartition + ``` + +2. Copy the signed policy to the created folder: + + ```powershell + Copy-Item -Path $PolicyBinary -Destination $EFIDestinationFolder -Force + ``` + +3. Restart the system. diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md index ad706276ac..6fa1b84ec0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md @@ -15,7 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/03/2018 -ms.technology: mde +ms.technology: windows-sec --- # Disable Windows Defender Application Control policies 
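Review bot: In the added `## Deploying signed policies` steps (the `-91,3 +77,25` hunk of deploy-wdac-policies-with-script.md), `$EFIDestinationFolder` is built as `"$MountPoint\Microsoft\Boot\CiPolicies\Active"`, which drops the `EFI` directory the removed text used (`J:\EFI\Microsoft\Boot\CiPolicies\Active`), so the signed policy would land in a different folder on the EFI partition than the old procedure targeted. `mkdir $EFIDestinationFolder` also runs before `mountvol`, so the tree is created on `C:` and the mount point is no longer an empty directory, which I would expect `mountvol` to reject. I would create the empty mount point, mount the partition, create the folder on the mounted volume, and remove the mount point after the copy so the EFI partition does not stay writable through `C:\EFI`. `$PolicyBinary` is defined outside this hunk; the removed step required the file to be named `{PolicyGUID}.cip`, so it is worth confirming that the variable already carries that name.

```powershell
$EFIDestinationFolder = "$MountPoint\EFI\Microsoft\Boot\CiPolicies\Active"
# … unchanged: $MountPoint and $EFIPartition assignments …
if (-not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -ItemType Directory | Out-Null }
mountvol $MountPoint $EFIPartition
if (-not (Test-Path $EFIDestinationFolder)) { New-Item -Path $EFIDestinationFolder -ItemType Directory -Force | Out-Null }
# … unchanged: Copy-Item of the signed policy …
mountvol $MountPoint /D
```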
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This topic covers how to disable unsigned or signed WDAC policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md index 5dd1fd73f9..e3969dba90 100644 --- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md @@ -11,7 +11,7 @@ ms.author: jogeurte ms.manager: jsuther manager: dansimp ms.date: 04/22/2021 -ms.technology: mde +ms.technology: windows-sec ms.topic: article ms.localizationpriority: medium --- 
@@ -25,7 +25,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). You should now have one or more WDAC policies broadly deployed in audit mode. You have analyzed events collected from the devices with those policies and you're ready to enforce. Use this procedure to prepare and deploy your WDAC policies in enforcement mode. diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index a87cd17fec..9acce652d1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -15,7 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 06/02/2021 -ms.technology: mde +ms.technology: windows-sec --- # Understanding Application Control events diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md index f5d7d82e37..e78284ae26 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md 
@@ -15,7 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 07/13/2021 -ms.technology: mde +ms.technology: windows-sec --- # Understanding Application Control event tags diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md index 4e249a4f50..93c7ae9224 100644 --- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md @@ -16,7 +16,7 @@ ms.reviewer: jogeurte ms.author: dansimp manager: dansimp ms.date: 11/15/2019 -ms.technology: mde +ms.technology: windows-sec --- # Windows Defender Application Control (WDAC) example base policies @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). When creating policies for use with Windows Defender Application Control (WDAC), start from an existing base policy and then add or remove rules to build your own custom policy. Windows includes several example policies that can be used, or organizations that use the Device Guard Signing Service can download a starter policy from that service. diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md index 8e813e308b..21ff82c26f 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md +++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md @@ -16,7 +16,7 @@ ms.author: deniseb manager: dansimp ms.date: 07/29/2021 ms.custom: asr -ms.technology: mde +ms.technology: windows-sec --- # Windows Defender Application Control and AppLocker feature availability diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml new file mode 100644 index 0000000000..ef5892459f --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/index.yml 
@@ -0,0 +1,117 @@ +### YamlMime:Landing + +title: Application Control for Windows +metadata: + title: Application Control for Windows + description: Landing page for Windows Defender Application Control +# services: service +# ms.service: microsoft-WDAC-AppLocker +# ms.subservice: Application-Control +# ms.topic: landing-page +# author: Kim Klein +# ms.author: Jordan Geurten +# manager: Jeffrey Sutherland +# ms.update: 04/30/2021 +# linkListType: overview | how-to-guide | tutorial | video +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card + - title: Learn about Application Control + linkLists: + - linkListType: overview + links: + - text: What is Windows Defender Application Control (WDAC)? + url: wdac-and-applocker-overview.md + - text: What is AppLocker? + url: applocker\applocker-overview.md + - text: WDAC and AppLocker feature availability + url: feature-availability.md + # Card + - title: Learn about Policy Design + linkLists: + - linkListType: overview + links: + - text: Using code signing to simplify application control + url: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md + - text: Microsoft's Recommended Blocklist + url: microsoft-recommended-block-rules.md + - text: Microsoft's Recommended Driver Blocklist + url: microsoft-recommended-driver-block-rules.md + - text: Example WDAC policies + url: example-wdac-base-policies.md + - text: LOB Win32 apps on S Mode + url: LOB-win32-apps-on-s.md + - text: Managing multiple policies + url: deploy-multiple-windows-defender-application-control-policies.md + - linkListType: how-to-guide + links: + - text: Create a WDAC policy for a lightly managed device + url: create-wdac-policy-for-lightly-managed-devices.md + - text: Create a WDAC policy for a fully managed device + url: create-wdac-policy-for-fully-managed-devices.md + - text: Create a WDAC policy for a fixed-workload + url: 
create-initial-default-policy.md + - text: Deploying catalog files for WDAC management + url: deploy-catalog-files-to-support-windows-defender-application-control.md + - text: Using the WDAC Wizard + url: wdac-wizard.md + #- linkListType: Tutorial (videos) + # links: + # - text: Using the WDAC Wizard + # url: video md + # - text: Specifying custom values + # url: video md + # Card + - title: Learn about Policy Configuration + linkLists: + - linkListType: overview + links: + - text: Understanding policy and file rules + url: select-types-of-rules-to-create.md + - linkListType: how-to-guide + links: + - text: Allow managed installer and configure managed installer rules + url: configure-authorized-apps-deployed-with-a-managed-installer.md + - text: Allow reputable apps with ISG + url: use-windows-defender-application-control-with-intelligent-security-graph.md + - text: Managed MSIX and Appx Packaged Apps + url: manage-packaged-apps-with-windows-defender-application-control.md + - text: Allow com object registration + url: allow-com-object-registration-in-windows-defender-application-control-policy.md + - text: Manage plug-ins, add-ins and modules + url: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md + # Card + - title: Learn how to deploy WDAC Policies + linkLists: + - linkListType: overview + links: + - text: Using signed policies to protect against tampering + url: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md + - text: Audit and enforce policies + url: audit-and-enforce-windows-defender-application-control-policies.md + - text: Disabling WDAC policies + url: disable-windows-defender-application-control-policies.md + - linkListType: tutorial + links: + - text: Deployment with MDM + url: deploy-windows-defender-application-control-policies-using-intune.md + - text: Deployment with MEMCM + url: deployment/deploy-wdac-policies-with-memcm.md + - text: Deployment with script 
and refresh policy + url: deployment/deploy-wdac-policies-with-script.md + - text: Deployment with Group Policy + url: deploy-windows-defender-application-control-policies-using-group-policy.md + # Card + - title: Learn how to monitor WDAC events + linkLists: + - linkListType: overview + links: + - text: Understanding event IDs + url: event-id-explanations.md + - text: Understanding event Tags + url: event-tag-explanations.md + - linkListType: how-to-guide + links: + - text: Querying events using advanced hunting + url: querying-application-control-events-centrally-using-advanced-hunting.md \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md index 2d0ccf9451..8a26cf9a33 100644 --- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md @@ -15,7 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/29/2020 -ms.technology: mde +ms.technology: windows-sec --- # Manage Packaged Apps with Windows Defender Application Control 
@@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This topic for IT professionals describes concepts and lists procedures to help you manage packaged apps with Windows Defender Application Control (WDAC) as part of your overall application control strategy. diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md index f2561cb90c..4bb130103f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md @@ -11,7 +11,7 @@ ms.author: jogeurte ms.manager: jsuther manager: dansimp ms.date: 04/22/2021 -ms.technology: mde +ms.technology: windows-sec ms.topic: article ms.localizationpriority: medium --- 
@@ -25,7 +25,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This article shows how to merge multiple policy XML files together and how to merge rules directly into a policy. WDAC deployments often include a few base policies and optional supplemental policies for specific use cases. diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 0365837d1b..71779ec0d3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -4,7 +4,7 @@ description: View a list of recommended block rules, based on knowledge shared b keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security -ms.technology: mde +ms.technology: windows-sec ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
@@ -27,7 +27,7 @@ ms.date: 08/23/2021 - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control. @@ -89,6 +89,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you | `Brock Mammen`| | | `Casey Smith` | `@subTee` | | `Jimmy Bayne` | `@bohops` | +| `Kim Oppalfens` | `@thewmiguy` | | `Lasse Trolle Borup` | `Langkjaer Cyber Defence` | | `Lee Christensen` | `@tifkin_` | | `Matt Graeber` | `@mattifestation` | @@ -151,7 +152,7 @@ Select the correct version of each .dll for the Windows release you plan to supp - + @@ -164,6 +165,7 @@ Select the correct version of each .dll for the Windows release you plan to supp + @@ -181,7 +183,7 @@ Select the correct version of each .dll for the Windows release you plan to supp - + @@ -905,6 +907,7 @@ Select the correct version of each .dll for the Windows release you plan to supp + diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 56ff102873..608da5aa98 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md 
@@ -26,29 +26,34 @@ ms.date: - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices: +Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're quickly patched and rolled out to the ecosystem. 
Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices: - Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10 in S mode (S mode) devices -Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. +The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes: -> [!Note] -> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It's recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. +- Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel +- Malicious behaviors (malware) or certificates used to sign malware +- Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel + +Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). 
To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article. + +Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. ```xml - 10.0.19565.0 + 10.0.22493.0 {D2BDA982-CCF6-4344-AC5B-0B44427B6816} {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} - + @@ -59,6 +64,46 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -128,40 +173,161 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -174,22 +340,27 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - + + + + + + + + + - + - + - + - - + @@ -225,7 +396,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + 
@@ -247,17 +418,34 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + + + + + + + + + - + @@ -288,6 +476,50 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -303,11 +535,13 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - + + + + @@ -315,118 +549,288 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - @@ -441,7 +845,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - 10.0.19565.0 + 10.0.22493.0 diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md index 3cd76bde2b..a54661c0b2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md 
@@ -11,7 +11,7 @@ ms.author: jogeurte
 ms.manager: jsuther
 manager: dansimp
 ms.date: 04/14/2021
-ms.technology: mde
+ms.technology: windows-sec
 ms.topic: article
 ms.localizationpriority: medium
 ---
@@ -26,7 +26,7 @@ ms.localizationpriority: medium
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 This topic covers tips and tricks for admins as well as known issues with WDAC. Test this configuration in your lab before enabling it in production.
@@ -40,12 +40,12 @@ In some cases, the code integrity logs where WDAC errors and warnings are writte
 Installing .msi files directly from the internet to a computer protected by WDAC will fail. For example, this command will not work:
-```code
+```console
 msiexec –i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi
 ```
 As a workaround, download the MSI file and run it locally:
-```code
+```console
 msiexec –i c:\temp\Windows10_Version_1511_ADMX.msi
 ```
diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
index 34df65fdf9..22ff2acf4f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
@@ -15,7 +15,7 @@ ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
 ms.date: 02/21/2018
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Plan for Windows Defender Application Control lifecycle policy management
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 This topic describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
index 134acc8d1f..f5f01d8caa 100644
--- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
+++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
@@ -15,7 +15,7 @@ ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
 ms.date: 12/06/2018
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Querying Application Control events centrally using Advanced hunting
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index ebd5c64dd6..e5bf200d59 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -15,7 +15,7 @@ ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
 ms.date: 07/15/2021
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Understand Windows Defender Application Control (WDAC) policy rules and file rules
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 Windows Defender Application Control (WDAC) can control what runs on Windows 10 and Windows 11, by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted.
diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
index a4f3db57bd..da525f4cf5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
@@ -15,7 +15,7 @@ ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
 ms.date: 03/01/2018
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Windows Defender Application Control deployment in different scenarios: types of devices
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It is common for organizations to have device use cases across each of the categories described.
diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
index b88bf43f44..4ea10512bd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
@@ -15,7 +15,7 @@ author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 ms.date: 02/08/2018
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Understand Windows Defender Application Control policy design decisions
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 This topic is for the IT professional. It lists the design questions, possible answers, and ramifications for decisions made, when planning application control policies deployment using Windows Defender Application Control (WDAC), within a Windows operating system environment.
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
index dae8561c9b..2f34416393 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
@@ -15,7 +15,7 @@ ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
 ms.date: 05/03/2018
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Use code signing to simplify application control for classic Windows applications
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 This topic covers guidelines for using code signing control classic Windows apps.
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
index 73f07b3405..7311563492 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
@@ -15,7 +15,7 @@ author: jsuther1974
 ms.reviewer: isbrahm
 manager: dansimp
 ms.date: 02/19/2019
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 You can sign code integrity policies with the Device Guard signing portal to prevent them from being tampered with after they're deployed.
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index 11d3f0df1e..578058661d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -15,7 +15,7 @@ ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
 ms.date: 05/03/2018
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Use signed policies to protect Windows Defender Application Control against tampering
@@ -27,16 +27,16 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -Signed WDAC policies give organizations the highest level of malware protection available in Windows. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies. +Signed WDAC policies give organizations the highest level of malware protection available in Windows—must be signed with [PKCS #7](https://datatracker.ietf.org/doc/html/rfc5652). In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies. -Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. 
+Before you sign with PKCS #7 and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA. -Before signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md). +Before PKCS #7-signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md). 
To sign a WDAC policy with SignTool.exe, you need the following components: @@ -46,6 +46,9 @@ To sign a WDAC policy with SignTool.exe, you need the following components: - An internal CA code signing certificate or a purchased code signing certificate +> [!NOTE] +> All policies (base and supplemental and single-policy format) must be pkcs7 signed. [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652) + If you do not have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session: 1. Initialize the variables that will be used: 
@@ -93,17 +96,16 @@ If you do not have a code signing certificate, see [Optional: Create a code sign ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin ``` -8. Sign the WDAC policy by using SignTool.exe: +8. Sign ([PKCS #7](https://datatracker.ietf.org/doc/html/rfc5652)) the WDAC policy by using SignTool.exe: ```powershell sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin ``` - + > [!NOTE] > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. 9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). - > [!NOTE] > The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md index 22a1c3c03a..e00de62409 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
@@ -15,7 +15,7 @@ ms.collection: M365-security-compliance
 author: jsuther1974
 ms.reviewer: isbrahm
 ms.date: 08/12/2021
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 As of Windows 10, version 1703, you can use WDAC policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser):
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
index f1f66a910c..b1ace98992 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
@@ -14,8 +14,8 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 08/20/2018 -ms.technology: mde +ms.date: 09/23/2021 +ms.technology: windows-sec --- # Windows Defender Application Control and .NET hardening @@ -31,10 +31,12 @@ Dynamic Code Security is not enabled by default because existing policies may no Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, are not currently supported with Dynamic Code Security enabled. Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy. +Additionally, customers can precompile for deployment only to prevent an allowed executable from being terminated because it tries to load unsigned dynamically generated code. See the "Precompiling for Deployment Only" section in the [ASP.NET Precompilation Overview](/aspnet/web-forms/overview/older-versions-getting-started/deploying-web-site-projects/precompiling-your-website-cs) document for how to fix that. + To enable Dynamic Code Security, add the following option to the `` section of your policy: ```xml -``` +``` \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 22c3b5e232..36aa766318 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md 
@@ -15,7 +15,7 @@ ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
 ms.date: 07/15/2021
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Authorize reputable apps with the Intelligent Security Graph (ISG)
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 Application control can be difficult to implement in organizations that don't deploy and manage applications through an IT-managed system. In such environments, users can acquire the applications they want to use for work, making it hard to build an effective application control policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
index e8557445d0..bdb1f032a7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
@@ -16,7 +16,7 @@ ms.author: deniseb
 manager: dansimp
 ms.date: 09/30/2020
 ms.custom: asr
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Windows Defender Application Control and AppLocker Overview
@@ -28,7 +28,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 Windows 10 and Windows 11 include two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
index b0f068d8b7..4112532232 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
@@ -16,7 +16,7 @@ ms.author: dansimp
 manager: dansimp
 ms.topic: conceptual
 ms.date: 10/14/2020
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Creating a new Base Policy with the Wizard
@@ -28,7 +28,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 When creating policies for use with Windows Defender Application Control (WDAC), it is recommended to start with a template policy and then add or remove rules to suit your application control scenario. For this reason, the WDAC Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a new application control policy from a template, configure the policy options, and the signer and file rules.
@@ -66,7 +66,7 @@ A description of each policy rule, beginning with the left-most column, is provi | **Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. | | **Disable Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 is not supported and may have unintended results. | |**[Hypervisor-protected code integrity (HVCI)](../device-guard/enable-virtualization-based-protection-of-code-integrity.md)**| When enabled, policy enforcement uses virtualization-based security to run the code integrity service inside a secure environment. HVCI provides stronger protections against kernel malware.| -| **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | +| **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by the Microsoft Intelligent Security Graph (ISG). | | **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. | | **Require WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows–compatible driver must be WHQL certified. 
| | **Update Policy without Rebooting** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. | @@ -84,7 +84,7 @@ Selecting the **+ Advanced Options** label will show another column of policy ru |------------ | ----------- | | **Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | | **Disable Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flight/preview-signed builds. | -| **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. | +| **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that's only writable by an administrator) for any FileRule that allows a file based on FilePath. | | **Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries (DLLs). | | **Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.| | **Require EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later, or Windows 11 drivers will meet this requirement. | 
@@ -132,13 +132,12 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c ### File Hash Rules -Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard will use file hash as the fallback in case a file rule cannot be created using the specified file rule level. +Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause additional administrative overhead to maintain the current product version's hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard will use file hash as the fallback in case a file rule cannot be created using the specified file rule level. - -#### Deleting Signing Rules +#### Deleting Signing Rules The policy signing rules list table on the left of the page will document the allow and deny rules in the template, as well as any custom rules you create. Template signing rules and custom rules can be deleted from the policy by selecting the rule from the rules list table. Once the rule is highlighted, press the delete button underneath the table. you will be prompted for additional confirmation. Select `Yes` to remove the rule from the policy and the rules table. ## Up next -- [Editing a WDAC policy using the Wizard](wdac-wizard-editing-policy.md) \ No newline at end of file +- [Editing a WDAC policy using the Wizard](wdac-wizard-editing-policy.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md index f11d86f9a7..c2b91d7090 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
@@ -16,7 +16,7 @@ ms.author: dansimp
 manager: dansimp
 ms.topic: conceptual
 ms.date: 10/14/2020
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Creating a new Supplemental Policy with the Wizard
@@ -28,7 +28,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 Beginning in Windows 10 version 1903, WDAC supports the creation of multiple active policies on a device. One or more supplemental policies allow customers to expand a [WDAC base policy](wdac-wizard-create-base-policy.md) to increase the circle of trust of the policy. A supplemental policy can expand only one base policy, but multiple supplementals can expand the same base policy. When using supplemental policies, applications allowed by the base or its supplemental policy/policies will be allowed to execute.
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md
index d696659c2a..10105e0039 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md
@@ -16,7 +16,7 @@ ms.author: dansimp manager: dansimp ms.topic: conceptual ms.date: 10/14/2020 -ms.technology: mde +ms.technology: windows-sec --- # Editing existing base and supplemental WDAC policies with the Wizard @@ -28,13 +28,13 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). The WDAC Wizard makes editing and viewing WDAC policies easier than the PowerShell cmdlets or manually. The Wizard currently supports the following editing capabilities:

                  ## Configuring Policy Rules diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md index 66ad01329f..4c286095a7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md @@ -16,7 +16,7 @@ ms.author: dansimp manager: dansimp ms.topic: conceptual ms.date: 10/14/2020 -ms.technology: mde +ms.technology: windows-sec --- # Merging existing policies with the WDAC Wizard diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md index 4cdeb72f21..8024e0f03b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md @@ -16,7 +16,7 @@ ms.author: dansimp manager: dansimp ms.topic: conceptual ms.date: 10/14/2020 -ms.technology: mde +ms.technology: windows-sec --- # Windows Defender Application Control Wizard 
@@ -28,7 +28,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 The Windows Defender Application Control (WDAC) policy Wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. The Wizard was built to provide security architects with security, and system administrators with a more user-friendly means to create, edit, and merge WDAC policies. The Wizard desktop application uses the [ConfigCI PowerShell Cmdlets](/powershell/module/configci) in the backend so the output policy of the Wizard and PowerShell cmdlets is identical.
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
index 40512b4dda..a247be4297 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
@@ -15,7 +15,7 @@ ms.reviewer: jogeurte
 ms.author: dansimp
 manager: dansimp
 ms.date: 05/16/2018
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Deploying Windows Defender Application Control (WDAC) policies
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 You should now have one or more WDAC policies ready to deploy. If you haven't yet completed the steps described in the [WDAC Design Guide](windows-defender-application-control-design-guide.md), do so now before proceeding.
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
index 13a6120369..469562b0c4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
@@ -16,7 +16,7 @@ ms.author: dansimp
 manager: dansimp
 ms.topic: conceptual
 ms.date: 02/20/2018
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Windows Defender Application Control design guide
@@ -28,7 +28,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 This guide covers design and planning for Windows Defender Application Control (WDAC). It is intended to help security architects, security administrators, and system administrators create a plan that addresses specific application control requirements for different departments or business groups within an organization.
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
index 31c5d1fe8e..00ab146f0a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
@@ -15,7 +15,7 @@ ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
 ms.date: 03/16/2020
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Windows Defender Application Control operational guide
@@ -27,7 +27,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender for Endpoint Advanced Hunting feature.
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index abe51d1188..4e7a69a494 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -16,7 +16,7 @@ ms.author: deniseb
 manager: dansimp
 ms.date: 05/26/2020
 ms.custom: asr
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Application Control for Windows
@@ -28,7 +28,7 @@ ms.technology: mde
 - Windows Server 2016 and above
 > [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks.
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
index ed1a7fe460..203ac733d5 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
@@ -10,10 +10,10 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
-ms.date: 04/30/2018
+ms.date:
 ms.reviewer:
 manager: dansimp
-ms.technology: mde
+ms.technology: windows-sec
 ---
@@ -21,36 +21,36 @@ ms.technology: mde **Applies to** -- Windows 10, version 1803 and later +- Windows 10 +- Windows 11 - -The **Account protection** section contains information and settings for account protection and sign in. IT administrators and IT pros can get more information and documentation about configuration from the following: +The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list: - [Microsoft Account](https://account.microsoft.com/account/faq) - [Windows Hello for Business](../../identity-protection/hello-for-business/hello-identity-verification.md) - [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from) -You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. +You can also choose to hide the section from users of the device. This is useful if you don't want your employees to access or view user-configured options for these features. ## Hide the Account protection section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. -This can only be done in Group Policy. +You can only configure these settings by using Group Policy. >[!IMPORTANT] >### Requirements > >You must have Windows 10, version 1803 or later. 
The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**. 5. Expand the tree to **Windows components > Windows Security > Account protection**. -6. Open the **Hide the Account protection area** setting and set it to **Enabled**. Click **OK**. +6. Open the **Hide the Account protection area** setting and set it to **Enabled**. Select **OK**. 7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md index 544e90142e..d9747dc21d 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md 
@@ -11,17 +11,18 @@ ms.localizationpriority: medium audience: ITPro author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # App and browser control **Applies to** -- Windows 10, version 1703 and later +- Windows 10 +- Windows 11 The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview). @@ -36,14 +37,11 @@ You can prevent users from modifying settings in the Exploit protection area. Th You can only prevent users from modifying Exploit protection settings by using Group Policy. > [!IMPORTANT] -> -> ### Requirements -> > You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**. 3. Expand the tree to **Windows components > Windows Security > App and browser protection**. 
@@ -58,14 +56,11 @@ You can choose to hide the entire section by using Group Policy. The section wil This can only be done in Group Policy. > [!IMPORTANT] -> -> ### Requirements -> -> You must have Windows 10, version 1709 (the Fall Creators Update). The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**. 3. Expand the tree to **Windows components > Windows Security > App and browser protection**. @@ -76,4 +71,4 @@ This can only be done in Group Policy. > [!NOTE] > If you hide all sections then the app will show a restricted interface, as in the following screenshot: > -> ![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) \ No newline at end of file +> ![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md index 33a2c7d531..ab24b47475 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md 
@@ -10,29 +10,22 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 09/13/2021 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Customize the Windows Security app for your organization **Applies to** -- Windows 10, version 1709 and later - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy +- Windows 10 +- Windows 11 You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support. -![The security center custom fly-out.](images/security-center-custom-flyout.png) +![The Windows Security custom fly-out.](images/security-center-custom-flyout.png) This information will also be shown in some enterprise-specific notifications (including notifications for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md index 13fce0f2d5..3672d5c25a 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md @@ -10,10 +10,10 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- 
@@ -21,7 +21,8 @@ ms.technology: mde **Applies to** -- Windows 10, version 1703 and later +- Windows 10 +- Windows 11 The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md index f4d3053cd9..8526440bc9 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md @@ -10,17 +10,18 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 10/02/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Device security **Applies to** -- Windows 10, version 1803 and later +- Windows 10 +- Windows 11 The **Device security** section contains information and settings for built-in device security. 
@@ -28,7 +29,7 @@ You can choose to hide the section from users of the machine. This can be useful ## Hide the Device security section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. This can only be done in Group Policy. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md index 274c66bd66..a9e4a148c5 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md @@ -10,10 +10,10 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- @@ -21,8 +21,8 @@ ms.technology: mde **Applies to** -- Windows 10, version 1703 and later - +- Windows 10 +- Windows 11 The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It is not generally intended for enterprise or business environments. 
@@ -33,7 +33,7 @@ In Windows 10, version 1709, the section can be hidden from users of the machine ## Hide the Family options section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. This can only be done in Group Policy. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md index 3a14dc7c26..924bcd1150 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md @@ -9,10 +9,10 @@ ms.sitesec: library ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- @@ -20,8 +20,8 @@ ms.technology: mde **Applies to** -- Windows 10, version 1703 and later - +- Windows 10 +- Windows 11 The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../windows-firewall/windows-firewall-with-advanced-security.md). 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 0a1389c07b..a58b61c3b1 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -10,25 +10,18 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 07/23/2020 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Hide Windows Security app notifications **Applies to** -- Windows 10, version 1809 and above - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy +- Windows 10 +- Windows 11 The Windows Security app is used by a number of Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md index 87960171d1..2d43e965ba 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md 
@@ -12,16 +12,15 @@ author: dansimp ms.author: dansimp ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- - # Virus and threat protection **Applies to** -- Windows 10, version 1703 and later - +- Windows 10 +- Windows 11 The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md index 30cc06c3d0..2b298178cb 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md @@ -13,7 +13,7 @@ ms.author: dansimp ms.date: 04/30/2018 ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Manage Windows Security in Windows 10 in S mode 
@@ -22,19 +22,11 @@ ms.technology: mde - Windows 10 in S mode, version 1803 -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Microsoft Intune - Windows 10 in S mode is streamlined for tighter security and superior performance. With Windows 10 in S mode, users can only use apps from the Microsoft Store, ensuring Microsoft-verified security so you can minimize malware attacks. In addition, using Microsoft Edge provides a more secure browser experience, with extra protections against phishing and malicious software. The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically. -![Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode.](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png) +:::image type="content" alt-text="Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode." source="images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png"::: For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode). diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index cb27db7bfd..2f22a993dd 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md 
@@ -11,14 +11,15 @@ author: dansimp ms.author: dansimp ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # The Windows Security app **Applies to** -- Windows 10, version 1703 and later +- Windows 10 +- Windows 11 This library describes the Windows Security app, and provides information on configuring certain features, including: 
@@ -77,16 +78,16 @@ You can find more information about each section, including options for configur > [!IMPORTANT] > Microsoft Defender Antivirus and the Windows Security app use similarly named services for specific purposes. > -> The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](/previous-versions/windows/it-pro/windows-xp/bb457154(v=technet.10)#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. +> The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Service*), which in turn utilizes the Windows Security Center Service ([*wscsvc*](/previous-versions/windows/it-pro/windows-xp/bb457154(v=technet.10)#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. > >These services do not affect the state of Microsoft Defender Antivirus. Disabling or modifying these services will not disable Microsoft Defender Antivirus, and will lead to a lowered protection state on the endpoint, even if you are using a third-party antivirus product. > >Microsoft Defender Antivirus will be [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). > -> Disabling the Windows Security Center service will not disable Microsoft Defender Antivirus or [Windows Defender Firewall](/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). 
+> Disabling the Windows Security Center Service will not disable Microsoft Defender Antivirus or [Windows Defender Firewall](/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). > [!WARNING] -> If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. +> If you disable the Windows Security Center Service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. > > It may also prevent Microsoft Defender Antivirus from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. > diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md index 848345ef8b..128243e87c 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md +++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md @@ -13,7 +13,7 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.date: 03/01/2019 -ms.technology: mde +ms.technology: windows-sec --- 
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index 55321967df..c73336b070 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md @@ -12,7 +12,7 @@ ms.date: 07/01/2021 ms.reviewer: manager: dansimp ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # System Guard Secure Launch and SMM protection @@ -25,7 +25,7 @@ You can enable System Guard Secure Launch by using any of these options: - [Mobile Device Management (MDM)](#mobile-device-management) - [Group Policy](#group-policy) -- [Windows Security Center](#windows-security-center) +- [Windows Security app](#windows-security-app) - [Registry](#registry) ### Mobile Device Management @@ -34,17 +34,17 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM) ### Group Policy -1. Click **Start** > type and then click **Edit group policy**. +1. Click **Start** > type and then click **Edit group policy**. 2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**. ![Secure Launch Configuration.](images/secure-launch-group-policy.png) -### Windows Security Center +### Windows Security app Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**. - ![Windows Security Center.](images/secure-launch-security-app.png) + ![Windows Security app.](images/secure-launch-security-app.png) ### Registry 
@@ -54,7 +54,7 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** > 3. Right-click **Scenarios** > **New** > **Key** and name the new key **SystemGuard**. -4. Right-click **SystemGuard** > **New** > **DWORD (32-bit) Value** and name the new DWORD **Enabled**. +4. Right-click **SystemGuard** > **New** > **DWORD (32-bit) Value** and name the new DWORD **Enabled**. 5. Double-click **Enabled**, change the value to **1**, and click **OK**. @@ -64,7 +64,7 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** > To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**. -![Verifying Secure Launch is running in the Windows Security Center.](images/secure-launch-msinfo.png) +![Verifying Secure Launch is running in the Windows Security app.](images/secure-launch-msinfo.png) > [!NOTE] > To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs). diff --git a/windows/security/threat-protection/windows-firewall/TOC.yml b/windows/security/threat-protection/windows-firewall/TOC.yml index efaa07fa4e..ca84e461a5 100644 --- a/windows/security/threat-protection/windows-firewall/TOC.yml +++ b/windows/security/threat-protection/windows-firewall/TOC.yml @@ -250,3 +250,5 @@ href: quarantine.md - name: Firewall settings lost on upgrade href: firewall-settings-lost-on-upgrade.md +- name: Windows security + href: /windows/security/ 
diff --git a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md index 9995f497a4..0ffe9699ca 100644 --- a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md +++ b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md @@ -1,5 +1,5 @@ --- -title: Add Production Devices to the Membership Group for a Zone (Windows 10) +title: Add Production Devices to the Membership Group for a Zone (Windows) description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group. ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Add Production Devices to the Membership Group for a Zone **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices. diff --git a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md index 30d809e60c..e3a45c598a 100644 --- a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md +++ b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md 
@@ -1,5 +1,5 @@ --- -title: Add Test Devices to the Membership Group for a Zone (Windows 10) +title: Add Test Devices to the Membership Group for a Zone (Windows) description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected. ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Add Test Devices to the Membership Group for a Zone **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of devices only to be sure that the correct GPOs are being processed by each device. diff --git a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md index 0345da06fe..1a7d5dd07e 100644 --- a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md +++ b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md 
@@ -1,5 +1,5 @@ --- -title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows 10) +title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows) description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO). ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Appendix A: Sample GPO Template Files for Settings Used in this Guide **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). diff --git a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md index 08a9798526..221490f2e9 100644 --- a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md +++ b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md @@ -1,5 +1,5 @@ --- -title: Assign Security Group Filters to the GPO (Windows 10) +title: Assign Security Group Filters to the GPO (Windows) description: Learn how to use Group Policy Management MMC to assign security group filters to a GPO to make sure that the GPO is applied to the correct computers. ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8 ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/02/2019 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Assign Security Group Filters to the GPO **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO. diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md index 76378c3a0f..2523d0ce01 100644 --- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md @@ -1,5 +1,5 @@ --- -title: Basic Firewall Policy Design (Windows 10) +title: Basic Firewall Policy Design (Windows) description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design. ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418 ms.reviewer: @@ -14,14 +14,15 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.technology: mde +ms.technology: windows-sec --- # Basic Firewall Policy Design **Applies to** -- Windows 10 -- Windows Server 2016 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization. 
@@ -37,7 +38,7 @@ Many network administrators do not want to tackle the difficult task of determin For example, when you install a server role, the appropriate firewall rules are created and enabled automatically. -- For other standard network behavior, the predefined rules that are built into Windows 10, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, and Windows 7 can easily be configured in a GPO and deployed to the devices in your organization. +- For other standard network behavior, the predefined rules that are built into Windows 11, Windows 10, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, and Windows 7 can easily be configured in a GPO and deployed to the devices in your organization. For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols. diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md index 5819f886fd..aa02076a04 100644 --- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md +++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md @@ -13,16 +13,17 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.technology: mde +ms.technology: windows-sec --- # Best practices for configuring Windows Defender Firewall **Applies to** -- Windows operating systems including Windows 10 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above -- Windows Server Operating Systems Windows Defender Firewall with Advanced Security provides host-based, two-way network traffic filtering and blocks unauthorized network traffic flowing into 
diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md index 50e2f66e16..e867dc86b4 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md @@ -1,5 +1,5 @@ --- -title: Boundary Zone GPOs (Windows 10) +title: Boundary Zone GPOs (Windows) description: Learn about GPOs to create that must align with the group you create for the boundary zone in Windows Defender Firewall with Advanced Security. ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Boundary Zone GPOs **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section. diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md index 37d7edb647..11c757ec1c 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md @@ -1,5 +1,5 @@ --- -title: Boundary Zone (Windows 10) +title: Boundary Zone (Windows) description: Learn how a boundary zone supports devices that must receive traffic from beyond an isolated domain in Windows Defender Firewall with Advanced Security. ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20 ms.reviewer: 
@@ -14,23 +14,24 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Boundary Zone **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above -In most organizations, some devices must be able to receive network traffic from devices that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain. +In most organizations, some devices can receive network traffic from devices that aren't part of the isolated domain, and therefore can't authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain. Devices in the boundary zone are trusted devices that can accept communication requests both from other isolated domain member devices and from untrusted devices. Boundary zone devices try to authenticate any incoming request by using IPsec, initiating an IKE negotiation with the originating device. -The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but do not require it. +The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but don't require it. -Because these boundary zone devices can receive unsolicited inbound communications from untrusted devices that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone can help ensure that the additional risk is minimized. 
The following illustration shows a sample process that can help make such a decision. +These boundary zone devices might receive unsolicited inbound communications from untrusted devices that use plaintext and must be carefully managed and secured in other ways. Mitigating this extra risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone minimizes the additional risk. The following illustration shows a sample process that can help make such a decision. ![design flowchart.](images/wfas-designflowchart1.gif) @@ -38,7 +39,7 @@ The goal of this process is to determine whether the risk of adding a device to You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically very similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain. -Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. + [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section discusses creation of the group and how to link it to the GPOs that apply the rules to members of the group. ## GPO settings for boundary zone servers running at least Windows Server 2008 
@@ -49,13 +50,13 @@ The boundary zone GPO for devices running at least Windows Server 2008 should i 1. Exempt all ICMP traffic from IPsec. - 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems. + 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES, and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems. - 3. Data protection (quick mode) algorithm combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.. + 3. Data protection (quick mode) algorithm combinations. We recommend that you don't include DES or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies. - 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5, you must include certificate-based authentication as an optional authentication method. + 4. Authentication methods. Include at least device-based Kerberos V5 authentication. 
If you want to use user-based access to isolated servers, then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members can't use Kerberos V5, you must include certificate-based authentication as an optional authentication method. - The following connection security rules: diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md index 1b369d6c5e..2904f65cb4 100644 --- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md @@ -1,5 +1,5 @@ --- -title: Certificate-based Isolation Policy Design Example (Windows 10) +title: Certificate-based Isolation Policy Design Example (Windows) description: This example uses a fictitious company to illustrate certificate-based isolation policy design in Windows Defender Firewall with Advanced Security. ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Certificate-based Isolation Policy Design Example **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). 
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md index 7c427d50e7..f134b8f1db 100644 --- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md @@ -1,5 +1,5 @@ --- -title: Certificate-based Isolation Policy Design (Windows 10) +title: Certificate-based Isolation Policy Design (Windows) description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design. ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Certificate-based isolation policy design **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic. diff --git a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md index cbea6cabc0..fe2aeb49e8 100644 --- a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md 
+++ b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md @@ -1,5 +1,5 @@ --- -title: Change Rules from Request to Require Mode (Windows 10) +title: Change Rules from Request to Require Mode (Windows) description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices. ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Change Rules from Request to Require Mode **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that are not part of the isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md index a3164b6f45..18558ef571 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md 
@@ -1,5 +1,5 @@ --- -title: Checklist Configuring Basic Firewall Settings (Windows 10) +title: Checklist Configuring Basic Firewall Settings (Windows) description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall. ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Checklist: Configuring Basic Firewall Settings **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md index 2ecb358ade..296c1e7556 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md @@ -1,5 +1,5 @@ --- -title: Checklist Configuring Rules for an Isolated Server Zone (Windows 10) +title: Checklist Configuring Rules for an Isolated Server Zone (Windows) description: Use these tasks to configure connection security rules and IPsec settings in GPOs for servers in an isolated server zone that are part of an isolated domain. ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Checklist: Configuring Rules for an Isolated Server Zone **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md index c07a12c977..4c9332aa61 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md @@ -1,5 +1,5 @@ --- -title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows 10) +title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows) description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955 ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md index e10ef7fc18..4fa942aac8 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md @@ -1,5 +1,5 @@ --- -title: Checklist Configuring Rules for the Boundary Zone (Windows 10) +title: Checklist Configuring Rules for the Boundary Zone (Windows) description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Checklist: Configuring Rules for the Boundary Zone **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md index 180c4f2168..f543b9606f 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md @@ -1,5 +1,5 @@ --- -title: Checklist Configuring Rules for the Encryption Zone (Windows 10) +title: Checklist Configuring Rules for the Encryption Zone (Windows) description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Checklist: Configuring Rules for the Encryption Zone **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. 
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md index 2bccefd09c..e5e7186579 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md @@ -1,5 +1,5 @@ --- -title: Checklist Configuring Rules for the Isolated Domain (Windows 10) +title: Checklist Configuring Rules for the Isolated Domain (Windows) description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Checklist: Configuring Rules for the Isolated Domain **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md index d2ba4b5a27..1796cc336e 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md 
@@ -1,5 +1,5 @@ --- -title: Checklist Creating Group Policy Objects (Windows 10) +title: Checklist Creating Group Policy Objects (Windows) description: Learn to deploy firewall settings, IPsec settings, firewall rules, or connection security rules, by using Group Policy in AD DS. ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Checklist: Creating Group Policy Objects **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group. 
@@ -30,7 +31,7 @@ The checklists for firewall, domain isolation, and server isolation include a li ## About membership groups -For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 10, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied. +For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 11, Windows 10, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. 
Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied. ## About exclusion groups diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md index 834016bd7b..cb5f132795 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md @@ -1,5 +1,5 @@ --- -title: Checklist Creating Inbound Firewall Rules (Windows 10) +title: Checklist Creating Inbound Firewall Rules (Windows) description: Use these tasks for creating inbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security. ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Checklist: Creating Inbound Firewall Rules **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist includes tasks for creating firewall rules in your GPOs. 
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md index b20cb735f9..cc6976169c 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md @@ -1,5 +1,5 @@ --- -title: Checklist Creating Outbound Firewall Rules (Windows 10) +title: Checklist Creating Outbound Firewall Rules (Windows) description: Use these tasks for creating outbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security. ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Checklist: Creating Outbound Firewall Rules **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist includes tasks for creating outbound firewall rules in your GPOs. diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md index 4a4c525867..62905bf49e 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md 
@@ -1,5 +1,5 @@ --- -title: Create Rules for Standalone Isolated Server Zone Clients (Windows 10) +title: Create Rules for Standalone Isolated Server Zone Clients (Windows) description: Checklist for when creating rules for clients of a Standalone Isolated Server Zone ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone. diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md index 1aa6060a8c..c9c577bc2e 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md @@ -1,5 +1,5 @@ --- -title: Checklist Implementing a Basic Firewall Policy Design (Windows 10) +title: Checklist Implementing a Basic Firewall Policy Design (Windows) description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation. ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3 ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Checklist: Implementing a Basic Firewall Policy Design **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. @@ -35,7 +36,7 @@ The procedures in this section use the Group Policy MMC snap-in interfaces to co | Task | Reference | | - | - | | Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
                  [Basic Firewall Policy Design](basic-firewall-policy-design.md)
                  [Firewall Policy Design Example](firewall-policy-design-example.md)
                  [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)| -| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
                  [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 11, Windows 10, and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10 or Windows 11, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
                  [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| | If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)| | Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)| | Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)| diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md index 52c11e99ed..a1183f3f52 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -1,5 +1,5 @@ --- -title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows 10) +title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows) description: Use these references to learn about using certificates as an authentication option and configure a certificate-based isolation policy design. ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894 ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Checklist: Implementing a Certificate-based Isolation Policy Design **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design. diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md index 1261adcbb9..6a6f01d952 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md @@ -1,5 +1,5 @@ --- -title: Checklist Implementing a Domain Isolation Policy Design (Windows 10) +title: Checklist Implementing a Domain Isolation Policy Design (Windows) description: Use these references to learn about the domain isolation policy design and links to other checklists to complete tasks require to implement this design. ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20 ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Checklist: Implementing a Domain Isolation Policy Design **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md index 1d53748cc1..3090ba97d5 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -1,5 +1,5 @@ --- -title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows 10) +title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows) description: Use these tasks to create a server isolation policy design that is not part of an isolated domain. See references to concepts and links to other checklists. ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3 ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Checklist: Implementing a Standalone Server Isolation Policy Design **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md). diff --git a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md index e6fd6b4090..7522322a6f 100644 --- a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md +++ b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md @@ -1,5 +1,5 @@ --- -title: Configure Authentication Methods (Windows 10) +title: Configure Authentication Methods (Windows) description: Learn how to configure authentication methods for devices in an isolated domain or standalone server zone in Windows Defender Firewall with Advanced Security. ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Configure Authentication Methods **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone. 
diff --git a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md index 41b2b78f6c..99a5795add 100644 --- a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md +++ b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md @@ -1,5 +1,5 @@ --- -title: Configure Data Protection (Quick Mode) Settings (Windows 10) +title: Configure Data Protection (Quick Mode) Settings (Windows) description: Learn how to configure the data protection settings for connection security rules in an isolated domain or a standalone isolated server zone. ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Configure Data Protection (Quick Mode) Settings **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone. diff --git a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md index cfc3364fe7..ef75edf628 100644 --- a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md +++ b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md 
@@ -1,5 +1,5 @@ --- -title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows 10) +title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows) description: Learn how to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Configure Group Policy to Autoenroll and Deploy Certificates **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate. diff --git a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md index f1b75a3291..6e18c1001c 100644 --- a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md +++ b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md @@ -1,5 +1,5 @@ --- -title: Configure Key Exchange (Main Mode) Settings (Windows 10) +title: Configure Key Exchange (Main Mode) Settings (Windows) description: Learn how to configure the main mode key exchange settings used to secure the IPsec authentication traffic in Windows Defender Firewall with Advanced Security. ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52 ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Configure Key Exchange (Main Mode) Settings **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic. diff --git a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md index 561ea0f380..c7c3f8fafc 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md @@ -1,5 +1,5 @@ --- -title: Configure the Rules to Require Encryption (Windows 10) +title: Configure the Rules to Require Encryption (Windows) description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that do not use encryption for zones that require encryption. ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0 ms.reviewer: @@ -14,8 +14,8 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Configure the Rules to Require Encryption diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md index 4c82249ccd..c7d71a4f26 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md 
@@ -1,5 +1,5 @@ --- -title: Configure the Windows Defender Firewall Log (Windows 10) +title: Configure the Windows Defender Firewall Log (Windows) description: Learn how to configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections by using Group Policy Management MMC. ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Configure the Windows Defender Firewall with Advanced Security Log **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in. diff --git a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md index 7ff2117797..f0c5bb8bdf 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md @@ -1,5 +1,5 @@ --- -title: Configure the Workstation Authentication Template (Windows 10) +title: Configure the Workstation Authentication Template (Windows) description: Learn how to configure a workstation authentication certificate template, which is used for device certificates that are enrolled and deployed to workstations. ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6 ms.reviewer: 
@@ -11,15 +11,16 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
-ms.date: 07/30/2018
-ms.technology: mde
+ms.date: 09/07/2021
+ms.technology: windows-sec
 ---
 # Configure the Workstation Authentication Certificate Template
 **Applies to**
 - Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
 This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements.
diff --git a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
index 200675b11a..9a23ea1f28 100644
--- a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
+++ b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
@@ -1,5 +1,5 @@
 ---
-title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows 10)
+title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows)
 description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Bbocked
 ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b
 ms.reviewer:
@@ -14,15 +14,16 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 08/17/2017
-ms.technology: mde
+ms.date: 09/07/2021
+ms.technology: windows-sec
 ---
 # Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked
 **Applies to**
 - Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
 To configure Windows Defender Firewall with Advanced Security to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console.
diff --git a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
index 8af8ad2d89..45aac5c3bd 100644
--- a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
+++ b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
@@ -1,5 +1,5 @@
 ---
-title: Confirm That Certificates Are Deployed Correctly (Windows 10)
+title: Confirm That Certificates Are Deployed Correctly (Windows)
 description: Learn how to confirm that a Group Policy is being applied as expected and that the certificates are being properly installed on the workstations.
 ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee
 ms.reviewer:
@@ -14,15 +14,16 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
-ms.technology: mde
+ms.date: 09/07/2021
+ms.technology: windows-sec
 ---
 # Confirm That Certificates Are Deployed Correctly
 **Applies to**
 - Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
 After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices.
diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
index 4020fab006..16fa98ba4f 100644
--- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
@@ -1,5 +1,5 @@
 ---
-title: Copy a GPO to Create a New GPO (Windows 10)
+title: Copy a GPO to Create a New GPO (Windows)
 description: Learn how to make a copy of a GPO by using the Active Directory Users and devices MMC snap-in to create a GPO for boundary zone devices.
 ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406
 ms.reviewer:
@@ -14,15 +14,16 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
-ms.technology: mde
+ms.date: 09/07/2021
+ms.technology: windows-sec
 ---
 # Copy a GPO to Create a New GPO
 **Applies to**
 - Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
 To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in.
@@ -56,4 +57,4 @@ To complete this procedure, you must be a member of the Domain Administrators gr
 12. Type the name of the group that contains members of the boundary zone, for example **CG\_DOMISO\_Boundary**, and then click **OK**.
-13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO.
+13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10 or Windows 11, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO.
diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
index 3511ad7f7f..7f5899e2f5 100644
--- a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
@@ -1,5 +1,5 @@
 ---
-title: Create a Group Account in Active Directory (Windows 10)
+title: Create a Group Account in Active Directory (Windows)
 description: Learn how to create a security group for the computers that are to receive Group Policy settings by using the Active Directory Users and Computers console.
 ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432
 ms.reviewer:
@@ -14,15 +14,16 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
-ms.technology: mde
+ms.date: 09/07/2021
+ms.technology: windows-sec
 ---
 # Create a Group Account in Active Directory
 **Applies to**
 - Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
 To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console.
diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
index e6e1e18867..c1f6da0c2a 100644
--- a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
@@ -1,5 +1,5 @@
 ---
-title: Create a Group Policy Object (Windows 10)
+title: Create a Group Policy Object (Windows)
 description: Learn how to use the Active Directory Users and Computers MMC snap-in to create a GPO. You must be a member of the Domain Administrators group.
 ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced
 ms.reviewer:
@@ -14,15 +14,16 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
-ms.technology: mde
+ms.date: 09/07/2021
+ms.technology: windows-sec
 ---
 # Create a Group Policy Object
 **Applies to**
 - Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
 To create a new GPO, use the Active Directory Users and Computers MMC snap-in.
diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
index 35cb8d066a..513807383f 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
@@ -1,5 +1,5 @@
 ---
-title: Create an Authentication Exemption List Rule (Windows 10)
+title: Create an Authentication Exemption List Rule (Windows)
 description: Learn how to create rules that exempt devices that cannot communicate by using IPSec from the authentication requirements of your isolation policies.
 ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8
 ms.reviewer:
@@ -14,15 +14,16 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 08/17/2017
-ms.technology: mde
+ms.date: 09/07/2021
+ms.technology: windows-sec
 ---
 # Create an Authentication Exemption List Rule
 **Applies to**
 - Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
 In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies.
diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
index 43156e1bc5..037a451dee 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
@@ -1,5 +1,5 @@
 ---
-title: Create an Authentication Request Rule (Windows 10)
+title: Create an Authentication Request Rule (Windows)
 description: Create a new rule for Windows Defender Firewall with Advanced Security so devices on the network use IPsec protocols and methods before they can communicate.
 ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359
 ms.reviewer:
@@ -14,15 +14,16 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 08/17/2017
-ms.technology: mde
+ms.date: 09/07/2021
+ms.technology: windows-sec
 ---
 # Create an Authentication Request Rule
 **Applies to:**
 - Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
 After you have configured IPsec algorithms and authentication methods, you can create the rule that requires the devices on the network to use those protocols and methods before they can communicate.
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
index c56953f28c..da5b7f7f20 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
@@ -1,5 +1,5 @@
 ---
-title: Create an Inbound ICMP Rule (Windows 10)
+title: Create an Inbound ICMP Rule (Windows)
 description: Learn how to allow inbound ICMP traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
 ms.assetid: 267b940a-79d9-4322-b53b-81901e357344
 ms.reviewer:
@@ -14,15 +14,16 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 08/17/2017
-ms.technology: mde
+ms.date: 09/07/2021
+ms.technology: windows-sec
 ---
 # Create an Inbound ICMP Rule
 **Applies to**
 - Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
 To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network.
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
index 05df6a67cc..93586077a2 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
@@ -1,5 +1,5 @@
 ---
-title: Create an Inbound Port Rule (Windows 10)
+title: Create an Inbound Port Rule (Windows)
 description: Learn to allow traffic on specific ports by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
 ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f
 ms.reviewer:
@@ -14,15 +14,16 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 08/17/2017
-ms.technology: mde
+ms.date: 09/07/2021
+ms.technology: windows-sec
 ---
 # Create an Inbound Port Rule
 **Applies to**
 - Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
 To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port.
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
index bd01350eee..bb976db9c3 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
@@ -1,5 +1,5 @@
 ---
-title: Create an Inbound Program or Service Rule (Windows 10)
+title: Create an Inbound Program or Service Rule (Windows)
 description: Learn how to allow inbound traffic to a program or service by using the Group Policy Management MMC snap-in to create firewall rules.
 ms.assetid: 00b7fa60-7c64-4ba5-ba95-c542052834cf
 ms.reviewer:
@@ -14,15 +14,16 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 08/17/2017
-ms.technology: mde
+ms.date: 09/07/2021
+ms.technology: windows-sec
 ---
 # Create an Inbound Program or Service Rule
 **Applies to**
 - Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
 To allow inbound network traffic to a specified program or service, use the Windows Defender Firewall with Advanced Securitynode in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port.
diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
index a463162a4d..e38e364c07 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
@@ -1,5 +1,5 @@
 ---
-title: Create an Outbound Port Rule (Windows 10)
+title: Create an Outbound Port Rule (Windows)
 description: Learn to block outbound traffic on a port by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
 ms.assetid: 59062b91-756b-42ea-8f2a-832f05d77ddf
 ms.reviewer:
@@ -14,15 +14,16 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 08/17/2017
-ms.technology: mde
+ms.date: 09/07/2021
+ms.technology: windows-sec
 ---
 # Create an Outbound Port Rule
 **Applies to**
 - Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
 By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers.
diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
index fe0b68eb1d..15141a8aff 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
@@ -1,5 +1,5 @@
 ---
-title: Create an Outbound Program or Service Rule (Windows 10)
+title: Create an Outbound Program or Service Rule (Windows)
 description: Use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules.
 ms.assetid: f71db4fb-0228-4df2-a95d-b9c056aa9311
 ms.reviewer:
@@ -14,15 +14,16 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 08/17/2017
-ms.technology: mde
+ms.date: 09/07/2021
+ms.technology: windows-sec
 ---
 # Create an Outbound Program or Service Rule
 **Applies to**
 - Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
 By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port.
diff --git a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
index 59cb4d71cb..9539084377 100644
--- a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
+++ b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
@@ -1,5 +1,5 @@
 ---
-title: Create Inbound Rules to Support RPC (Windows 10)
+title: Create Inbound Rules to Support RPC (Windows)
 description: Learn how to allow RPC network traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
 ms.assetid: 0b001c2c-12c1-4a30-bb99-0c034d7e6150
 ms.reviewer:
@@ -14,15 +14,16 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 08/17/2017
-ms.technology: mde
+ms.date: 09/07/2021
+ms.technology: windows-sec
 ---
 # Create Inbound Rules to Support RPC
 **Applies to**
 - Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
 To allow inbound remote procedure call (RPC) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper.
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index 479b2e67af..e8872fb1a3 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -1,5 +1,5 @@
 ---
-title: Create Windows Firewall rules in Intune (Windows 10)
+title: Create Windows Firewall rules in Intune (Windows)
 description: Learn how to use Intune to create rules in Windows Defender Firewall with Advanced Security. Start by creating a profile in Device Configuration in Intune.
 ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
 ms.reviewer:
@@ -14,19 +14,21 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Create Windows Firewall rules in Intune
 **Applies to**
 - Windows 10
+- Windows 11
+- Windows Server 2016 and above
 >[!IMPORTANT]
 >This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 To get started, open Device Configuration in Intune, then create a new profile.
-Choose Windows 10 as the platform, and Endpoint Protection as the profile type.
+Choose Windows 10 or Windows 11 as the platform, and Endpoint Protection as the profile type.
 Select Windows Defender Firewall.
 ![Windows Defender Firewall in Intune.](images/windows-firewall-intune.png)
@@ -35,7 +37,7 @@ Select Windows Defender Firewall.
 ## Firewall rule components
-The firewall rule configurations in Intune use the Windows 10 CSP for Firewall. For more information, see [Firewall CSP](/windows/client-management/mdm/firewall-csp).
+The firewall rule configurations in Intune use the Windows CSP for Firewall. For more information, see [Firewall CSP](/windows/client-management/mdm/firewall-csp).
 ## Application Control connections for an app or program.
diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
index 78d50e3732..6d9896ef84 100644
--- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -1,5 +1,5 @@
 ---
-title: Create WMI Filters for the GPO (Windows 10)
+title: Create WMI Filters for the GPO (Windows)
 description: Learn how to use WMI filters on a GPO to make sure that each GPO for a group can only be applied to devices running the correct version of Windows.
 ms.assetid: b1a6d93d-a3c8-4e61-a388-4a3323f0e74e
 ms.reviewer:
@@ -14,15 +14,16 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 08/16/2021
-ms.technology: mde
+ms.date: 09/07/2021
+ms.technology: windows-sec
 ---
 # Create WMI Filters for the GPO
 **Applies to**
 - Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
 To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device.
@@ -58,13 +59,13 @@ First, create the WMI filter and configure it to look for a specified version (o
 select * from Win32_OperatingSystem where Version like "6.%"
 ```
- This query will return **true** for devices running at least Windows Vista and Windows Server 2008. To set a filter for just Windows 8 and Windows Server 2012, use "6.2%". For Windows 10 and Windows Server 2016, use "10.%". To specify multiple versions, combine them with or, as shown in the following:
+ This query will return **true** for devices running at least Windows Vista and Windows Server 2008. To set a filter for just Windows 8 and Windows Server 2012, use "6.2%". For Windows 11, Windows 10, and Windows Server 2016, use "10.%". To specify multiple versions, combine them with or, as shown in the following:
 ``` syntax
 ... where Version like "6.1%" or Version like "6.2%"
 ```
- To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers and for Windows 10 multi-session, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network.
+ To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers and for Windows 10 and Windows 11 multi-session, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network.
 The following clause returns **true** for all devices that are not domain controllers:
@@ -72,7 +73,7 @@ First, create the WMI filter and configure it to look for a specified version (o
 ... where ProductType="1" or ProductType="3"
 ```
- The following complete query returns **true** for all devices running Windows 10, and returns **false** for any server operating system or any other client operating system.
+ The following complete query returns **true** for all devices running Windows 10 and Windows 11, and returns **false** for any server operating system or any other client operating system.
 ``` syntax
 select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"
diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
index 68a9281a43..bb72548e1a 100644
--- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
+++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
@@ -1,5 +1,5 @@
 ---
-title: Designing a Windows Defender Firewall Strategy (Windows 10)
+title: Designing a Windows Defender Firewall Strategy (Windows)
 description: Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy.
 ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71
 ms.reviewer:
@@ -14,15 +14,16 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 08/17/2017
-ms.technology: mde
+ms.date: 09/07/2021
+ms.technology: windows-sec
 ---
 # Designing a Windows Defender Firewall with Advanced Security Strategy
 **Applies to**
 - Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
 To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices.
diff --git a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
index 89fca32581..be0ce97138 100644
--- a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
@@ -1,5 +1,5 @@
 ---
-title: Determining the Trusted State of Your Devices (Windows 10)
+title: Determining the Trusted State of Your Devices (Windows)
 description: Learn how to define the trusted state of devices in your enterprise to help design your strategy for using Windows Defender Firewall with Advanced Security.
 ms.assetid: 3e77f0d0-43aa-47dd-8518-41ccdab2f2b2
 ms.reviewer:
@@ -14,15 +14,16 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 08/17/2017
-ms.technology: mde
+ms.date: 09/07/2021
+ms.technology: windows-sec
 ---
 # Determining the Trusted State of Your Devices
 **Applies to**
 - Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
 After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security cannot exceed the level of security set by the least secure client that achieves trusted status.
diff --git a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
index e8f37ee452..6b8adafa56 100644
--- a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
@@ -1,5 +1,5 @@
 ---
-title: Documenting the Zones (Windows 10)
+title: Documenting the Zones (Windows)
 description: Learn how to document the zone placement of devices in your design for Windows Defender Firewall with Advanced Security.
 ms.assetid: ebd7a650-4d36-42d4-aac0-428617f5a32d
 ms.reviewer:
@@ -14,15 +14,16 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 08/17/2017
-ms.technology: mde
+ms.date: 09/07/2021
+ms.technology: windows-sec
 ---
 # Documenting the Zones
 **Applies to**
 - Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
 Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Defender Firewall with Advanced Security Strategy section. A sample is shown here:
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
index 8f27c49ab5..ec6e6a670b 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
@@ -1,5 +1,5 @@
 ---
-title: Domain Isolation Policy Design Example (Windows 10)
+title: Domain Isolation Policy Design Example (Windows)
 description: This example uses a fictitious company to illustrate domain isolation policy design in Windows Defender Firewall with Advanced Security.
 ms.assetid: 704dcf58-286f-41aa-80af-c81720aa7fc5
 ms.reviewer:
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Domain Isolation Policy Design Example **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams. diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md index 659827d1c6..0f112cdfa7 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md @@ -1,5 +1,5 @@ --- -title: Domain Isolation Policy Design (Windows 10) +title: Domain Isolation Policy Design (Windows) description: Learn how to design a domain isolation policy, based on which devices accept only connections from authenticated members of the same isolated domain. ms.assetid: 7475084e-f231-473a-9357-5e1d39861d66 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Domain Isolation Policy Design **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above In the domain isolation policy design, you configure the devices on your network to accept only connections coming from devices that are authenticated as members of the same isolated domain. 
diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md index 0a1b0212b6..cd420e5088 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md @@ -1,5 +1,5 @@ --- -title: Enable Predefined Inbound Rules (Windows 10) +title: Enable Predefined Inbound Rules (Windows) description: Learn the rules for Windows Defender Firewall with Advanced Security for common networking roles and functions. ms.assetid: a4fff086-ae81-4c09-b828-18c6c9a937a7 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Enable Predefined Inbound Rules **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Windows Defender Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md index 28e4f8649e..0102f9ee3a 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md 
+++ b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md @@ -1,5 +1,5 @@ --- -title: Enable Predefined Outbound Rules (Windows 10) +title: Enable Predefined Outbound Rules (Windows) description: Learn to deploy predefined firewall rules that block outbound network traffic for common network functions in Windows Defender Firewall with Advanced Security. ms.assetid: 71cc4157-a1ed-41d9-91e4-b3140c67c1be ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/07/2021 +ms.technology: windows-sec --- # Enable Predefined Outbound Rules **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above By default, Windows Defender Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Defender Firewall includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md index 9dc32a7f67..6d909df105 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md 
@@ -1,5 +1,5 @@ --- -title: Encryption Zone GPOs (Windows 10) +title: Encryption Zone GPOs (Windows) description: Learn how to add a device to an encryption zone by adding the device account to the encryption zone group in Windows Defender Firewall with Advanced Security. ms.assetid: eeb973dd-83a5-4381-9af9-65c43c98c29b ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Encryption Zone GPOs **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section. diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md index 3fba99acba..fe2e9815a6 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md @@ -1,5 +1,5 @@ --- -title: Encryption Zone (Windows 10) +title: Encryption Zone (Windows) description: Learn how to create an encryption zone to contain devices that host very sensitive data and require that the sensitive network traffic be encrypted. ms.assetid: 55a025ce-357f-4d1b-b2ae-6ee32c9abe13 ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Encryption Zone **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Some servers in the organization host data that's very sensitive, including medical, financial, or other personal data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices. diff --git a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md index 2f7a20377f..0a1c8c3094 100644 --- a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -1,5 +1,5 @@ --- -title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows 10) +title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows) description: Evaluating Windows Defender Firewall with Advanced Security Design Examples ms.assetid: a591389b-18fa-4a39-ba07-b6fb61961cbd ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Evaluating Windows Defender Firewall with Advanced Security Design Examples **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use Windows Defender Firewall to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall designs and to determine which design or combination of designs best suits the goals of your organization. diff --git a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md index 38c6fd67c7..686d6ff871 100644 --- a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md +++ b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md @@ -1,5 +1,5 @@ --- -title: Exempt ICMP from Authentication (Windows 10) +title: Exempt ICMP from Authentication (Windows) description: Learn how to add exemptions for any network traffic that uses the ICMP protocol in Windows Defender Firewall with Advanced Security. ms.assetid: c086c715-8d0c-4eb5-9ea7-2f7635a55548 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Exempt ICMP from Authentication **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol. 
diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md index b923df309c..c060789ce3 100644 --- a/windows/security/threat-protection/windows-firewall/exemption-list.md +++ b/windows/security/threat-protection/windows-firewall/exemption-list.md @@ -1,5 +1,5 @@ --- -title: Exemption List (Windows 10) +title: Exemption List (Windows) description: Learn about reasons to add devices to an exemption list in Windows Defender Firewall with Advanced Security and the trade-offs of having too many exemptions. ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Exemption List **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devices on the internal network, yet secured from network attacks. However, if they must remain available to all devices on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md index 718505a9d7..ca7cb954eb 100644 --- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md +++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md 
@@ -13,7 +13,7 @@ ms.collection: - m365-security-compliance - m365-initiative-windows-security ms.topic: troubleshooting -ms.technology: mde +ms.technology: windows-sec --- # Filter origin audit log improvements diff --git a/windows/security/threat-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md index faa8a0d788..c6815864d5 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-gpos.md +++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md @@ -1,5 +1,5 @@ --- -title: Firewall GPOs (Windows 10) +title: Firewall GPOs (Windows) description: In this example, a Group Policy Object is linked to the domain container because the domain controllers are not part of the isolated domain. ms.assetid: 720645fb-a01f-491e-8d05-c9c6d5e28033 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Firewall GPOs **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters. diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md index 5a6acfea96..e130a76c47 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md 
@@ -1,5 +1,5 @@ --- -title: Basic Firewall Policy Design Example (Windows 10) +title: Basic Firewall Policy Design Example (Windows) description: This example features a fictitious company and illustrates firewall policy design for Windows Defender Firewall with Advanced Security. ms.assetid: 0dc3bcfe-7a4d-4a15-93a9-64b13bd775a7 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Basic Firewall Policy Design Example **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above In this example, the fictitious company Woodgrove Bank is a financial services institution. @@ -67,7 +68,7 @@ Other traffic notes: Woodgrove Bank uses Active Directory groups and Group Policy Objects to deploy the firewall settings and rules to the devices on their network. They know that they must deploy policies to the following collections of devices: -- Client devices that run Windows 10, Windows 8, or Windows 7 +- Client devices that run Windows 11, Windows 10, Windows 8, or Windows 7 - WGBank front-end servers that run Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them) diff --git a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md index cb36df4ddd..562716bc3b 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md +++ b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md 
@@ -13,7 +13,7 @@ ms.collection: - m365-security-compliance - m365-initiative-windows-security ms.topic: troubleshooting -ms.technology: mde +ms.technology: windows-sec --- # Troubleshooting Windows Firewall settings after a Windows upgrade diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md index 35ed36b193..32c6dd328f 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md @@ -1,5 +1,5 @@ --- -title: Gathering Information about Your Active Directory Deployment (Windows 10) +title: Gathering Information about Your Active Directory Deployment (Windows) description: Learn about gathering Active Directory information, including domain layout, organizational unit architecture, and site topology, for your firewall deployment. ms.assetid: b591b85b-12ac-4329-a47e-bc1b03e66eb0 ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Gathering Information about Your Active Directory Deployment **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Defender Firewall with Advanced Security. Review the following list for information needed: diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md index 97aed509bc..65ecfd3af8 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md @@ -1,5 +1,5 @@ --- -title: Gathering Info about Your Network Infrastructure (Windows 10) +title: Gathering Info about Your Network Infrastructure (Windows) description: Learn how to gather info about your network infrastructure so that you can effectively plan for Windows Defender Firewall with Advanced Security deployment. ms.assetid: f98d2b17-e71d-4ffc-b076-118b4d4782f9 ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Gathering Information about Your Current Network Infrastructure **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Perhaps the most important aspect of planning for Windows Defender Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Defender Firewall solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project: diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md index 1e9b7fee54..0e57c0e9a9 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md @@ -1,5 +1,5 @@ --- -title: Gathering Information about Your Devices (Windows 10) +title: Gathering Information about Your Devices (Windows) description: Learn what information to gather about the devices in your enterprise to plan your Windows Defender Firewall with Advanced Security deployment. ms.assetid: 7f7cd3b9-de8e-4fbf-89c6-3d1a47bc2beb ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Gathering Information about Your Devices **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server devices on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned. diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md index e75e426e2c..3a143a59c5 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md +++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md @@ -1,5 +1,5 @@ --- -title: Gathering Other Relevant Information (Windows 10) +title: Gathering Other Relevant Information (Windows) description: Learn about additional information you may need to gather to deploy Windows Defender Firewall with Advanced Security policies in your organization. ms.assetid: 87ccca07-4346-496b-876d-cdde57d0ce17 ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Gathering Other Relevant Information **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Defender Firewall with Advanced Security policies in your organization. diff --git a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md index fbdf23f73f..8482a7cd65 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md +++ b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md @@ -1,5 +1,5 @@ --- -title: Gathering the Information You Need (Windows 10) +title: Gathering the Information You Need (Windows) description: Collect and analyze information about your network, directory services, and devices to prepare for Windows Defender Firewall with Advanced Security deployment. ms.assetid: 545fef02-5725-4b1e-b67a-a32d94c27d15 ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Gathering the Information You Need **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Before starting the planning process for a Windows Defender Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md index 4ea713f793..afa8e8f5cc 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md @@ -1,5 +1,5 @@ --- -title: GPO\_DOMISO\_Boundary (Windows 10) +title: GPO\_DOMISO\_Boundary (Windows) description: This example GPO supports devices that are not part of the isolated domain to access specific servers that must be available to those untrusted devices. ms.assetid: ead3a510-c329-4c2a-9ad2-46a3b4975cfd ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # GPO\_DOMISO\_Boundary **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md index 7c81975bea..d1ca928d07 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md @@ -1,5 +1,5 @@ --- -title: GPO\_DOMISO\_Encryption\_WS2008 (Windows 10) +title: GPO\_DOMISO\_Encryption\_WS2008 (Windows) description: This example GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. ms.assetid: 84375480-af6a-4c79-aafe-0a37115a7446 ms.reviewer: @@ -14,8 +14,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # GPO\_DOMISO\_Encryption\_WS2008 diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md index 7799c8484f..662dd03f50 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md 
@@ -1,5 +1,5 @@ --- -title: GPO\_DOMISO\_Firewall (Windows 10) +title: GPO\_DOMISO\_Firewall (Windows) description: Learn about the settings and rules in this example GPO, which is authored by using the Group Policy editing tools. ms.assetid: 318467d2-5698-4c5d-8000-7f56f5314c42 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # GPO\_DOMISO\_Firewall **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md index c5c16902b2..bed380f50e 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md @@ -1,5 +1,5 @@ --- -title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows 10) +title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows) description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. ms.assetid: 73cd9e25-f2f1-4ef6-b0d1-d36209518cd9 ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # GPO\_DOMISO\_IsolatedDomain\_Clients **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md index a7e5651251..84d2f5ce16 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md @@ -1,6 +1,6 @@ --- -title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows 10) -description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. +title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows) +description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. ms.assetid: 33aed8f3-fdc3-4f96-985c-e9d2720015d3 ms.reviewer: ms.author: dansimp 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # GPO\_DOMISO\_IsolatedDomain\_Servers **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008. @@ -33,4 +34,3 @@ Because so many of the settings and rules for this GPO are common to those in th >**Important:**  Windows Vista and Windows Server 2008 support only one network location profile at a time. The profile for the least secure network type is applied to the device. If you attach a network adapter to a device that is not physically connected to a network, the public network location type is associated with the network adapter and applied to the device. **Next:** [Boundary Zone GPOs](boundary-zone-gpos.md) - diff --git a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 738e348ccd..6746a2c01c 100644 --- a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md 
@@ -1,5 +1,5 @@ --- -title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment (Windows 10) +title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment (Windows) description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) implementation goals ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba ms.reviewer: @@ -14,14 +14,15 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Identifying Windows Defender Firewall with Advanced Security implementation goals **Applies to** -- Windows 10 -- Windows Server 2016 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above Correctly identifying your Windows Defender Firewall with Advanced Security implementation goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your implementation goals. Prioritize and, if possible, combine your implementation goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall implementation goals presented in this guide that are relevant to your scenarios. diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md index 265019f489..9f16389687 100644 --- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md 
+++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -1,5 +1,5 @@ --- -title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows 10) +title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows) description: Implementing Your Windows Defender Firewall with Advanced Security Design Plan ms.assetid: 15f609d5-5e4e-4a71-9eff-493a2e3e40f9 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Implementing Your Windows Defender Firewall with Advanced Security Design Plan **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The following are important factors in the implementation of your Windows Defender Firewall design plan: diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md index 878839f37f..ccaefb1de6 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md @@ -1,5 +1,5 @@ --- -title: Isolated Domain GPOs (Windows 10) +title: Isolated Domain GPOs (Windows) description: Learn about GPOs for isolated domains in this example configuration of Windows Defender Firewall with Advanced Security. ms.assetid: e254ce4a-18c6-4868-8179-4078d9de215f ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Isolated Domain GPOs **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above All of the devices in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section. diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md index b9656fd06d..af0a3cd985 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md @@ -1,5 +1,5 @@ --- -title: Isolated Domain (Windows 10) +title: Isolated Domain (Windows) description: Learn about the isolated domain, which is the primary zone for trusted devices, which use connection security and firewall rules to control communication. ms.assetid: d6fa8d67-0078-49f6-9bcc-db1f24816c5e ms.reviewer: @@ -14,16 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Isolated Domain **Applies to:** -- Windows 10 -- Windows Server 2016 -- Windows Server 2019 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above The isolated domain is the primary zone for trusted devices. The devices in this zone use connection security and firewall rules to control the communications that can be sent between devices in the zone. 
diff --git a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md index bfd7f19f0a..642c968859 100644 --- a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md +++ b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md @@ -1,5 +1,5 @@ --- -title: Isolating Microsoft Store Apps on Your Network (Windows 10) +title: Isolating Microsoft Store Apps on Your Network (Windows) description: Learn how to customize your firewall configuration to isolate the network access of the new Microsoft Store apps that run on devices added to your network. ms.prod: m365-security ms.mktglfcycl: deploy @@ -11,17 +11,18 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 10/13/2017 +ms.date: 09/08/2021 ms.reviewer: ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Isolating Microsoft Store Apps on Your Network **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Microsoft Store apps that run on them. Developers who build Microsoft Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. 
@@ -65,7 +66,7 @@ To isolate Microsoft Store apps on your network, you need to use Group Policy to - The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Microsoft Store app when you create Windows Defender Firewall rules. - >**Note:**  You can install the RSAT on your device running Windows 10 from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). + >**Note:**  You can install the RSAT on your device running Windows from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).   ## Step 1: Define your network diff --git a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md index 7759669531..472e264155 100644 --- a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md +++ b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md @@ -1,5 +1,5 @@ --- -title: Link the GPO to the Domain (Windows 10) +title: Link the GPO to the Domain (Windows) description: Learn how to link a GPO to the Active Directory container for the target devices, after you configure it in Windows Defender Firewall with Advanced Security. ms.assetid: 746d4553-b1a6-4954-9770-a948926b1165 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Link the GPO to the Domain **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices. 
diff --git a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md index ee043c54a0..4d847f7055 100644 --- a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md @@ -1,5 +1,5 @@ --- -title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows 10) +title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows) description: Mapping your implementation goals to a Windows Firewall with Advanced Security design ms.assetid: 7e68c59e-ba40-49c4-8e47-5de5d6b5eb22 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Mapping your implementation goals to a Windows Firewall with Advanced Security design **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you finish reviewing the existing Windows Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. > [!IMPORTANT] diff --git a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md index 2f2ec6ad54..e2e209ff07 100644 
--- a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md +++ b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md @@ -1,5 +1,5 @@ --- -title: Modify GPO Filters (Windows 10) +title: Modify GPO Filters (Windows) description: Learn how to modify GPO filters to apply to a different zone or version of windows in Windows Defender Firewall with Advanced Security. ms.assetid: 24ede9ca-a501-4025-9020-1129e2cdde80 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Modify GPO Filters to Apply to a Different Zone or Version of Windows **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md index 7046b6230b..7b4d920b83 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md 
@@ -1,5 +1,5 @@ --- -title: Open the Group Policy Management Console to IP Security Policies (Windows 10) +title: Open the Group Policy Management Console to IP Security Policies (Windows) description: Learn how to open the Group Policy Management Console to IP Security Policies to configure GPOs for earlier versions of the Windows operating system. ms.assetid: 235f73e4-37b7-40f4-a35e-3e7238bbef43 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Open the Group Policy Management Console to IP Security Policies **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Procedures in this guide that refer to GPOs for earlier versions of the Windows operating system instruct you to work with the IP Security Policy section in the Group Policy Management Console (GPMC). diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md index 5c3d340ea4..d55f5793ea 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md @@ -1,5 +1,5 @@ --- -title: Group Policy Management of Windows Firewall with Advanced Security (Windows 10) +title: Group Policy Management of Windows Firewall with Advanced Security (Windows) description: Group Policy Management of Windows Firewall with Advanced Security ms.assetid: 28afab36-8768-4938-9ff2-9d6dab702e98 ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Group Policy Management of Windows Firewall with Advanced Security **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Most of the procedures in this guide instruct you to use Group Policy settings for Windows Firewall with Advanced Security. diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md index 2c7d2f500b..77e7c364b3 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md @@ -1,5 +1,5 @@ --- -title: Group Policy Management of Windows Defender Firewall (Windows 10) +title: Group Policy Management of Windows Defender Firewall (Windows) description: Group Policy Management of Windows Defender Firewall with Advanced Security ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/02/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Group Policy Management of Windows Defender Firewall **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To open a GPO to Windows Defender Firewall: diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md index 1b99cfae07..c46ba8f97f 100644 
--- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md @@ -1,5 +1,5 @@ --- -title: Open Windows Defender Firewall with Advanced Security (Windows 10) +title: Open Windows Defender Firewall with Advanced Security (Windows) description: Learn how to open the Windows Defender Firewall with Advanced Security console. You must be a member of the Administrators group. ms.assetid: 788faff2-0f50-4e43-91f2-3e2595c0b6a1 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Open Windows Defender Firewall with Advanced Security **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This procedure shows you how to open the Windows Defender Firewall with Advanced Security console. diff --git a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md index 0f8b7c455f..c5d10098c9 100644 --- a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md +++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md @@ -1,5 +1,5 @@ --- -title: Planning Certificate-based Authentication (Windows 10) +title: Planning Certificate-based Authentication (Windows) description: Learn how a device unable to join an Active Directory domain can still participate in an isolated domain by using certificate-based authentication. ms.assetid: a55344e6-d0df-4ad5-a6f5-67ccb6397dec ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Planning Certificate-based Authentication **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Sometimes a device cannot join an Active Directory domain, and therefore cannot use Kerberos V5 authentication with domain credentials. However, the device can still participate in the isolated domain by using certificate-based authentication. diff --git a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md index af5214261c..a5c690294e 100644 --- a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md @@ -1,5 +1,5 @@ --- -title: Planning Domain Isolation Zones (Windows 10) +title: Planning Domain Isolation Zones (Windows) description: Learn how to use information you have gathered to make decisions about isolation zones for your environment in Windows Defender Firewall with Advanced Security. ms.assetid: 70bc7c52-91f0-4a0d-a64a-69d3ea1c6d05 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Planning Domain Isolation Zones **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have the required information about your network, Active Directory, and client and server devices, you can use that information to make decisions about the isolation zones you want to use in your environment. 
diff --git a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md index 0f0993409e..81d3ffeabe 100644 --- a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md +++ b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md @@ -1,5 +1,5 @@ --- -title: Planning GPO Deployment (Windows 10) +title: Planning GPO Deployment (Windows) description: Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory. ms.assetid: b38adfb1-1371-4227-a887-e6d118809de1 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Planning GPO Deployment **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above You can control which GPOs are applied to devices in Active Directory in a combination of three ways: diff --git a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md index 7899c1c091..3002cef090 100644 --- a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md 
@@ -1,5 +1,5 @@ --- -title: Planning Group Policy Deployment for Your Isolation Zones (Windows 10) +title: Planning Group Policy Deployment for Your Isolation Zones (Windows) description: Learn how to plan a group policy deployment for your isolation zones after you determine the best logical design for your isolation environment. ms.assetid: ea7c0acd-af28-4347-9d4a-4801b470557c ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Planning Group Policy Deployment for Your Isolation Zones **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have decided on the best logical design of your isolation environment for the network and device security requirements, you can start the implementation plan. diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md index c4fff5ce81..6cf3ebe60c 100644 --- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md @@ -1,5 +1,5 @@ --- -title: Planning Isolation Groups for the Zones (Windows 10) +title: Planning Isolation Groups for the Zones (Windows) description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs. ms.assetid: be4b662d-c1ce-441e-b462-b140469a5695 ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Planning Isolation Groups for the Zones **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group which represents that zone. diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md index 57d452edac..9a897f0089 100644 --- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md +++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md @@ -1,5 +1,5 @@ --- -title: Planning Network Access Groups (Windows 10) +title: Planning Network Access Groups (Windows) description: Learn how to implement a network access group for users and devices that can access an isolated server in Windows Defender Firewall with Advanced Security. ms.assetid: 56ea1717-1731-4a5d-b277-5a73eb86feb0 ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Planning Network Access Groups **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above A network access group (NAG) is used to identify users and devices that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a device, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required. diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md index a89145ab4a..9e87ee9790 100644 --- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md @@ -1,5 +1,5 @@ --- -title: Planning Server Isolation Zones (Windows 10) +title: Planning Server Isolation Zones (Windows) description: Learn how to restrict access to a server to approved users by using a server isolation zone in Windows Defender Firewall with Advanced Security. ms.assetid: 5f63c929-589e-4b64-82ea-515d62765b7b ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Planning Server Isolation Zones **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any devices that are outside the isolated domain, and encrypts all network connections to server. diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md index ce989c23c6..ed55752803 100644 --- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md @@ -1,5 +1,5 @@ --- -title: Planning Settings for a Basic Firewall Policy (Windows 10) +title: Planning Settings for a Basic Firewall Policy (Windows) description: Learn how to design a basic policy for Windows Defender Firewall with Advanced Security, the settings and rules that enforce your requirements on devices. ms.assetid: 4c90df5a-3cbc-4b85-924b-537c2422d735 ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Planning Settings for a Basic Firewall Policy **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices. diff --git a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md index 8bb1208626..74e85fa1a0 100644 --- a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md +++ b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md @@ -1,5 +1,5 @@ --- -title: Planning the GPOs (Windows 10) +title: Planning the GPOs (Windows) description: Learn about planning Group Policy Objects for your isolation zones in Windows Defender Firewall with Advanced Security, after you design the zone layout. ms.assetid: 11949ca3-a11c-4a16-b297-0862432eb5b4 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Planning the GPOs **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the devices to the zones. 
@@ -42,7 +43,7 @@ A few things to consider as you plan the GPOs: - Windows Defender Firewall* in Windows Vista and Windows Server 2008 only support one network location profile at a time. If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the device. If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the device handles network traffic will change accordingly. We recommend for stationary devices, such as desktops and servers, that you assign any rule for the device to all profiles. Apply GPOs that change rules per network location to devices that must move between networks, such as your portable devices. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles. -*Windows Defender Firewall is now called Windows Defender Firewall with Advanced Security in Windows 10. +*Windows Defender Firewall is now called Windows Defender Firewall with Advanced Security in Windows 10 and Windows 11. > [!NOTE] > Devices running Windows 7, Windows Server 2008 R2, and later support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Defender Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network. 
diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md index 7dabf87126..d651e8e71b 100644 --- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -1,5 +1,5 @@ --- -title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows 10) +title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows) description: Use the design information in this article to plan for the deployment of Windows Defender Firewall with Advanced Security in your organization. ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Planning to Deploy Windows Defender Firewall with Advanced Security **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you collect information about your environment and decide on a design by following the guidance in the [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Defender Firewall with Advanced Security in your organization. 
diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md index 437bb3fbeb..66140941f1 100644 --- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md @@ -1,5 +1,5 @@ --- -title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows 10) +title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows) description: After you gather the relevant information, select the design or combination of designs for Windows Defender Firewall with Advanced Security in your environment. ms.assetid: f3ac3d49-ef4c-4f3c-a16c-e107284e169f ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Planning Your Windows Defender Firewall with Advanced Security Design **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. diff --git a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md index e301390ef9..e45fb6c5e6 100644 --- a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md +++ b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md 
@@ -1,5 +1,5 @@ --- -title: Procedures Used in This Guide (Windows 10) +title: Procedures Used in This Guide (Windows) description: Refer to this summary of procedures for Windows Defender Firewall with Advanced Security from checklists in this guide. ms.assetid: 45c0f549-e4d8-45a3-a600-63e2a449e178 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Procedures Used in This Guide **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order. diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md index 233776996f..c0a822af53 100644 --- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md +++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md @@ -1,5 +1,5 @@ --- -title: Protect devices from unwanted network traffic (Windows 10) +title: Protect devices from unwanted network traffic (Windows) description: Learn how running a host-based firewall on every device in your organization can help protect against attacks as part of a defense-in-depth security strategy. ms.assetid: 307d2b38-e8c4-4358-ae16-f2143af965dc ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Protect devices from unwanted network traffic **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable device are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats. diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md index bd087a2124..83309d4b1b 100644 --- a/windows/security/threat-protection/windows-firewall/quarantine.md +++ b/windows/security/threat-protection/windows-firewall/quarantine.md @@ -14,8 +14,8 @@ ms.localizationpriority: normal audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/17/2020 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Quarantine behavior diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md index 8fbeb35412..5ae57cd35b 100644 --- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md 
+++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md @@ -1,5 +1,5 @@ --- -title: Require Encryption When Accessing Sensitive Network Resources (Windows 10) +title: Require Encryption When Accessing Sensitive Network Resources (Windows) description: Windows Defender Firewall with Advanced Security allows you to require that all network traffic in an isolated domain be encrypted. ms.assetid: da980d30-a68b-4e2a-ba63-94726355ce6f ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Require Encryption When Accessing Sensitive Network Resources **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted. diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md index 1a7c288575..4e8ca4f98b 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md 
@@ -1,5 +1,5 @@ --- -title: Restrict Access to Only Specified Users or Devices (Windows 10) +title: Restrict Access to Only Specified Users or Devices (Windows) description: Restrict access to devices and users that are members of domain groups authorized to access that device using Windows Defender Firewall with Advanced Security. ms.assetid: a6106a07-f9e5-430f-8dbd-06d3bf7406df ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Restrict Access to Only Specified Users or Computers **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) prevents devices that are members of the isolated domain from accepting network traffic from untrusted devices. However, some devices on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data. diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md index 5285e56ad9..287942862c 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md 
@@ -1,5 +1,5 @@ --- -title: Restrict access to only trusted devices (Windows 10) +title: Restrict access to only trusted devices (Windows) description: Windows Defender Firewall with Advanced Security enables you to isolate devices you trust and restrict access of untrusted devices to trusted devices. ms.assetid: bc1f49a4-7d54-4857-8af9-b7c79f47273b ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Restrict access to only trusted devices **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that are not owned by your organization to your network. Because you do not manage those devices, you cannot trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it is truly required. diff --git a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md index a9a24aa516..35882149d3 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md +++ b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md 
@@ -1,5 +1,5 @@ --- -title: Restrict Server Access to Members of a Group Only (Windows 10) +title: Restrict Server Access to Members of a Group Only (Windows) description: Create a firewall rule to access isolated servers running Windows Server 2008 or later and restrict server access to members of a group. ms.assetid: ea51c55b-e1ed-44b4-82e3-3c4287a8628b ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Restrict Server Access to Members of a Group Only **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have configured the IPsec connection security rules that force client devices to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those devices or users who have been identified through the authentication process as members of the isolated server’s access group. diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index 8cb2a35d50..70ebf3fd75 100644 --- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -1,5 +1,5 @@ --- -title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 (Windows 10) +title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 (Windows) description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 ms.prod: m365-security ms.mktglfcycl: deploy 
@@ -11,17 +11,18 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.reviewer: ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Securing End-to-End IPsec connections by using IKEv2 **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above IKEv2 offers the following: diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md index bb23429112..9ec9d59a12 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md @@ -1,5 +1,5 @@ --- -title: Server Isolation GPOs (Windows 10) +title: Server Isolation GPOs (Windows) description: Learn about required GPOs for isolation zones and how many server isolation zones you need in Windows Defender Firewall with Advanced Security. ms.assetid: c97b1f2f-51d8-4596-b38a-8a3f6f706be4 ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Server Isolation GPOs **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Each set of devices that have different users or devices accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on devices in the zone. The Woodgrove Bank example has an isolation zone for their devices that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose. diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md index a0070cf114..59eb498be0 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md @@ -1,5 +1,5 @@ --- -title: Server Isolation Policy Design Example (Windows 10) +title: Server Isolation Policy Design Example (Windows) description: Learn about server isolation policy design in Windows Defender Firewall with Advanced Security by referring to this example of a fictitious company. ms.assetid: 337e5f6b-1ec5-4b83-bee5-d0aea1fa5fc6 ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Server Isolation Policy Design Example **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This design example continues to use the fictitious company Woodgrove Bank, as described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section. diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md index 7d44e7c17c..92ff6b97db 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md @@ -1,5 +1,5 @@ --- -title: Server Isolation Policy Design (Windows 10) +title: Server Isolation Policy Design (Windows) description: Learn about server isolation policy design, where you assign servers to a zone that allows access only to members of an approved network access group. ms.assetid: f93f65cd-b863-461e-ab5d-a620fd962c9a ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Server Isolation Policy Design **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above In the server isolation policy design, you assign servers to a zone that allows access only to users and devices that authenticate as members of an approved network access group (NAG). 
diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md index 5e4d391f7f..3e3a5b108f 100644 --- a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md +++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md @@ -13,7 +13,7 @@ ms.collection: - m365-security-compliance - m365-initiative-windows-security ms.topic: troubleshooting -ms.technology: mde +ms.technology: windows-sec --- # Troubleshooting UWP App Connectivity Issues diff --git a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md index b6a468447e..0ae4b4f8dd 100644 --- a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md +++ b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md @@ -1,5 +1,5 @@ --- -title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior (Windows 10) +title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior (Windows) description: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior ms.assetid: 3c3fe832-ea81-4227-98d7-857a3129db74 ms.reviewer: 
@@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To enable Windows Defender Firewall with Advanced Security and configure its default behavior, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console. diff --git a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md index 6a77eda3f7..d6dbf5fd5a 100644 --- a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md +++ b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md @@ -1,5 +1,5 @@ --- -title: Understand WFAS Deployment (Windows 10) +title: Understand WFAS Deployment (Windows) description: Resources for helping you understand the Windows Defender Firewall with Advanced Security (WFAS) Design Process ms.prod: m365-security ms.mktglfcycl: deploy @@ -11,10 +11,10 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.reviewer: ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Understanding the Windows Defender Firewall with Advanced Security Design Process 
diff --git a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md index 113c3c0cc2..61ffa9d578 100644 --- a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md +++ b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md @@ -1,5 +1,5 @@ --- -title: Verify That Network Traffic Is Authenticated (Windows 10) +title: Verify That Network Traffic Is Authenticated (Windows) description: Learn how to confirm that network traffic is being protected by IPsec authentication after you configure your domain isolation rule to require authentication. ms.assetid: cc1fb973-aedf-4074-ad4a-7376b24f03d2 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Verify That Network Traffic Is Authenticated **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have configured your domain isolation rule to request, rather than require, authentication, you must confirm that the network traffic sent by the devices on the network is being protected by IPsec authentication as expected. If you switch your rules to require authentication before all of the devices have received and applied the correct GPOs, or if there are any errors in your rules, then communications on the network can fail. By first setting the rules to request authentication, any network connections that fail authentication can continue in clear text while you diagnose and troubleshoot. 
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index bf70a3a3b7..b00b59d00e 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell (Windows 10) +title: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell (Windows) description: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell ms.prod: m365-security ms.mktglfcycl: deploy @@ -11,17 +11,18 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.reviewer: ms.author: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Windows Defender Firewall with Advanced Security Administration with Windows PowerShell **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The Windows Defender Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Defender Firewall management. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Defender Firewall management in Windows. 
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md index 9a3954cc03..dfcf6cfc99 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Firewall with Advanced Security deployment overview (Windows 10) +title: Windows Defender Firewall with Advanced Security deployment overview (Windows) description: Use this guide to deploy Windows Defender Firewall with Advanced Security for your enterprise to help protect devices and data that they share across a network. ms.assetid: 56b51b97-1c38-481e-bbda-540f1216ad56 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Windows Defender Firewall with Advanced Security deployment overview **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above You can use the Windows Defender Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network. diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md index e1a438412f..38545a3d40 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md 
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Firewall with Advanced Security design guide (Windows 10) +title: Windows Defender Firewall with Advanced Security design guide (Windows) description: Learn about common goals for using Windows Defender Firewall with Advanced Security to choose or create a design for deploying the firewall in your enterprise. ms.assetid: 5c631389-f232-4b95-9e48-ec02b8677d51 ms.reviewer: @@ -14,15 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 10/05/2017 -ms.technology: mde +ms.date: 09/08/2021 +ms.technology: windows-sec --- # Windows Defender Firewall with Advanced Security design guide **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Windows Defender Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Defender Firewall supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot authenticate cannot communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices. 
@@ -87,7 +88,7 @@ The following table identifies and defines terms used throughout this guide. | Certificate-based isolation | A way to add devices that cannot use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. Every device in the isolated domain and the devices that cannot use Kerberos V5 are provided with a device certificate that can be used to authenticate with each other. Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider).| | Domain isolation | A technique for helping protect the devices in an organization by requiring that the devices authenticate each other's identity before exchanging information, and refusing connection requests from devices that cannot authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see "Isolated domain" in this table.| | Encryption zone | A subset of the devices in an isolated domain that process sensitive data. Devices that are part of the encryption zone have all network traffic encrypted to prevent viewing by non-authorized users. Devices that are part of the encryption zone also typically are subject to the access control restrictions of server isolation.| -| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
                  By default, the firewall rules in Windows Server 2016. Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. | +| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
                  By default, the firewall rules in Windows Server 2016. Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 11, Windows 10, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. | | Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).| | IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.| | Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).
                  In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.|
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
index e3becc881c..989c1be1a1 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
@@ -1,5 +1,5 @@
 ---
-title: Windows Defender Firewall with Advanced Security (Windows 10)
+title: Windows Defender Firewall with Advanced Security (Windows)
 description: Learn overview information about the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
 ms.prod: m365-security
 ms.mktglfcycl: deploy
@@ -12,18 +12,18 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 10/21/2020
+ms.date: 09/08/2021
 ms.reviewer:
 ms.custom: asr
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Windows Defender Firewall with Advanced Security
 **Applies to**
-- Windows 10
-- Windows Server 2016
-- Windows Server 2019
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
 This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md
index 6b859eac3c..d87f9d1dcc 100644
--- a/windows/security/threat-protection/windows-platform-common-criteria.md
+++ b/windows/security/threat-protection/windows-platform-common-criteria.md
@@ -11,7 +11,7 @@ ms.topic: article
 ms.localizationpriority: medium
 ms.date: 3/20/2019
 ms.reviewer:
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Common Criteria Certifications
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
index 40ce6c2dea..31d3aba69a 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
@@ -11,7 +11,7 @@ ms.topic: article
 ms.localizationpriority:
 ms.date:
 ms.reviewer:
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Windows Sandbox architecture
@@ -42,7 +42,7 @@ Because Windows Sandbox runs the same operating system image as the host, it has
 ## Integrated kernel scheduler
-With ordinary virtual machines, the Microsoft hypervisor controls the scheduling of the virtual processors running in the VMs. Windows Sandbox uses new technology called "integrated scheduling," which allows the host scheduler to decide when the sandbox gets CPU cycles.
+With ordinary virtual machines, the Microsoft hypervisor controls the scheduling of the virtual processors running in the VMs. Windows Sandbox uses a new technology called "integrated scheduling," which allows the host scheduler to decide when the sandbox gets CPU cycles.
 ![A chart compares the scheduling in Windows Sandbox versus a traditional VM.](images/4-integrated-kernal.png)
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index 1f1a23bd49..cd5f7a2082 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -11,7 +11,7 @@ ms.topic: article
 ms.localizationpriority: medium
 ms.date:
 ms.reviewer:
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Windows Sandbox configuration
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index 0fec75ee34..2a3f6d6dc3 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -11,7 +11,7 @@ ms.topic: article
 ms.localizationpriority:
 ms.date:
 ms.reviewer:
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Windows Sandbox
diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md
deleted file mode 100644
index 8e719f1364..0000000000
--- a/windows/security/threat-protection/windows-security-baselines.md
+++ /dev/null
@@ -1,83 +0,0 @@ ---- -title: Windows security baselines -description: Learn how to use Windows security baselines in your organization. Specific to Windows 10, Windows Server, and Microsoft 365 Apps for enterprise. -keywords: virtualization, security, malware -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.author: dansimp -author: dulcemontemayor -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 06/25/2018 -ms.reviewer: -ms.technology: mde ---- - -# Windows security baselines - -**Applies to** - -- Windows 10 -- Windows Server -- Microsoft 365 Apps for enterprise -- Microsoft Edge - -## Using security baselines in your organization - -Microsoft is dedicated to providing its customers with secure operating systems, such as Windows 10 and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities. - -Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines. - -We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs. - -Here is a good blog about [Sticking with Well-Known and Proven Solutions](/archive/blogs/fdcc/sticking-with-well-known-and-proven-solutions). - -## What are security baselines? - -Every organization faces security threats. 
However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. - -A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. - -## Why are security baselines needed? - -Security baselines are an essential benefit to customers because they bring together expert knowledge from Microsoft, partners, and customers. - -For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings, only some are security-related. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the security impact of each setting on your own. Then, you would still need to determine the appropriate value for each setting. - -In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to Windows security settings to help mitigate these threats. To enable faster deployments and make managing Windows easier, Microsoft provides customers with security baselines that are available in consumable formats, such as Group Policy Objects Backups. - -## How can you use security baselines? 
- -You can use security baselines to: -- Ensure that user and device configuration settings are compliant with the baseline. -- Set configuration settings. For example, you can use Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. - -## Where can I get the security baselines? - -You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines. - -The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. - -[![Security Compliance Toolkit.](images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) -[![Get Support.](images/get-support.png)](get-support-for-security-baselines.md) - -## Community - -[![Microsoft Security Guidance Blog.](images/community.png)](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines) - -## Related Videos - -You may also be interested in this msdn channel 9 video: -- [Defrag Tools](https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-174-Security-Baseline-Policy-Analyzer-and-LGPO) - -## See Also - -- [Microsoft Endpoint Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) -- [Operations Management Suite](https://www.microsoft.com/cloud-platform/operations-management-suite) -- [Configuration Management for Nano Server](/archive/blogs/grouppolicy/configuration-management-on-servers/) -- [Microsoft Security Guidance 
Blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines) -- [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319) -- [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-security-configuration-framework/TOC.yml b/windows/security/threat-protection/windows-security-configuration-framework/TOC.yml deleted file mode 100644 index f7e0955409..0000000000 --- a/windows/security/threat-protection/windows-security-configuration-framework/TOC.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: Windows security guidance for enterprises - items: - - name: Windows security baselines - href: windows-security-baselines.md - items: - - name: Security Compliance Toolkit - href: security-compliance-toolkit-10.md - - name: Get support - href: get-support-for-security-baselines.md diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md index d86c9170f6..4881edff29 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md @@ -13,7 +13,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/25/2018 ms.reviewer: -ms.technology: mde +ms.technology: windows-sec --- # Get Support diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index dc7c58f214..46cc0e4626 100644 
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -13,7 +13,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 11/26/2018 ms.reviewer: -ms.technology: mde +ms.technology: windows-sec --- # Microsoft Security Compliance Toolkit 1.0 @@ -27,6 +27,8 @@ The SCT enables administrators to effectively manage their enterprise’s Group The Security Compliance Toolkit consists of: +- Windows 11 security baseline + - Windows 10 security baselines - Windows 10 Version 1909 (November 2019 Update) - Windows 10 Version 1903 (April 2019 Update) @@ -48,7 +50,7 @@ The Security Compliance Toolkit consists of: - Office 2016 - Microsoft Edge security baseline - - Edge Browser Version 80 + - Edge Browser Version 93 - Tools - Policy Analyzer tool diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index 170918a4fa..7d1c42a7bb 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md 
@@ -11,22 +11,17 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 06/25/2018
+ms.date:
 ms.reviewer:
-ms.technology: mde
+ms.technology: windows-sec
 ---
 # Windows security baselines
-**Applies to**
-
-- Windows 10
-- Windows Server 2016
-- Office 2016
 ## Using security baselines in your organization
-Microsoft is dedicated to providing its customers with secure operating systems, such as Windows 10 and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities.
+Microsoft is dedicated to providing its customers with secure operating systems, such as Windows and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities.
 Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines.
@@ -56,12 +51,13 @@ You can use security baselines to: ## Where can I get the security baselines? -You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines. +There are several ways to get and use security baselines: -The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. +1. You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines. The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. You can also [Get Support for the security baselines](get-support-for-security-baselines.md) -[![Security Compliance Toolkit.](./../images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) -[![Get Support.](./../images/get-support.png)](get-support-for-security-baselines.md) +2. [MDM (Mobile Device Management) security baselines](/windows/client-management/mdm/#mdm-security-baseline.md) function like the Microsoft group policy-based security baselines and can easily integrate this into an existing MDM management tool. + +3. MDM Security baselines can easily be configures in Microsoft Endpoint Manager on devices that run Windows 10 and 11. 
The following article provides the detail steps: [Windows MDM (Mobile Device Management) baselines](/mem/intune/protect/security-baseline-settings-mdm-all.md). ## Community diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md new file mode 100644 index 0000000000..6792a8df14 --- /dev/null +++ b/windows/security/trusted-boot.md 
@@ -0,0 +1,40 @@
+---
+title: Secure Boot and Trusted Boot
+description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11
+search.appverid: MET150
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+audience: ITPro
+ms.topic: conceptual
+ms.date: 09/21/2021
+ms.prod: m365-security
+ms.technology: windows-sec
+ms.localizationpriority: medium
+ms.collection:
+ms.custom:
+ms.reviewer: jsuther
+f1.keywords: NOCSH
+---
+
+# Secure Boot and Trusted Boot
+
+*This article describes Secure Boot and Trusted Boot, security measures built into Windows 11.*
+
+Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely.
+
+## Secure Boot
+
+The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
+
+As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader’s digital signature to ensure that it is trusted by the Secure Boot policy and hasn’t been tampered with.
+
+## Trusted Boot
+
+Trusted Boot picks up the process that started with Secure Boot. 
The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product’s early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments.
+
+Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally.
+
+## See also
+
+[Secure the Windows boot process](information-protection/secure-the-windows-10-boot-process.md)
\ No newline at end of file
diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md
new file mode 100644
index 0000000000..1462084e1e
--- /dev/null
+++ b/windows/security/zero-trust-windows-device-health.md
@@ -0,0 +1,71 @@
+---
+title: Zero Trust and Windows device health
+description: Describes the process of Windows device health attestation
+ms.reviewer:
+ms.topic: article
+manager: dansimp
+ms.author: dansimp
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: dansimp
+ms.collection: M365-security-compliance
+ms.prod: m365-security
+ms.technology: windows-sec
+---
+
+# Zero Trust and Windows device health
+Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they’re located. Implementing a Zero Trust model for security helps addresses today's complex environments.
+
+The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are:
+
+- **Verify explicitly**. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and monitor anomalies.
+
+- **Use least-privileged access**. Limit user access with just-in-time and just-enough-access, risk-based adaptive policies, and data protection to help secure data and maintain productivity.
+
+- **Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses.
+
+The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows enables **device health attestation** and **conditional access** capabilities, which are used to grant access to corporate resources.
+
+[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they are granted access to corporate resources.
+ +Windows 11 supports device health attestation, helping to confirm that devices are in a good state and have not been tampered with. This capability helps users access corporate resources whether they’re in the office, at home, or when they’re traveling. + +Attestation helps verify the identity and status of essential components and that the device, firmware, and boot process have not been altered. Information about the firmware, boot process, and software, is used to validate the security state of the device. This information is cryptographically stored in the security co-processor Trusted Platform Module (TPM). Once the device is attested, it can be granted access to resources. + +## Device health attestation on Windows + Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. The verification process uses remote attestation as the secure channel to determine and present the device’s health. Remote attestation determines: + +- If the device can be trusted +- If the operating system booted correctly +- If the OS has the right set of security features enabled + +These determinations are made with the help of a secure root of trust using the Trusted Platform Module (TPM). Devices can attest that the TPM is enabled, and that the device has not been tampered with. + +Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and was not tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. 
[Measured and Trusted boot](information-protection/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device. + +A summary of the steps involved in attestation and Zero Trust on the device side are as follows: + +1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event. + +2. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. Both of these together form the attestation evidence that is then sent to the attestation service. + +3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation). + +4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger (MEM) integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with AAD conditional access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device. + +5. 
The attestation service does the following: + + - Verify the integrity of the evidence. This is done by validating the PCRs that match the values recomputed by replaying the TCG log. + - Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM. + - Verify that the security features are in the expected states. + +6. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service. + +7. The device then sends the report to the MEM cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules. + +8. Conditional access, along with device-compliance state then decides to allow or deny access. + +## Other Resources + +Learn more about Microsoft Zero Trust solutions in the [Zero Trust Guidance Center](/security/zero-trust/). diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index a9ae9e12ba..176668f48e 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -3,8 +3,8 @@ - name: Windows 11 expanded: true items: - - name: Windows 11 overview - href: windows-11.md + - name: What's new in Windows 11 + href: windows-11-whats-new.md - name: Windows 11 requirements href: windows-11-requirements.md - name: Plan for Windows 11 @@ -14,6 +14,8 @@ - name: Windows 10 expanded: true items: + - name: What's new in Windows 10, version 21H2 + href: whats-new-windows-10-version-21H2.md - name: What's new in Windows 10, version 21H1 href: whats-new-windows-10-version-21H1.md - name: What's new in Windows 10, version 20H2 diff --git a/windows/whats-new/images/windows-11-whats-new/windows-11-snap-layouts.png b/windows/whats-new/images/windows-11-whats-new/windows-11-snap-layouts.png new file mode 100644 index 0000000000..5ad38f511f Binary files /dev/null and b/windows/whats-new/images/windows-11-whats-new/windows-11-snap-layouts.png differ 
diff --git a/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png b/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png new file mode 100644 index 0000000000..3d018c0bda Binary files /dev/null and b/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png differ diff --git a/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-virtual-desktops.png b/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-virtual-desktops.png new file mode 100644 index 0000000000..3014eebecf Binary files /dev/null and b/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-virtual-desktops.png differ diff --git a/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-widgets.png b/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-widgets.png new file mode 100644 index 0000000000..37f68c5e31 Binary files /dev/null and b/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-widgets.png differ diff --git a/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar.png b/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar.png new file mode 100644 index 0000000000..1f997e62f9 Binary files /dev/null and b/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar.png differ diff --git a/windows/whats-new/images/windows-11-whats-new/windows-terminal-app.png b/windows/whats-new/images/windows-11-whats-new/windows-terminal-app.png new file mode 100644 index 0000000000..6e11e7df54 Binary files /dev/null and b/windows/whats-new/images/windows-11-whats-new/windows-terminal-app.png differ diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index 375f946870..403244cfa4 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml 
@@ -27,8 +27,8 @@ landingContent:
 linkLists:
 - linkListType: overview
 links:
- - text: Windows 11 overview
- url: windows-11.md
+ - text: What's new
+ url: windows-11-whats-new.md
 - text: Windows 11 requirements
 url: windows-11-requirements.md
 - text: Plan for Windows 11
diff --git a/windows/whats-new/ltsc/TOC.yml b/windows/whats-new/ltsc/TOC.yml
index aaabcc56ee..d7d88350ef 100644
--- a/windows/whats-new/ltsc/TOC.yml
+++ b/windows/whats-new/ltsc/TOC.yml
@@ -1,6 +1,8 @@
 - name: Windows 10 Enterprise LTSC
 href: index.md
 items:
+ - name: What's new in Windows 10 Enterprise LTSC 2021
+ href: whats-new-windows-10-2021.md
 - name: What's new in Windows 10 Enterprise LTSC 2019
 href: whats-new-windows-10-2019.md
 - name: What's new in Windows 10 Enterprise LTSC 2016
diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md
index 7e088e312d..79aab127a3 100644
--- a/windows/whats-new/ltsc/index.md
+++ b/windows/whats-new/ltsc/index.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 audience: itpro
 author: greg-lindsay
 ms.author: greglin
-manager: laurawi
+manager: dougeby
 ms.localizationpriority: low
 ms.topic: article
 ---
@@ -22,6 +22,7 @@ ms.topic: article This topic provides links to articles with information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel.
+[What's New in Windows 10 Enterprise LTSC 2021](whats-new-windows-10-2021.md)
                  [What's New in Windows 10 Enterprise LTSC 2019](whats-new-windows-10-2019.md)
                  [What's New in Windows 10 Enterprise LTSC 2016](whats-new-windows-10-2016.md)
                  [What's New in Windows 10 Enterprise LTSC 2015](whats-new-windows-10-2015.md) 
@@ -35,14 +36,15 @@ The following table summarizes equivalent feature update versions of Windows 10 | Windows 10 Enterprise LTSC 2015 | Windows 10, Version 1507 | 7/29/2015 | | Windows 10 Enterprise LTSC 2016 | Windows 10, Version 1607 | 8/2/2016 | | Windows 10 Enterprise LTSC 2019 | Windows 10, Version 1809 | 11/13/2018 | +| Windows 10 Enterprise LTSC 2021 | Windows 10, Version 21H2 | 11/16/2021 | ->[!NOTE] ->The Long-Term Servicing Channel was previously called the Long-Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. +> [!NOTE] +> The Long-Term Servicing Channel was previously called the Long-Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft is committed to providing bug fixes and security patches for each LTSC release during this 10 year period. ->[!IMPORTANT] ->The Long-Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. 
These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). +> [!IMPORTANT] +> The Long-Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview). diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 256dad7a3a..20366cd3bd 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md 
@@ -36,11 +36,11 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use ## Microsoft Intune -Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching. +Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching. ## Security -This version of Window 10 includes security improvements for threat protection, information protection, and identity protection. +This version of Windows 10 includes security improvements for threat protection, information protection, and identity protection. ### Threat protection @@ -48,7 +48,7 @@ This version of Window 10 includes security improvements for threat protection, The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) platform includes the security pillars shown in the following diagram. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. -![Microsoft Defender for Endpoint.](../images/wdatp.png) +[ ![Microsoft Defender for Endpoint.](../images/wdatp.png) ](../images/wdatp.png#lightbox) ##### Attack surface reduction 
@@ -188,26 +188,6 @@ This is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocke This feature will soon be enabled on Olympia Corp as an optional feature. -#### Delivering BitLocker policy to AutoPilot devices during OOBE - -You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. - -For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. - -To achieve this: - -1. Configure the [encryption method settings](/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. - -2. [Assign the policy](/intune/device-profile-assign) to your Autopilot device group. - - > [!IMPORTANT] - > The encryption policy must be assigned to **devices** in the group, not users. - -3. Enable the Autopilot [Enrollment Status Page](/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. - - > [!IMPORTANT] - > If the ESP is not enabled, the policy will not apply before encryption starts. - ### Identity protection Improvements have been added are to Windows Hello for Business and Credential Guard. 
@@ -288,24 +268,11 @@ A new security policy setting We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: -![S mode settings.](../images/virus-and-threat-protection.png "Virus & threat protection settings") +> [!div class="mx-imgBorder"] +> ![Virus & threat protection settings in Windows S mode.](../images/virus-and-threat-protection.png) ## Deployment -### Windows Autopilot - -[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise LTSC 2019 (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. - -Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) or this article for updated information. - -Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. - -You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. 
For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](/microsoft-store/add-profile-to-devices). - -#### Autopilot Reset - -IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](/education/windows/autopilot-reset). - ### MBR2GPT.EXE MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise LTSC 2019 (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md new file mode 100644 index 0000000000..6364bc3fd1 --- /dev/null +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
@@ -0,0 +1,248 @@ +--- +title: What's new in Windows 10 Enterprise LTSC 2021 +ms.reviewer: +manager: dougeby +ms.author: greglin +description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2021. +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2021"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.localizationpriority: low +ms.topic: article +--- + +# What's new in Windows 10 Enterprise LTSC 2021 + +**Applies to** +- Windows 10 Enterprise LTSC 2021 + +This article lists new and updated features and content that is of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). + +> [!NOTE] +> Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2.
                  +> The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited. + +Windows 10 Enterprise LTSC 2021 builds on Windows 10 Enterprise LTSC 2019, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities. + +The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, 21H1, and 21H2. Details about these enhancements are provided below. + +## Lifecycle + +> [!IMPORTANT] +> Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle ([IoT](/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2) continues to have a [10 year lifecycle](/windows/iot/product-family/product-lifecycle?tabs=2021)). Thus, the LTSC 2021 release is not a direct replacement for LTSC 2019, which has a 10 year lifecycle. + +For more information about the lifecycle for this release, see [The next Windows 10 Long Term Servicing Channel (LTSC) release](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-next-windows-10-long-term-servicing-channel-ltsc-release/ba-p/2147232). + +## Hardware security + +### System Guard + +[System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) has improved a feature in this version of Windows called **SMM Firmware Protection**. 
This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to reduce the firmware attack surface and ensure that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, SMM code cannot access the OS memory and secrets. + +In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to other resources like registers and IO. + +With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. Based on the platform, the underlying hardware and firmware, there are three versions of SMM Firmware Protection (one, two and three), with each subsequent versions offering stronger protections than the preceding ones. + +There are already devices in the market today that offer SMM Firmware Protection versions one and two. SMM Firmware Protection version three This feature is currently forward-looking and requires new hardware that will be made available soon. 
+ +## Operating system security + +### System security + +[Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations. + +### Encryption and data protection + +BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM-managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive. + +### Network security + +#### Windows Defender Firewall + +Windows Defender Firewall now offers the following benefits: + +**Reduce risk**: Windows Defender Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties, such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack. + +**Safeguard data**: With integrated Internet Protocol Security (IPsec), Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. + +**Extend value**: Windows Defender Firewall is a host-based firewall that is included with the operating system, so there is no additional hardware or software required. 
Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). + +The Windows Defender Firewall is also now easier to analyze and debug. IPsec behavior has been integrated with Packet Monitor (pktmon), an in-box cross-component network diagnostic tool for Windows. + +Additionally, the Windows Defender Firewall event logs have been enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on other tools. + +Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)](/windows/wsl/); You can add rules for WSL process, just like for Windows processes. For more information, see [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97). + +### Virus and threat protection + +[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses. +[Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. + - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform. + - [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers. 
+[Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities. + +**Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware. + +**Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected. + +**Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place. + +**Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies. + +**Improved support for non-ASCII file paths** for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR). + +> [!NOTE] +> The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release. + +## Application security + +### App isolation + +[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device. 
+ +#### Microsoft Defender Application Guard + +[Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements include: + - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. + - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the Application Guard Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. + + To try this extension: + 1. Configure Application Guard policies on your device. + 2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension. + 3. Follow any additional configuration steps on the extension setup page. + 4. Reboot the device. + 5. Navigate to an untrusted site in Chrome and Firefox. + + **Dynamic navigation**: Application Guard now allows users to navigate back to their default host browser from the Application Guard Microsoft Edge. Previously, users browsing in Application Guard Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in Application Guard Edge. 
This feature is also available in Windows 10, version 1803 or later with the latest updates. + +Application Guard performance is improved with optimized document opening times: +- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (Application Guard) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link. +- A memory issue is fixed that could cause an Application Guard container to use almost 1 GB of working set memory when the container is idle. +- The performance of Robocopy is improved when copying files over 400 MB in size. + +[Edge support for Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020. + +**Application Guard now supports Office**: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device. + +### Application Control + +[Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC added a number of new features that light up key scenarios and provide feature parity with AppLocker. + - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side by side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy. 
+ - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
                  + This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker. + - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. + +## Identity and privacy + +### Secured identity + +Windows Hello enhancements include: +- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox. +- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN. +- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995). +- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). 
FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894). +- With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user's biometric authentication data. +- Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present. +- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD. +- [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web. +- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. 
+ +### Credential protection + +#### Windows Defender Credential Guard + +[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X. + +### Privacy controls + +[Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone. + +## Cloud Services + +### Microsoft Endpoint Manager + +Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797). + +### Configuration Manager + +An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364). + +#### Microsoft Intune + +Microsoft Intune supports Windows 10 Enterprise LTSC 2021, except for [Windows Update Rings](/mem/intune/configuration/device-profile-create#create-the-profile) in device profiles. + +A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. 
For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action). + +Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group). + +For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). + +### Mobile Device Management + +Mobile Device Management (MDM) policy is extended with new [Local Users and Groups settings](/windows/client-management/mdm/policy-csp-localusersandgroups) that match the options available for devices managed through Group Policy. + +For more information about what's new in MDM, see [What's new in mobile device enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management) + +Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a performance improvement to support remote work scenarios: +- An issue is fixed that caused changes by an Active Directory (AD) administrator to user or computer group memberships to propagate slowly. Although the access token eventually updates, these changes might not appear when the administrator uses gpresult /r or gpresult /h to create a report. + +#### Key-rolling and Key-rotation + +This release also includes two new features called Key-rolling and Key-rotation enables secure rolling of Recovery passwords on MDM-managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users. 
+ +## Deployment + +### SetupDiag + +[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. + +### Reserved storage + +[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10. + +### Windows Assessment and Deployment Toolkit (ADK) + +A new [Windows ADK](/windows-hardware/get-started/adk-install) is available for Windows 11 that also supports Windows 10, version 21H2. + +### Microsoft Deployment Toolkit (MDT) + +For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes). + +### Windows Setup + +Windows Setup [answer files](/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have improved language handling. 
+ +Improvements in Windows Setup with this release also include: +- Reduced offline time during feature updates +- Improved controls for reserved storage +- Improved controls and diagnostics +- New recovery options + +For more information, see Windows Setup enhancements in the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/pilot-new-features-with-the-windows-insider-program-for-business/ba-p/1220464). + +## Microsoft Edge + +Microsoft Edge Browser support is now included in-box. + +### Microsoft Edge kiosk mode + +Microsoft Edge kiosk mode is available for LTSC releases starting in Windows 10 Enterprise 2021 LTSC and [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2). + +Microsoft Edge kiosk mode offers two lockdown experiences of the browser so organizations can create, manage, and provide the best experience for their customers. The following lockdown experiences are available: +- Digital/Interactive Signage experience - Displays a specific site in full-screen mode. +- Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge. +- Both experiences are running a Microsoft Edge InPrivate session, which protects user data. + +## Windows Subsystem for Linux + +Windows Subsystem for Linux (WSL) is be available in-box. + +## Networking + +WPA3 H2E standards are supported for enhanced Wi-Fi security. + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 48bf6b509b..2cc76a97e8 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md 
@@ -273,32 +273,6 @@ Learn about the new Group Policies that were added in Windows 10, version 1703. - [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250) -## Windows 10 Mobile enhancements - -### Lockdown Designer - -The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](/windows/configuration/mobile-devices/lockdown-xml). - -![Lockdown Designer app in Store.](images/ldstore.png) - -[Learn more about the Lockdown Designer app.](/windows/configuration/mobile-devices/mobile-lockdown-designer) - -### Other enhancements - -Windows 10 Mobile, version 1703 also includes the following enhancements: - -- SD card encryption -- Remote PIN resets for Azure Active Directory accounts -- SMS text message archiving -- WiFi Direct management -- OTC update tool -- Continuum display management - - Individually turn off the monitor or phone screen when not in use - - individually adjust screen time-out settings -- Continuum docking solutions - - Set Ethernet port properties - - Set proxy properties for the Ethernet port - ## Miracast on existing wireless network or LAN In the Windows 10, version 1703, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](/openspecs/windows_protocols/ms-mice/9598ca72-d937-466c-95f6-70401bb10bdb). diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index 80fd32b4a9..51abfb8e57 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md 
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -93,7 +93,7 @@ Microsoft Defender for Endpoint has been expanded with powerful analytics, secur Windows Defender Application Guard hardens a favorite attacker entry-point by isolating malware and other threats away from your data, apps, and infrastructure. For more information, see [Windows Defender Application Guard overview](/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview). -### Window Defender Exploit Guard +### Windows Defender Exploit Guard Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](/microsoft-365/security/defender-endpoint/enable-exploit-protection), [Attack surface reduction protection](/microsoft-365/security/defender-endpoint/evaluate-attack-surface-reduction), [Controlled folder access](/microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access), and [Network protection](/microsoft-365/security/defender-endpoint/enable-network-protection). diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index 6410248ff6..a00511c390 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay -manager: laurawi +manager: dougeby ms.author: greglin ms.localizationpriority: high ms.topic: article 
@@ -247,7 +247,7 @@ Do you have shared devices deployed in your work place? **Fast sign-in** enables >[!IMPORTANT] >This is a private preview feature and therefore not meant or recommended for production purposes. -Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing **web sign-in**, a new way of signing into your Windows PC. Web sign-in enables Windows logon support for credentials not available on Windows (for example, Azure AD temporary access pass). Going forward, web sign-in will be restricted to only support Azure AD temporary access pass. +Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing **web sign-in**, a new way of signing into your Windows PC. Web sign-in enables Windows logon support for credentials not available on Windows. Web sign-in is restricted to only support Azure AD temporary access pass. **To try out web sign-in:** 1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index 74eb1725e2..e3e4fd0740 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md 
@@ -35,21 +35,13 @@ This article lists new and updated features and content that are of interest to - Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. - Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. -### Windows 10 Subscription Activation - -Windows 10 Education support has been added to Windows 10 Subscription Activation. - -With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-subscription-activation). - ### SetupDiag -[SetupDiag](/windows/deployment/upgrade/setupdiag) version 1.4.1 is available. - -SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. +[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. 
### Reserved storage -[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10. +[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 or later pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10. ## Servicing 
@@ -102,7 +94,7 @@ The draft release of the [security configuration baseline settings](/archive/blo - [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. - - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. + - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. To try this extension: 1. Configure WDAG policies on your device. diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md new file mode 100644 index 0000000000..af508674f5 
--- /dev/null
+++ b/windows/whats-new/whats-new-windows-10-version-21H2.md
@@ -0,0 +1,78 @@
+---
+title: What's new in Windows 10, version 21H2 for IT pros
+description: Learn more about what's new in Windows 10 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
+ms.reviewer:
+manager: dougeby
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+ms.author: mandia
+author: MandiOhlinger
+ms.localizationpriority: medium
+ms.topic: article
+---
+
+# What's new in Windows 10, version 21H2
+
+**Applies to**:
+
+- Windows 10, version 21H2
+
+Windows 10, version 21H2 is the next feature update. This article lists the new and updated features IT Pros should know. Windows 10, version 21H2 is also known as the Windows 10 November 2021 Update. It includes all features and fixes in previous cumulative updates to Windows 10, version 21H1.
+
+Windows 10, version 21H2 is an [H2-targeted release](/lifecycle/faq/windows#what-is-the-servicing-timeline-for-a-version--feature-update--of-windows-10-), and has the following servicing schedule:
+
+- **Windows 10 Professional**: Serviced for 18 months from the release date.
+- **Windows 10 Enterprise**: Serviced for 30 months from the release date.
+
+Windows 10, version 21H2 is available through Windows Server Update Services (including Configuration Manager), Windows Update for Business, and the Volume Licensing Service Center (VLSC). For more information, see [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/2021/11/16/how-to-get-the-windows-10-november-2021-update/) and [IT tools to support Windows 10, version 21H2 blog](https://aka.ms/tools-for-21h2).
+
+Devices running Windows 10, versions 2004, 20H2, and 21H1 can update quickly to version 21H2 using an enablement package. For more information, see [Feature Update through Windows 10, version 21H2 Enablement Package](https://support.microsoft.com/help/5003791).
+
+To learn more about the status of the November 2021 Update rollout, known issues, and new information, see [Windows release health](/windows/release-health/).
+
+## Updates and servicing
+
+Windows 10, version 21H2 feature updates are installed annually using the General Availability Channel. Previous feature updates were installed using the Semi-Annual Channel. For more information on this change, see the [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/?p=176473).
+
+Quality updates are still installed monthly on patch Tuesday.
+
+For more information, see:
+
+- [Feature and quality update definitions](/windows/deployment/update/waas-quick-start#definitions)
+- [Windows servicing channels](/windows/deployment/update/waas-overview#servicing-channels)
+
+## GPU compute support for the Windows Subsystem for Linux
+
+Starting with Windows 10 version 21H2, the Windows Subsystem for Linux has full graphics processing unit (GPU) compute support. It was available to Windows Insiders, and is now available to everyone. The Linux binaries can use your Windows GPU, and run different workloads, including artificial intelligence (AI) and machine learning (ML) development workflows.
+
+For more information, and what GPU compute support means for you, see the [GPU accelerated ML training inside the Windows Subsystem for Linux blog post](https://blogs.windows.com/windowsdeveloper/2020/06/17/gpu-accelerated-ml-training-inside-the-windows-subsystem-for-linux/).
+
+## Get the latest CSPs
+
+The [KB5005101 September 1, 2021 update](https://support.microsoft.com/topic/september-1-2021-kb5005101-os-builds-19041-1202-19042-1202-and-19043-1202-preview-82a50f27-a56f-4212-96ce-1554e8058dc1) includes about 1400 CSPs that were made available to MDM providers.
+
+These CSPs are built in to Windows 10, version 21H2. These settings are available in Endpoint Manager in the [Settings Catalog](/mem/intune/configuration/settings-catalog). [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) also includes these GPOs in its analysis.
+
+For more information on the CSPs, see the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference).
+
+## Apps appear local with Azure Virtual Desktop
+
+Azure virtual desktop is a Windows client OS hosted in the cloud, and runs virtual apps. You use the cloud to deliver virtual apps in real time, and as-needed. Users use the apps as if they're installed locally.
+
+You can create Azure virtual desktops that run Windows 10 version 21H2.
+
+For more information, see:
+
+- [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview)
+- [What's new in Azure Virtual Desktop?](/azure/virtual-desktop/whats-new)
+- [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal)
+
+## Wi-Fi 6E support
+
+Also known as 802.11ax, Wi-Fi 6E support is built in to Windows 10, version 21H2. Wi-Fi 6E has new channel frequencies that are dedicated to 6E devices, and is more performant for apps that use more bandwidth.
+
+## Related articles
+
+- [Release notes for Microsoft Edge Stable Channel](/deployedge/microsoft-edge-relnote-stable-channel)
diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md
index 2aebecdb11..7841ae8015 100644
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@@ -7,7 +7,6 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 author: greg-lindsay
 ms.author: greglin
-ms.date: 08/18/2021
 ms.reviewer:
 manager: laurawi
 ms.localizationpriority: high
@@ -39,7 +38,7 @@ If you are looking for ways to optimize your approach to deploying Windows 11, o As a first step, you will need to know which of your current devices meet the Windows 11 hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows 11. Verify that your device meets or exceeds [Windows 11 requirements](windows-11-requirements.md) to ensure it is compatible. -Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the [PC Health Check](https://www.microsoft.com/windows/windows-11#pchealthcheck) app to determine their eligibility for Windows 11. End-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  +Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the [PC Health Check](https://www.microsoft.com/windows/windows-11#pchealthcheck) app to determine their eligibility for Windows 11. Users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows 11 is generally available. Microsoft is also working with software publishing partners to facilitate adding Windows 11 device support into their solutions. 
@@ -57,8 +56,7 @@ If you manage devices on behalf of your organization, you will be able to upgrad - Additional insight into safeguard holds. While safeguard holds will function for Windows 11 devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows 11. > [!NOTE] -> If you use Windows Update for Business to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows 11. Deferrals are great for quality updates or to move to newer version of the same product (from example, from Windows 10, version 20H2 to 21H1), but they cannot migrate a device between products (from Windows 10 to Windows 11).
                  -> Also, Windows 11 has a new End User License Agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new End User License Agreement on behalf of the end-users within your organization. +> Also, Windows 11 has new Microsoft Software License Terms. If you are deploying with Windows Update for Business or Windows Server Update Services, you are accepting these new license terms on behalf of the users in your organization. ##### Unmanaged devices @@ -85,7 +83,7 @@ The introduction of Windows 11 is also a good time to review your hardware refre ## Servicing and support -Along with end-user experience and security improvements, Windows 11 introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. +Along with user experience and security improvements, Windows 11 introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. **Quality updates**: Windows 11 and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index b301ed3de2..401e92c65f 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.author: greglin -ms.date: 09/03/2021 ms.reviewer: manager: laurawi ms.localizationpriority: high 
@@ -36,25 +35,30 @@ The tools that you use for core workloads during Windows 10 deployments can stil - If you use [Windows Server Update Service (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you will need to sync the new **Windows 11** product category. After you sync the product category, you will see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] - > During deployment, you will be prompted to agree to the End User License Agreement on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture. + > During deployment, you will be prompted to agree to the Microsoft Software License Terms on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture. - If you use [Microsoft Endpoint Configuration Manager](/mem/configmgr/), you can sync the new **Windows 11** product category and begin upgrading eligible devices. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] - > Configuration Manager will prompt you to accept the End User License Agreement on behalf of the users in your organization. + > Configuration Manager will prompt you to accept the Microsoft Software License Terms on behalf of the users in your organization. #### Cloud-based solutions -- If you use Windows Update for Business policies, you will need to use the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows 11. Feature update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1, but do not enable you to move between products (Windows 10 to Windows 11). 
+- If you use Windows Update for Business policies, you will need to use the **Target Version** capability (either through policy or the Windows Update for Business deployment service) rather than using feature update deferrals alone to upgrade from Windows 10 to Windows 11. Feature update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but won't automatically devices move between products (Windows 10 to Windows 11). + - If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use the [feature update deployments](/mem/intune/protect/windows-10-feature-updates) page to select **Windows 11, version 21H2** and upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11 on the **Update Rings** page in Intune. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. - In Group Policy, **Select target Feature Update version** has two entry fields after taking the 9/1/2021 optional update ([KB5005101](https://support.microsoft.com/topic/september-1-2021-kb5005101-os-builds-19041-1202-19042-1202-and-19043-1202-preview-82a50f27-a56f-4212-96ce-1554e8058dc1)) or a later update: **Product Version** and **Target Version**. + - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product. - For example, if a device is running Windows 10, version 2004 and only the target version is configured to 21H1, this device will be offered version Windows 10, version 21H1, even if multiple products have a 21H1 version. 
- Quality update deferrals will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use feature update deployments to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [feature update deployments](/mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. + + > [!NOTE] + > Endpoints managed by Windows Update for Business will not automatically upgrade to Windows 11 unless an administrator explicitly configures a **Target Version** using the [TargetReleaseVersion](/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion) setting using a Windows CSP, a [feature update profile](/mem/intune/protect/windows-10-feature-updates) in Intune, or the [Select target Feature Update version setting](/windows/deployment/update/waas-wufb-group-policy#i-want-to-stay-on-a-specific-version) in a group policy. ## Cloud-based management -If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. 
In addition to consolidating device management and endpoint security into a single platform, Microsoft Endpoint Manager can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end-user privacy. +If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, Microsoft Endpoint Manager can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting user privacy. The following are some common use cases and the corresponding Microsoft Endpoint Manager capabilities that support them: 
@@ -113,9 +117,9 @@ At a high level, the tasks involved are: 6. Test and support the pilot devices. 7. Determine broad deployment readiness based on the results of the pilot. -## End-user readiness +## User readiness -Do not overlook the importance of end-user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11: +Do not overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11: - Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they will see the changes. - Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. - Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices. diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index d9aa505720..da34c4fa6e 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -2,7 +2,7 @@ title: Windows 11 requirements description: Hardware requirements to deploy Windows 11 ms.reviewer: -manager: laurawi +manager: dougeby ms.audience: itpro author: greg-lindsay ms.author: greglin 
@@ -21,7 +21,7 @@ ms.custom: seo-marvel-apr2020 - Windows 11 -This article lists the system requirements for Windows 11. Windows 11 is also supported on a virtual machine (VM). +This article lists the system requirements for Windows 11. Windows 11 is also [supported on a virtual machine (VM)](#virtual-machine-support). ## Hardware requirements @@ -46,7 +46,7 @@ For information about tools to evaluate readiness, see [Determine eligibility](w ## Operating system requirements -For the best Windows 11 upgrade experience, eligible devices should be running Windows 10, version 20H1 or later. +For the best Windows 11 upgrade experience, eligible devices should be running Windows 10, version 2004 or later. > [!NOTE] > S mode is only supported on the Home edition of Windows 11. 
@@ -80,6 +80,22 @@ Some features in Windows 11 have requirements beyond those listed above. See the - **Windows Projection**: requires a display adapter that supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct. - **Xbox app**: requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription. +## Virtual machine support + +The following configuration requirements apply to VMs running Windows 11. + +- Generation: 2 \* +- Storage: 64 GB or greater +- Security: Secure Boot capable, virtual TPM enabled +- Memory: 4 GB or greater +- Processor: 2 or more virtual processors + +The VM host CPU must also meet Windows 11 [processor requirements](/windows-hardware/design/minimum/windows-processor-requirements). + +\* In-place upgrade of existing generation 1 VMs to Windows 11 is not possible. + +> [!NOTE] +> Procedures to configure required VM settings depend on the VM host type. For VM hosts running Hyper-V, virtualization (VT-x, VT-d) must be enabled in BIOS. Virtual TPM 2.0 is emulated in the guest VM independent of the Hyper-V host TPM presence or version. ## Next steps @@ -89,5 +105,5 @@ Some features in Windows 11 have requirements beyond those listed above. See the ## See also [Windows minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
-[Windows 11 overview](windows-11.md)
+[What's new in Windows 11 overview](windows-11-whats-new.md)
diff --git a/windows/whats-new/windows-11-whats-new.md b/windows/whats-new/windows-11-whats-new.md
new file mode 100644
index 0000000000..af406cd7e7
--- /dev/null
+++ b/windows/whats-new/windows-11-whats-new.md
@@ -0,0 +1,219 @@
+---
+title: Windows 11, what's new and overview for administrators
+description: Learn more about what's new in Windows 11. Read about see the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs.
+ms.reviewer:
+manager: dougeby
+ms.audience: itpro
+author: MandiOhlinger
+ms.author: mandia
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.localizationpriority: medium
+audience: itpro
+ms.topic: article
+ms.custom:
+---
+
+# What's new in Windows 11
+
+**Applies to**:
+
+- Windows 11
+
+Windows 11 is the next client operating system, and includes features that organizations should know. Windows 11 is built on the same foundation as Windows 10. If you use Windows 10, then Windows 11 is a natural transition and update to what you know, and what you're familiar with.
+
+It offers innovations focused on enhancing end-user productivity, and is designed to support today's hybrid work environment.
+
+Your investments in update and device management are carried forward. For example, many of the same apps and tools can be used in Windows 11. Many of the same security settings and policies can be applied to Windows 11 devices, including PCs. You can use Windows Autopilot with a zero touch deployment to enroll your Windows devices in Microsoft Endpoint Manager. You can also use newer features, such as Azure Virtual Desktop and Windows 365 on your Windows 11 devices.
+
+This article lists what's new, and some of the features & improvements. For more information on what's new for OEMs, see [What's new in manufacturing, customization, and design](/windows-hardware/get-started/what-s-new-in-windows).
+
+## Security and scanning
+
+The security and privacy features in Windows 11 are similar to Windows 10. Security for your devices starts with the hardware, and includes OS security, application security, and user & identity security. There are features available in the Windows OS to help in these areas. This section describes some of these features. For a more comprehensive view, including zero trust, see [Windows security](/windows/security/).
+
+- The **Windows Security** app is built into the OS. This app is an easy-to-use interface, and combines commonly used security features. For example, your get access to virus & threat protection, firewall & network protection, account protection, and more.
+
+ For more information, see [the Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center).
+
+- **Security baselines** includes security settings that already configured, and ready to be deployed to your devices. If you don't know where to start, or it's too time consuming to go through all the settings, then you should look at Security Baselines.
+
+ For more information, see [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines).
+
+- **Microsoft Defender Antivirus** is built into Windows, and helps protect devices using next-generation security. When used with Microsoft Defender for Endpoint, your organization gets strong endpoint protection, and advanced endpoint protection & response. If your devices are managed with Endpoint Manager, you can create policies based on threat levels found in Microsoft Defender for Endpoint.
+
+ For more information, see:
+
+ - [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)
+ - [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)
+ - [Enforce compliance for Microsoft Defender for Endpoint](/mem/intune/protect/advanced-threat-protection)
+
+- The Application Security features help prevent unwanted or malicious code from running, isolate untrusted websites & untrusted Office files, protect against phishing or malware websites, and more.
+
+ For more information, see [Windows application security](/windows/security/apps).
+
+- **Windows Hello for Business** helps protect users and identities. It replaces passwords, and uses a PIN or biometric that stays locally on the device. Device manufacturers are including more secure hardware features, such as IR cameras and TPM chips. These features are used with Windows Hello for Business to help protect user identities on your organization devices.
+
+ As an admin, going passwordless help secures user identities. The Windows OS, Azure AD, and Endpoint Manager work together to remove passwords, create more secure policies, and help enforce compliance.
+
+ For more information, see:
+
+ - [Windows Hello for Business Overview](/windows/security/identity-protection/hello-for-business/hello-overview)
+ - [Trusted Platform Module Technology Overview](/windows/security/information-protection/tpm/trusted-platform-module-overview)
+ - [Integrate Windows Hello for Business with Endpoint Manager](/mem/intune/protect/windows-hello)
+
+For more information on the security features you can configure, manage, and enforce using Endpoint Manager, see [Protect data and devices with Microsoft Endpoint Manager](/mem/intune/protect/device-protect).
+
+## Easier access to new services, and services you already use
+
+- **Windows 365** is a desktop operating system that's also a cloud service. From another internet-connected device, including Android and macOS devices, you can run Windows 365, just like a virtual machine.
+
+ For more information, see [What is Windows 365 Enterprise?](/windows-365/overview).
+
+- **Microsoft Teams** is included with the OS, and is automatically available on the taskbar. Users select the chat icon, sign in with their personal Microsoft account, and start a call:
+
+ :::image type="content" source="./images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png" alt-text="On the Windows 11 taskbar, select the camera chat icon to start a Microsoft Teams call.":::
+
+ This version of Microsoft Teams is for personal accounts. For organization accounts, such as `user@contoso.com`, you can deploy the Microsoft Teams app using MDM policy, such as Endpoint Manager. For more information, see:
+
+ - [Get started with Microsoft Endpoint Manager](/mem/endpoint-manager-getting-started)
+ - [Add Microsoft 365 apps to Windows 10 devices with Microsoft Intune](/mem/intune/apps/apps-add-office365)
+ - [Install Microsoft Teams using Microsoft Endpoint Configuration Manager](/microsoftteams/msi-deployment)
+
+ Users can manage preinstalled apps using the **Settings** app > **Apps** > **Apps & Features**. Admins can [create a policy that pins apps, or removes the default pinned apps from the Taskbar](/windows/configuration/customize-taskbar-windows-11).
+
+- **Power Automate for desktop** is included with the OS. Your users can create flows with this low-code app to help them with everyday tasks. For example, users can create flows that save a message to OneNote, notify a team when there's a new Forms response, get notified when a file is added to SharePoint, and more.
+
+ For more information, see [Getting started with Power Automate in Windows 11](/power-automate/desktop-flows/getting-started-windows-11).
+
+ Users can manage preinstalled apps using the **Settings** app > **Apps** > **Apps & Features**.
+
+## Customize the desktop experience
+
+- **Snap Layouts, Snap Groups**: When you open an app, hover your mouse over the minimize/maximize option. When you do, you can select a different layout for the app:
+
+ :::image type="content" source="./images/windows-11-whats-new/windows-11-snap-layouts.png" alt-text="In Windows 11, use the minimize or maximize button on an app to see the available snap layouts.":::
+
+ This feature allows users to customize the sizes of apps on their desktop. And, when you add other apps to the layout, the snapped layout stays in place.
+
+ When you add your apps in a Snap Layout, that layout is saved in a Snap Group. In the taskbar, when you hover over an app in an existing snap layout, it shows all the apps in that layout. This feature is the Snap Group. You can select the group, and the apps are opened in the same layout. As you add more Snap Groups, you can switch between them just by selecting the Snap Group.
+
+ Users can manage some snap features using the **Settings** app > **System** > **Multitasking**. For more information on the end-user experience, see [Snap your windows](https://support.microsoft.com/windows/snap-your-windows-885a9b1e-a983-a3b1-16cd-c531795e6241).
+
+ You can also add Snap Layouts to apps your organization creates. For more information, see [Support snap layouts for desktop apps on Windows 11](/windows/apps/desktop/modernize/apply-snap-layout-menu).
+
+- **Start menu**: The Start menu includes some apps that are pinned by default. You can customize the Start menu layout by pinning (and unpinning) the apps you want. For example, you can pin commonly used apps in your organization, such as Outlook, Microsoft Teams, apps your organization creates, and more.
+
+ Using policy, you can deploy your customized Start menu layout to devices in your organization. For more information, see [Customize the Start menu layout on Windows 11](/windows/configuration/customize-start-menu-layout-windows-11).
+
+ Users can manage some Start menu features using the **Settings** app > **Personalization**. For more information on the end-user experience, see [See what's on the Start menu](https://support.microsoft.com/windows/see-what-s-on-the-start-menu-a8ccb400-ad49-962b-d2b1-93f453785a13).
+
+- **Taskbar**: You can also pin (and unpin) apps on the Taskbar. For example, you can pin commonly used apps in your organization, such as Outlook, Microsoft Teams, apps your organization creates, and more.
+
+ Using policy, you can deploy your customized Taskbar to devices in your organization. For more information, see [Customize the Taskbar on Windows 11](/windows/configuration/customize-taskbar-windows-11).
+
+ Users can manage some Taskbar features using the **Settings** app > **Personalization**. For more information on the end-user experience, see:
+
+ - [Customize the taskbar notification area](https://support.microsoft.com/windows/customize-the-taskbar-notification-area-e159e8d2-9ac5-b2bd-61c5-bb63c1d437c3)
+ - [Pin apps and folders to the desktop or taskbar](https://support.microsoft.com/windows/pin-apps-and-folders-to-the-desktop-or-taskbar-f3c749fb-e298-4cf1-adda-7fd635df6bb0)
+
+- **Widgets**: Widgets are available on the Taskbar. It includes a personalized feed that could be weather, calendar, stock prices, news, and more:
+
+ :::image type="content" source="./images/windows-11-whats-new/windows-11-taskbar-widgets.png" alt-text="On the Windows 11 taskbar, select the widgets icon to open and see the available widgets.":::
+
+ You can enable/disable this feature using the `Computer Configuration\Administrative Templates\Windows Components\widgets` Group Policy. You can also deploy a customized Taskbar to devices in your organization. For more information, see [Customize the Taskbar on Windows 11](/windows/configuration/customize-taskbar-windows-11).
+
+ For information on the end-user experience, see [Stay up to date with widgets](https://support.microsoft.com/windows/stay-up-to-date-with-widgets-7ba79aaa-dac6-4687-b460-ad16a06be6e4).
+
+- **Virtual desktops**: On the Taskbar, you can select the Desktops icon to create a new desktop:
+
+ :::image type="content" source="./images/windows-11-whats-new/windows-11-taskbar-virtual-desktops.png" alt-text="On the Windows 11 taskbar, select the desktop icon to create many virtual desktops.":::
+
+ Use the desktop to open different apps depending on what you're doing. For example, you can create a Travel desktop that includes web sites and apps that are focused on travel.
+
+ Using policy, you can deploy a customized Taskbar to devices in your organization. For more information, see [Customize the Taskbar on Windows 11](/windows/configuration/customize-taskbar-windows-11).
+
+ Users can manage some desktop features using **Settings** app > **System** > **Multitasking**. For more information on the end-user experience, see [Multiple desktops in Windows](https://support.microsoft.com/windows/multiple-desktops-in-windows-11-36f52e38-5b4a-557b-2ff9-e1a60c976434).
+
+## Use your same apps, and new apps, improved
+
+- Starting with Windows 11, users in the [Windows Insider program](https://insider.windows.com/) can download and install **Android™️ apps** from the Microsoft Store. This feature is called the **Windows Subsystem for Android**, and allows users to use Android apps on their Windows devices, similar to other apps installed from the Microsoft Store.
+
+ Users open the Microsoft Store, install the **Amazon Appstore** app, and sign in with their Amazon account. When they sign in, they can search, download, and install Android apps.
+
+ For more information, see:
+
+ - [Windows Subsystem for Android](https://support.microsoft.com/windows/abed2335-81bf-490a-92e5-fe01b66e5c48)
+ - [Windows Subsystem for Android developer information](/windows/android/wsa)
+
+- Your Windows 10 apps will also work on Windows 11. **[App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure)** is also available if there are some issues.
+
+ You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. You can create **Azure virtual desktops** that run Windows 11. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/apps-in-windows-10).
+
+ In the **Settings** app > **Apps**, users can manage some of the app settings. For example, they can get apps anywhere, but let the user know if there's a comparable app in the Microsoft Store. They can also choose which apps start when they sign in.
+
+ Using an MDM provider, like Endpoint Manager, you can create policies that also manage some app settings. For a list of settings, see [App Store in Endpoint Manager](/mem/intune/configuration/device-restrictions-windows-10#app-store).
+
+- If you manage devices using Endpoint Manager, then you might be familiar with the **Company Portal app**. Starting with Windows 11, the Company Portal is your private app repository for your organization apps. For more information, see [Private app repository in Windows 11](/windows/application-management/private-app-repository-mdm-company-portal-windows-11).
+
+ For public and retail apps, continue using the Microsoft Store.
+
+- **Windows Terminal app**: This app is included with the OS. On previous Windows versions, it's a separate download in the Microsoft Store. For more information, see [What is Windows Terminal?](/windows/terminal/).
+
+ This app combines Windows PowerShell, a command prompt, and Azure Cloud Shell all within the same terminal window. You don't need to open separate apps to use these command-line applications. It has tabs. And when you open a new tab, you can choose your command-line application:
+
+ :::image type="content" source="./images/windows-11-whats-new/windows-terminal-app.png" alt-text="On Windows 11, open the Windows Terminal app to use Windows PowerShell, the command prompt, or Azure Cloud Shell to run commands.":::
+
+ If users or groups in your organization do a lot with Windows PowerShell or the command prompt, then use policy to add the Windows Terminal app to the [Start menu layout](/windows/configuration/customize-start-menu-layout-windows-11) or the [Taskbar](/windows/configuration/customize-taskbar-windows-11).
+
+ Users can also search for the Terminal app, right-select the app, and pin the app to the Start menu and taskbar.
+
+- The **Microsoft Store** has a new look, and includes more public and retail apps. For more information on the end-user experience, see:
+
+ - [Get updates for apps and games in Microsoft Store](https://support.microsoft.com/account-billing/get-updates-for-apps-and-games-in-microsoft-store-a1fe19c0-532d-ec47-7035-d1c5a1dd464f)
+ - [How to open Microsoft Store on Windows](https://support.microsoft.com/account-billing/how-to-open-microsoft-store-on-windows-10-e080b85a-7c9e-46a7-8d8b-3e9a42e32de6)
+
+- The **Microsoft Edge** browser is included with the OS, and is the default browser. Internet Explorer (IE) isn't available in Windows 11. In Microsoft Edge, you can use IE Mode if a website needs Internet Explorer. Open Microsoft Edge, and enter `edge://settings/defaultBrowser` in the URL.
+
+ To save system resources, Microsoft Edge uses sleeping tabs. Users can configure these settings, and more, in `edge://settings/system`.
+
+ Using Group Policy or an MDM provider, such as Endpoint Manager, you can configure some Microsoft Edge settings. For more information, see [Microsoft Edge - Policies](/deployedge/microsoft-edge-policies) and [Configure Microsoft Edge policy settings](/mem/intune/configuration/administrative-templates-configure-edge).
+
+## Deployment and servicing
+
+- **Install Windows 11**: The same methods you use to install Windows 10 can also be used to install Windows 11. For example, you can deploy Windows to your devices using Windows Autopilot, Microsoft Deployment Toolkit (MDT), Configuration Manager, and more. Windows 11 will be delivered as an upgrade to eligible devices running Windows 10.
+
+ For more information on getting started, see [Windows client deployment resources and documentation](/windows/deployment/) and [Plan for Windows 11](windows-11-plan.md).
+
+ For more information on the end-user experience, see [Ways to install Windows 11](https://support.microsoft.com/windows/e0edbbfb-cfc5-4011-868b-2ce77ac7c70e).
+
+- **Windows Autopilot**: If you're purchasing new devices, you can use Windows Autopilot to set up and pre-configure the devices. When users get the device, they sign in with their organization account (`user@contoso.com`). In the background, Autopilot gets them ready for use, and deploys any apps or policies you set. You can also use Windows Autopilot to reset, repurpose, and recover devices. Autopilot offers zero touch deployment for admins.
+
+ If you have a global or remote workforce, then Autopilot might be the right option to install the OS, and get it ready for use. For more information, see [Overview of Windows Autopilot](/mem/autopilot/windows-autopilot).
+
+- **Microsoft Endpoint Manager** is a mobile application management (MAM) and mobile device management (MDM) provider. It helps manage devices, and manage apps on devices in your organization. You configure policies, and then deploy these policies to users and groups. You can create and deploy policies that install apps, configure device features, enforce PIN requirements, block compromised devices, and more.
+
+ If you currently use Group Policy to manage your Windows 10 devices, you can also use Group Policy to manage Windows 11 devices. In Endpoint Manager, there are [administrative templates](/mem/intune/configuration/administrative-templates-windows) and the [settings catalog](/mem/intune/configuration/settings-catalog) that include many of the same policies. [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) analyze your on-premises group policy objects.
+
+- **Windows Updates and Delivery optimization** helps manage updates, and manage features on your devices. Starting with Windows 11, the OS feature updates are installed annually. For more information on servicing channels, and what they are, see [Servicing channels](/windows/deployment/update/waas-overview#servicing-channels).
+
+ Like Windows 10, Windows 11 will receive monthly quality updates.
+
+ You have options to install updates on your Windows devices, including Endpoint Manager, Group Policy, Windows Server Update Services (WSUS), and more. For more information, see [Assign devices to servicing channels](/windows/deployment/update/waas-servicing-channels-windows-10-updates).
+
+ Some updates are large, and use bandwidth. Delivery optimization helps reduce bandwidth consumption. It shares the work of downloading the update packages with multiple devices in your deployment. Windows 11 updates are smaller, as they only pull down source files that are different. You can create policies that configure delivery optimization settings. For example, set the maximum upload and download bandwidth, set caching sizes, and more.
+
+ For more information, see [Delivery Optimization for Windows updates](/windows/deployment/update/waas-delivery-optimization).
+
+ For more information on the end-user experience, see:
+
+ - [Installation & updates](https://support.microsoft.com/office/installation-updates-2f9c1819-310d-48a7-ac12-25191269903c#PickTab=Windows_11)
+ - [Manage updates in Windows](https://support.microsoft.com/windows/manage-updates-in-windows-643e9ea7-3cf6-7da6-a25c-95d4f7f099fe)
+
+## Next steps
+
+- [Windows 11 requirements](windows-11-requirements.md)
+- [Plan for Windows 11](windows-11-plan.md)
+- [Prepare for Windows 11](windows-11-prepare.md)
+- [Windows release health](https://aka.ms/windowsreleasehealth)
diff --git a/windows/whats-new/windows-11.md b/windows/whats-new/windows-11.md
deleted file mode 100644
index 77e2fa58a9..0000000000
--- a/windows/whats-new/windows-11.md
+++ /dev/null
@@ -1,93 +0,0 @@
----
-title: Windows 11 overview
-description: Overview of Windows 11
-ms.reviewer:
-manager: laurawi
-ms.audience: itpro
-author: greg-lindsay
-ms.author: greglin
-ms.prod: w11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: medium
-audience: itpro
-ms.topic: article
-ms.custom: seo-marvel-apr2020
----
-
-# Windows 11 overview
-
-**Applies to**
-
-- Windows 11
-
-This article provides an introduction to Windows 11, and answers some frequently asked questions.
-
-Also see the following articles to learn more about Windows 11:
-
-- [Windows 11 requirements](windows-11-requirements.md): Requirements to deploy Windows 11.
-- [Plan for Windows 11](windows-11-plan.md): Information to help you plan for Windows 11 in your organization.
-- [Prepare for Windows 11](windows-11-prepare.md): Procedures to ensure readiness to deploy Windows 11.
-
-## Introduction
-
-Windows 11 is the next evolution of Windows; it is the most significant update to the Windows operating system since Windows 10. It offers many innovations focused on enhancing end-user productivity in a fresh experience that is flexible and fluid. Windows 11 is designed to support today's hybrid work environment, and intended to be the most reliable, secure, connected, and performant Windows operating system ever.
-
-Windows 11 is built on the same foundation as Windows 10, so the investments you have made in tools for update and device management are carried forward. Windows 11 also sustains the application compatibility promise made with Windows 10, supplemented by programs like App Assure. For Microsoft 365 customers seeking further assistance, FastTrack will continue to be available to support your efforts to adopt Windows 11.
-
-## How to get Windows 11
-
-Windows 11 will be delivered as an upgrade to eligible devices running Windows 10, beginning later in the 2021 calendar year. Windows 11 will also be available on eligible new devices.
-
-For administrators managing devices on behalf of their organization, Windows 11 will be available through the same, familiar channels that you use today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Manager, and Windows Autopilot. For more information, see [Plan for Windows 11](windows-11-plan.md).
-
-For devices that are not managed by an organization, the Windows 11 upgrade will be offered to eligible Windows 10 devices through Windows Update using Microsoft's intelligent rollout process to ensure a smooth upgrade experience.
-
-For more information about device eligibility, see [Windows 11 requirements](windows-11-requirements.md).
-
-If you are interested in testing Windows 11 before general availability, you can join the [Windows Insider Program](https://insider.windows.com) or [Windows Insider Program for Business](https://insider.windows.com/for-business). You can also preview Windows 11 by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS).
-
-If you are an administrator, you can manage installations of Windows 11 Insider Preview Builds across multiple devices in your organization using Group Policy, MDM solutions such as Intune, Configuration Manager, or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). For more information, see [Manage Insider Preview builds across your organization](/windows-insider/business/manage-builds).
-
-## Before you begin
-
-The following sections provide a quick summary of licensing, compatibility, management, and servicing considerations to help you get started with Windows 11.
-
-#### Licensing
-
-There are no unique licensing requirements for Windows 11 beyond what is required for Windows 10 devices.
-
-Microsoft 365 licenses that include Windows 10 licenses will permit you to run Windows 11 on supported devices. If you have a volume license, it will equally cover Windows 11 and Windows 10 devices before and after upgrade.
-
-#### Compatibility
-
-Most accessories and associated drivers that work with Windows 10 are expected to work with Windows 11. Check with your accessory manufacturer for specific details.
-
-Windows 11 preserves the application compatibility promise made with Windows 10, and does not require changes to existing support processes or tooling to sustain the currency of applications and devices. Microsoft 365 customers can continue to use programs such as App Assure and FastTrack to support IT efforts to adopt and maintain Windows 11. For more information, see [Application compatibility](windows-11-plan.md#application-compatibility).
-
-#### Familiar processes
-
-Windows 11 is built on the same foundation as Windows 10. Typically, you can use the same tools and solutions you use today to deploy, manage, and secure Windows 11. Your current management tools and processes will also work to manage monthly quality updates for both Windows 10 and Windows 11.
-
-> [!IMPORTANT]
-> Check with the providers of any non-Microsoft security and management solutions that you use to ensure compatibility with Windows 11, particularly those providing security or data loss prevention capabilities.
-
-For more information, see [Prepare for Windows 11](windows-11-prepare.md).
-
-#### Servicing Windows 11
-
-Like Windows 10, Windows 11 will receive monthly quality updates. However, it will have a new feature update cadence. Windows 11 feature updates will be released once per year.
-
-When Windows 11 reaches general availability, important servicing-related announcements and information about known issues and safeguard holds can be found on the [Windows release health](https://aka.ms/windowsreleasehealth) hub. Monthly release notes will also be available from a consolidated Windows 11 update history page at that time. For more information, see [Servicing and support](windows-11-plan.md#servicing-and-support).
-
-## Next steps
-
-[Windows 11 requirements](windows-11-requirements.md)
-[Plan for Windows 11](windows-11-plan.md)
-[Prepare for Windows 11](windows-11-prepare.md)
-
-## Also see
-
-[What's new in Windows 11](/windows-hardware/get-started/what-s-new-in-windows)
-[Windows 11 Security — Our Hacker-in-Chief Runs Attacks and Shows Solutions](https://www.youtube.com/watch?v=2RTwGNyhSy8)
-[Windows 11: The Optimization and Performance Improvements](https://www.youtube.com/watch?v=oIYHRRTCVy4)